Edit tour

Windows Analysis Report
SBSLMD5qhm.msi

Overview

General Information

Sample name:	SBSLMD5qhm.msi renamed because original name is a hash value
Original sample name:	66bfca2c51b6b49c0900b8b401dba81e638ff97885418a5fdcfc95fd1d21a8e6.msi
Analysis ID:	1501115
MD5:	ca1d0bcc5fb18b2b312c2981a9fda576
SHA1:	a2fed73441b207edee0f355b6468854a63e8ce25
SHA256:	66bfca2c51b6b49c0900b8b401dba81e638ff97885418a5fdcfc95fd1d21a8e6
Tags:	cobaltstrikeg00g1e-us-kgmetasploitmsi
Infos:

Detection

Metasploit

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Metasploit Payload

AI detected suspicious sample

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Drops PE files to the startup folder

Loading BitLocker PowerShell Module

Modifies the DNS server

Modifies the windows firewall

Performs a network lookup / discovery via ARP

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample is not signed and drops a device driver

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Startup Folder Persistence

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Generic Downloader

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious MsiExec Embedding Parent

Sigma detected: Tap Installer Execution

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5244 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SBSLMD5qhm.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4080 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3300 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7BAC104BD5378FDDE0B63E7FB4B3F634 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 7324 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1620 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8446B195F51217FC669CD1E61AA0CBB0 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

icacls.exe (PID: 6760 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 5016 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FileVPN3.8.1.exe (PID: 6852 cmdline: "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe" MD5: 92114D5C56FD14D35E98E60ED2943477)

conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6760 cmdline: C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6856 cmdline: C:\Windows\system32\cmd.exe /c copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /c copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 1744 cmdline: C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

runshelldraw_x86.exe (PID: 344 cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe" MD5: 2BA1B334190DC1FE43B1D9FC330EA384)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 7252 cmdline: Regsvr32.exe MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

WerFault.exe (PID: 7480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1512 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c start "" "FileVPN.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

FileVPN.exe (PID: 2080 cmdline: "FileVPN.exe" MD5: A59B68EA2372F9C9F6A0603FD5013174)

powershell.exe (PID: 5956 cmdline: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7936 cmdline: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tapinstall.exe (PID: 1196 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tapinstall.exe (PID: 7372 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7564 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 5776 cmdline: netsh advfirewall firewall Delete rule name=lets MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 5720 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7664 cmdline: netsh advfirewall firewall Delete rule name=lets.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2212 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7488 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 7252 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 5944 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

tapinstall.exe (PID: 3228 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

LetsPRO.exe (PID: 7692 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" MD5: 51F74B2422CA5C2E15A4FF761B9AF586)

LetsPRO.exe (PID: 2256 cmdline: "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe" MD5: 5C8BA6EB1D1C2F078C4C812EA51E1701)

cmd.exe (PID: 416 cmdline: "cmd.exe" /C ipconfig /all MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 3452 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

cmd.exe (PID: 7620 cmdline: "cmd.exe" /C route print MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ROUTE.EXE (PID: 3496 cmdline: route print MD5: C563191ED28A926BCFDB1071374575F1)

cmd.exe (PID: 6020 cmdline: "cmd.exe" /C arp -a MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ARP.EXE (PID: 3612 cmdline: arp -a MD5: 4D3943EDBC9C7E18DC3469A21B30B3CE)

icacls.exe (PID: 5000 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7404 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7440 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 5856 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 7244 cmdline: DrvInst.exe "4" "1" "c:\program files (x86)\letsvpn\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 5300 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000144" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

svchost.exe (PID: 7388 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5432 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WmiApSrv.exe (PID: 5592 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)

cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "Host: g00g1e.us.kg\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel WIndows X 10.14; rv:83.0) Gecko/20100101 Firefox/83.0\r\n", "Type": "Metasploit Download", "URL": "http://g00g1e.us.kg/rpc/9659727"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\letsvpn\Update.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp	Windows_Shellcode_Generic_8c487e57	unknown	unknown	0x6:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0xd:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x96:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Shellcode_Generic_8c487e57	unknown	unknown	0x6:$a: FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0
0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0xd:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0x96:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07
Process Memory Space: runshelldraw_x86.exe PID: 344	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: LetsPRO.exe PID: 2256	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
60.2.LetsPRO.exe.68850000.23.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: Regsvr32.exe, CommandLine: Regsvr32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe" , ParentImage: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe, ParentProcessId: 344, ParentProcessName: runshelldraw_x86.exe, ProcessCommandLine: Regsvr32.exe, ProcessId: 7252, ProcessName: regsvr32.exe

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 6856, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "FileVPN.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe, ParentProcessId: 2080, ParentProcessName: FileVPN.exe, ProcessCommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", ProcessId: 5956, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe" /silent, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe, ProcessId: 2256, TargetObject: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 8443, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe, ProcessId: 2256, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwm2cdmi.34w.ps1

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 6760, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe", CommandLine: C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe, ParentProcessId: 6852, ParentProcessName: FileVPN3.8.1.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe", ProcessId: 6760, ProcessName: cmd.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files", CommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 7BAC104BD5378FDDE0B63E7FB4B3F634, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3300, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files", ProcessId: 7324, ProcessName: cmd.exe

Sigma detected: Tap Installer Execution

Source: Process started

Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: Data: Command: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, NewProcessName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, OriginalFileName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, ParentCommandLine: "FileVPN.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe, ParentProcessId: 2080, ParentProcessName: FileVPN.exe, ProcessCommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, ProcessId: 1196, ProcessName: tapinstall.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", CommandLine|base64offset|contains: )f, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "FileVPN.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe, ParentProcessId: 2080, ParentProcessName: FileVPN.exe, ProcessCommandLine: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }", ProcessId: 5956, ProcessName: powershell.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd.exe" /C ipconfig /all, CommandLine: "cmd.exe" /C ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe" , ParentImage: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe, ParentProcessId: 2256, ParentProcessName: LetsPRO.exe, ProcessCommandLine: "cmd.exe" /C ipconfig /all, ProcessId: 416, ProcessName: cmd.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7404, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Metasploit {"Headers": "Host: g00g1e.us.kg\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel WIndows X 10.14; rv:83.0) Gecko/20100101 Firefox/83.0\r\n", "Type": "Metasploit Download", "URL": "http://g00g1e.us.kg/rpc/9659727"}

Multi AV Scanner detection for submitted file

Source: SBSLMD5qhm.msi	ReversingLabs: Detection: 44%
Source: SBSLMD5qhm.msi	Virustotal: Detection: 32%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}

Jump to behavior

Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987784573.0000000005BB2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\symbols\dll\bcryptprimitives.pdb^ source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.00000000043D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr
Source:	Binary string: NetSetupEngine.pdb source: service.0.etl.44.dr
Source:	Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdbSHA256 source: System.IO.Packaging.dll.18.dr
Source:	Binary string: wkernel32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000146A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdbSHA256h source: System.Configuration.ConfigurationManager.dll.18.dr
Source:	Binary string: D:\Desktop\ConsoleApplication1\x64\Release\ConsoleApplication1.pdb source: FileVPN3.8.1.exe, 00000008.00000000.1754504948.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmp, FileVPN3.8.1.exe, 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmp, SBSLMD5qhm.msi
Source:	Binary string: ucrtbase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\symbols\dll\bcryptprimitives.pdbV source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.00000000043D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdb source: System.Security.Cryptography.Xml.dll.18.dr
Source:	Binary string: c:\TeamCity\buildAgent\work\1f6e193703b8b174\WindowsInput\obj\Release\WindowsInput.pdb source: WindowsInput.dll.18.dr
Source:	Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3021368237.0000000036292000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.18.dr
Source:	Binary string: wrpcrt4.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbata\Microsoft\Windows\Start Menu\Programs\StartUp\ source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001465000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1776545841.0000000003370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: tapinstall.exe, tapinstall.exe, 00000024.00000000.2482529191.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000024.00000002.2484945033.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000002.2534402271.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000000.2486085059.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000002.2559009241.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000000.2557641034.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe.18.dr
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdbon source: Microsoft.Web.WebView2.Wpf.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdbSHA256T source: System.IO.Ports.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3007496135.0000000030602000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdbSHA256 source: System.ServiceModel.Duplex.dll.18.dr
Source:	Binary string: advapi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: ucrtbase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.ResourceManager\4.0.1.0\System.Resources.ResourceManager.pdb source: System.Resources.ResourceManager.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3007496135.0000000030602000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000557941.000000002F452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: wkernelbase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001470000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000145F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb4)N) @)_CorDllMainmscoree.dll source: System.Security.Cryptography.Csp.dll.18.dr
Source:	Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdb source: System.Management.Automation.dll.18.dr
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\winforms_control\Microsoft.Web.WebView2.WinForms\obj\release\net45\Microsoft.Web.WebView2.WinForms.pdb source: Microsoft.Web.WebView2.WinForms.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Drawing.Primitives\4.0.2.0\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.18.dr
Source:	Binary string: bcryptprimitives.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.000000000451B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.DriveInfo\4.0.2.0\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\sechost.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.18.dr
Source:	Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 0000002A.00000003.2502236025.000001F1083BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdbSHA256 source: Squirrel.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.ThreadPool\4.0.12.0\System.Threading.ThreadPool.pdb source: System.Threading.ThreadPool.dll.18.dr
Source:	Binary string: advapi32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3027350728.00000000368A2000.00000002.00000001.01000000.0000003C.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Console\4.0.2.0\System.Console.pdb source: System.Console.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdb source: System.Configuration.ConfigurationManager.dll.18.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: System.ComponentModel.EventBasedAsync.dll.18.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 0000003B.00000000.2594918615.000000000037D000.00000002.00000001.01000000.00000016.sdmp, LetsPRO.exe, 0000003B.00000002.2607988542.000000000037D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$> 0*_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.18.dr
Source:	Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb/5I5 ;5_CorDllMainmscoree.dll source: System.IO.Pipes.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TraceSource\4.0.2.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.18.dr
Source:	Binary string: wntdll.pdbUGP source: runshelldraw_x86.exe, 0000000F.00000002.1776545841.0000000003370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdb source: System.IO.Packaging.dll.18.dr
Source:	Binary string: D:\module_code\bin\Release\runshelldraw_x86.pdb source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000145D000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775418928.0000000000D45000.00000002.00000001.01000000.00000007.sdmp, runshelldraw_x86.exe, 0000000F.00000000.1761413342.0000000000D45000.00000002.00000001.01000000.00000007.sdmp, runshelldraw_x86.exe.10.dr
Source:	Binary string: wrpcrt4.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdbt+ source: System.Xml.XmlSerializer.dll.18.dr
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988360275.0000000006372000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: LetsPRO.exe, 0000003C.00000002.2987712048.0000000005BA2000.00000002.00000001.01000000.00000020.sdmp, System.Runtime.CompilerServices.Unsafe.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: System.Linq.Parallel.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: LetsPRO.exe, 0000003C.00000002.3008296013.0000000030782000.00000002.00000001.01000000.00000031.sdmp, SQLitePCLRaw.core.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\shlwapi.pdb\*6 source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008449399.00000000307A2000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shcore.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdb source: SharpCompress.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: System.Xml.XPath.dll.18.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdb source: Squirrel.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@Z L*_CorDllMainmscoree.dll source: System.Runtime.CompilerServices.VisualC.dll.18.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.18.dr
Source:	Binary string: msvcr120.i386.pdb source: runshelldraw_x86.exe, runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBF000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, msvcr120.dll.12.dr
Source:	Binary string: NetSetupSvc.pdb source: service.0.etl.44.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: System.ValueTuple.dll.18.dr
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3027350728.00000000368A2000.00000002.00000001.01000000.0000003C.sdmp
Source:	Binary string: msvcp120.i386.pdb source: runshelldraw_x86.exe, runshelldraw_x86.exe, 0000000F.00000002.1782322010.000000006C511000.00000020.00000001.01000000.00000009.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBA000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr
Source:	Binary string: combase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime\4.1.2.0\System.Runtime.pdb source: System.Runtime.dll.18.dr
Source:	Binary string: msvcr120.i386.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: LetsPRO.exe, 0000003C.00000002.2987784573.0000000005BB2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdbSHA256 source: System.Threading.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.18.dr
Source:	Binary string: wkernel32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000146A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp120.i386.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8lC:\ProgramDabcryptprimitives.pdbdbrt Menu\Programs\StartUpP: source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001476000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdb source: System.ServiceModel.Duplex.dll.18.dr
Source:	Binary string: shcore.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004510000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb source: System.AppContext.dll.18.dr
Source:	Binary string: wgdi32full.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2982446572.0000000004CD2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdbSHA256/T source: MdXaml.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3000412976.000000002F442000.00000002.00000001.01000000.00000025.sdmp, Microsoft.AppCenter.Analytics.dll.18.dr
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3030029502.0000000037D02000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.18.dr
Source:	Binary string: shcore.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004510000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: "ry..primitives.pdb\*H source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001476000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: wgdi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\advapi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdb source: System.ServiceProcess.ServiceController.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shlwapi.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shlwapi.pdbb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdbSHA256 source: System.IO.FileSystem.AccessControl.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: System.Data.Odbc.dll.18.dr
Source:	Binary string: Extract: Mono.Cecil.Pdb.dll... 100% source: FileVPN.exe, 00000012.00000003.2595341820.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, FileVPN.exe, 00000012.00000002.2596107645.00000000007BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdbL source: SharpCompress.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: System.Security.Cryptography.X509Certificates.dll.18.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdbT source: System.ValueTuple.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: System.Security.Cryptography.Csp.dll.18.dr
Source:	Binary string: msvcp_win.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: Microsoft.Web.WebView2.Wpf.dll.18.dr
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2982353960.0000000004CC2000.00000002.00000001.01000000.0000001B.sdmp, LetsVPNDomainModel.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: System.Security.Cryptography.Xml.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel\4.0.1.0\System.ComponentModel.pdb source: System.ComponentModel.dll.18.dr
Source:	Binary string: NetSetupApi.pdbb source: service.0.etl.44.dr
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdbwD source: LetsPRO.exe, 0000003C.00000002.2982353960.0000000004CC2000.00000002.00000001.01000000.0000001B.sdmp, LetsVPNDomainModel.dll.18.dr
Source:	Binary string: Windows.Storage.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\webview2_api_writer\dotNetAPIWrapper\Microsoft.Web.WebView2.Core\bin\ReleasePackage\Microsoft.Web.WebView2.Core.pdb source: Microsoft.Web.WebView2.Core.dll.18.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987886234.0000000005BC2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdbSHA256 source: System.Security.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: LetsPRO.exe, 0000003C.00000002.3000557941.000000002F452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: System.Threading.Tasks.Extensions.dll.18.dr
Source:	Binary string: pr..itives.pdbH source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: System.AppContext.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdbSHA256x source: System.Data.Odbc.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\advapi32.pdbdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000141E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdb source: Mono.Cecil.Rocks.dll.18.dr
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: LetsPRO.exe, 0000003C.00000002.3030029502.0000000037D02000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: System.ServiceProcess.ServiceController.dll.18.dr
Source:	Binary string: dbghelp.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SBSLMD5qhm.msi, MSIEEFF.tmp.1.dr
Source:	Binary string: combase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001465000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: LetsPRO.exe, 0000003C.00000002.3029756313.0000000037BE2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdb source: System.IO.Ports.dll.18.dr
Source:	Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.18.dr
Source:	Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdbSHA256 source: Mono.Cecil.Rocks.dll.18.dr
Source:	Binary string: wgdi32full.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading\4.0.11.0\System.Threading.pdb source: System.Threading.dll.18.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdb source: System.Threading.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: System.Security.Claims.dll.18.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987712048.0000000005BA2000.00000002.00000001.01000000.00000020.sdmp, System.Runtime.CompilerServices.Unsafe.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\advapi32.pdbn source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3008449399.00000000307A2000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: dbghelp.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdb source: MdXaml.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000412976.000000002F442000.00000002.00000001.01000000.00000025.sdmp, Microsoft.AppCenter.Analytics.dll.18.dr
Source:	Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdbSHA2569v'` source: System.Management.Automation.dll.18.dr
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: tapinstall.exe, 00000024.00000000.2482529191.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000024.00000002.2484945033.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000002.2534402271.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000000.2486085059.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000002.2559009241.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000000.2557641034.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe.18.dr
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3029756313.0000000037BE2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3008685058.00000000307D2000.00000002.00000001.01000000.00000033.sdmp, SQLitePCLRaw.nativelibrary.dll.18.dr
Source:	Binary string: NetSetupApi.pdb source: service.0.etl.44.dr
Source:	Binary string: wgdi32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001470000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.000000000451B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdbL#L source: LetsPRO.exe, 0000003C.00000002.2988360275.0000000006372000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: System.Collections.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008296013.0000000030782000.00000002.00000001.01000000.00000031.sdmp, SQLitePCLRaw.core.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.18.dr
Source:	Binary string: wuser32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008685058.00000000307D2000.00000002.00000001.01000000.00000033.sdmp, SQLitePCLRaw.nativelibrary.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp

Spreading

Performs a network lookup / discovery via ARP

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DF230 SHGetFolderPathW,SHGetFolderPathW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,SHGetFolderPathW,SHGetFolderPathW,FindFirstFileW,FindNextFileW,FindClose,	15_2_6C3DF230
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3F0B1B FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_6C3F0B1B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49EB97 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,__fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49EB97
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49C41C _mbsdec,_mbscmp,_mbscmp,_strdup,strlen,_calloc_crt,__cftof,strcpy_s,_mbsicmp,_invoke_watson,_malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	15_2_6C49C41C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49E748 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,_errno,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49E748
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49C385 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	15_2_6C49C385
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DCF7 _wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DCF7
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C435C91 _wstat64i32,_wcspbrk,towlower,FindFirstFileExW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,_getdrive,GetLastError,GetLastError,_wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,GetDriveTypeW,free,free,_wsopen_s,__fstat64i32,_close,_errno,__dosmaperr,FindClose,__dosmaperr,FindClose,	15_2_6C435C91
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DF35 _wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DF35
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49D86F _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49D86F
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DA9B _wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DA9B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49F00C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49F00C
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	18_2_004059CC
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_004065FD FindFirstFileW,FindClose,	18_2_004065FD
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_00402868 FindFirstFileW,	18_2_00402868
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B71EC GetWindowsDirectoryW,FindFirstFileW,__iob_func,__iob_func,__iob_func,FindNextFileW,FindClose,	36_2_00007FF7682B71EC
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00364318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,	59_2_00364318

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 4x nop then push esi

15_2_6C4C90B4

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 188.114.96.3 8443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://g00g1e.us.kg/rpc/9659727

Yara detected Generic Downloader

Source: Yara match	File source: C:\Program Files (x86)\letsvpn\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 188.114.96.3:8443

Source: global traffic

TCP traffic: 192.168.2.4:49753 -> 8.8.8.8:53

Source: global traffic

HTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1Host: ws-ap1.pusher.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Version: 13Sec-WebSocket-Key: OWQ3ZTRkZWYtZmZiOS00ZQ==Origin: ws://ws-ap1.pusher.com

Source: Joe Sandbox View	IP Address: 183.60.146.66 183.60.146.66
Source: Joe Sandbox View	IP Address: 5.255.255.77 5.255.255.77
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 23.98.101.155
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 35.227.223.56
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66
Source: unknown	TCP traffic detected without corresponding DNS query: 183.60.146.66

Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1Host: ws-ap1.pusher.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Version: 13Sec-WebSocket-Key: OWQ3ZTRkZWYtZmZiOS00ZQ==Origin: ws://ws-ap1.pusher.com

Source: LetsPRO.exe, 0000003C.00000002.3072334918.0000000068D50000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: os/exec.Command(]. new data: GID[^/app([0-9]+)/app^created by (.+)$bad TinySizeClassbad key algorithmbad local addressboundBindToDeviceclose dns channelconnectingAddresscorkOptionEnableddecryption failedduplicate addresseffectiveNetProtoentersyscallblockexec apiAgent GIDexec apiAgent RIDexec deleteRegDirexec format errorexec nicIndexToIPexec phyNIC Indexexec phyNIC SetIPexec tapIFCE Nameexec: killing Cmdexec: not startedfractional secondframe_ping_lengthg already scannedget up-going ACK glEdgeFlagPointerglPopClientAttribglTexCoordPointergp.waiting != nilhandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid BMPStringinvalid IA5Stringinvalid bit size invalid stream IDip2if func returnipv6-only networkisConnectNotifiedjoyReleaseCapturekey align too biglocked m0 woke upmark - bad statusmarkBits overflowmciGetCreatorTaskmessage too largemidiInGetDevCapsWmidiOutGetNumDevsmidiStreamRestartmissing closing )missing closing ]missing extensionmixerGetLineInfoWmultipartmaxpartsneed re-resolve: nextId too large:nil resource bodyno available Datano data availablenoChecksumEnablednotetsleepg on g0old node version:operation abortedparameter problempermission deniedpkg/buffer.Bufferpkg/sleep.Sleeperpkg/tcpip.Addresspppoe instanceId:protect fd failedreceiveBufferSizereceiveTOSEnabledreceiveTTLEnabledreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of remoteAddr is nilruntime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0seeker can't seekselect (no cases)set sdk loglevel:set tap static ipstack: frame={sp:start map checkerstart refresh infswept cached spansync.RWMutex.Lockthread exhaustiontimeGetSystemTimetransfer-encodingtruncated headersudp routines num:unknown caller pcunknown hostname:unknown type kindunrecognized nameupdate dns dialeruse gid:%s rid:%swait for GC cyclewaveInGetDevCapsWwaveInGetPositionwaveOutGetNumDevswebsocket: close wglGetPixelFormatwglGetProcAddresswglSetPixelFormatwine_get_versionwrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)
Source: LetsPRO.exe, 0000003C.00000002.3072334918.0000000068D50000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: wrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: g00g1e.us.kg
Source: global traffic	DNS traffic detected: DNS query: crt.sectigo.com
Source: global traffic	DNS traffic detected: DNS query: ocsp.sectigo.com
Source: global traffic	DNS traffic detected: DNS query: crl.sectigo.com
Source: global traffic	DNS traffic detected: DNS query: www.baidu.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.yandex.com
Source: global traffic	DNS traffic detected: DNS query: nal.fqoqehwib.com
Source: global traffic	DNS traffic detected: DNS query: nit.crash1ytics.com
Source: global traffic	DNS traffic detected: DNS query: chr.alipayassets.com
Source: global traffic	DNS traffic detected: DNS query: d1dmgcawtbm6l9.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: ws-ap1.pusher.com

Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.p
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/r1Lq4vMcD8c.crl0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033F3F000.00000004.00000020.00020000.00000000.sdmp, AEED7C5D2183A1352C6D421D65F131F0.60.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LetsPRO.exe, 0000003C.00000002.2964203103.000000000094E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003D.00000002.2967071666.00000163E208E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000020.00000002.2480362877.0000000008183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: LetsPRO.exe, 0000003C.00000002.3002515195.000000002FF90000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965369142.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.3004902007.0000000030185000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: LetsPRO.exe, 0000003C.00000002.2985679411.00000000055CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crlw
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 0000003D.00000002.2966785275.00000163E2000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-2011a.crl03
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tapinstall.exe.18.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-2011a.crl0
Source: LetsPRO.exe, 0000003C.00000002.3002515195.000000002FF90000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965369142.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.3004902007.0000000030185000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: LetsPRO.exe, 0000003C.00000002.3003225940.0000000030031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: LetsPRO.exe, 0000003C.00000002.2985679411.00000000055BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enL
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E2218000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E2218000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E2218000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E224D000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.61.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: MdXaml.dll.18.dr	String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
Source: LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: LetsPRO.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: LetsPRO.exe, 0000003C.00000002.2983311972.0000000005112000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: FileVPN.exe, 00000012.00000000.1762414728.000000000040A000.00000008.00000001.01000000.00000008.sdmp, FileVPN.exe, 00000012.00000003.2559995413.0000000000803000.00000004.00000020.00020000.00000000.sdmp, FileVPN.exe, 00000012.00000002.2595658102.000000000040A000.00000004.00000001.01000000.00000008.sdmp, SBSLMD5qhm.msi, uninst.exe.18.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000020.00000002.2475363240.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/tq00%
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033F3F000.00000004.00000020.00020000.00000000.sdmp, B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F0.60.dr	String found in binary or memory: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033F3F000.00000004.00000020.00020000.00000000.sdmp, AEED7C5D2183A1352C6D421D65F131F0.60.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033FB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com6U
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: tapinstall.exe.18.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: LetsPRO.exe, 0000003C.00000002.2984935523.0000000005565000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK
Source: System.Diagnostics.TraceSource.dll.18.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: LetsPRO.exe, 0000003C.00000002.2985679411.0000000005583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.comhttp://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://s2.symcb.com0
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: http://schemas.fontawesome.io/icons/
Source: powershell.exe, 00000020.00000002.2471537574.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000014.00000002.1781149519.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2471537574.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000020.00000002.2471537574.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://sv.symcd.com0&
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: http://wpfanimatedgif.codeplex.com
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: tapinstall.exe.18.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: LetsPRO.exe, 0000003C.00000002.3021368237.0000000036292000.00000002.00000001.01000000.00000035.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: http://www.hardcodet.net/taskbar
Source: LetsPRO.exe, 0000003C.00000002.3018326593.0000000034512000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://www.kuwo.cn0
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: System.Data.Odbc.dll.18.dr	String found in binary or memory: http://www.xmlspy.com)
Source: LetsPRO.exe, 0000003C.00000002.2996384380.000000000F270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://0.0.0.0%2F0
Source: LetsPRO.exe, 0000003C.00000002.2996384380.000000000F270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://0.0.0.0%2F0infoinfo
Source: powershell.exe, 00000014.00000002.1781149519.0000000004C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1781149519.0000000004C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2471537574.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://aka.ms/toolkit/dotnet
Source: Squirrel.dll.18.dr	String found in binary or memory: https://api.github.com/#
Source: LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: LetsPRO.exe, 0000003C.00000002.2990642865.000000000F0A4000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2994883965.000000000F1A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-api
Source: LetsPRO.exe, 0000003C.00000002.2990642865.000000000F0A4000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2994883965.000000000F1A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo
Source: LetsPRO.exe, 0000003C.00000002.3072334918.0000000068D50000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E22C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E22C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g00g1e.us.kg/
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g00g1e.us.kg/P
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g00g1e.us.kg:8443/rpc/9659727
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g00g1e.us.kg:8443/rpc/9659727G
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://github.com/CommunityToolkit/dotnet
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: System.Numerics.Vectors.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.Numerics.Vectors.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: LetsPRO.exe	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b4919
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987886234.0000000005BC2000.00000002.00000001.01000000.00000021.sdmp, System.Threading.Tasks.Extensions.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: LetsPRO.exe, 0000003C.00000002.2987923125.0000000005BC6000.00000002.00000001.01000000.00000021.sdmp, System.Threading.Tasks.Extensions.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e772
Source: System.IO.Pipes.AccessControl.dll.18.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e7728
Source: System.Security.Cryptography.Xml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.Configuration.ConfigurationManager.dll.18.dr, System.IO.Packaging.dll.18.dr, System.ServiceProcess.ServiceController.dll.18.dr, System.Data.Odbc.dll.18.dr, System.Threading.AccessControl.dll.18.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.ServiceModel.Duplex.dll.18.dr	String found in binary or memory: https://github.com/dotnet/wcf
Source: Squirrel.dll.18.dr	String found in binary or memory: https://github.com/myuser/myrepo
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp	String found in binary or memory: https://in.appcenter.ms
Source: LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp	String found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0
Source: FileVPN.exe, 00000012.00000002.2596014183.000000000079A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://intercom.help/letsvpn-world/-N
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926062-recover-my-letsvpn-account
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3401886-special-settings-for-smartbyte
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3710603-about-logging-in-out-anomalies
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-serv
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262720-special-settings-for-host-network-service
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262786-special-settings-for-expressconnect
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262801-special-settings-for-killer-network-service
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windows
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1628560-help-documents
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://intercom.help/letsvpn-world/en/collections/Killer
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://letsvpn.world/privacy.html
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://letsvpn.world/registerterm.html
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://letsvpn.world/terms.html
Source: LetsPRO.exe, 0000003C.00000002.2993917653.000000000F11C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com
Source: LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app34/device
Source: LetsPRO.exe, 0000003C.00000002.2999057700.000000000F3CE000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app34/deviceH
Source: LetsPRO.exe, 0000003C.00000002.2999626621.000000000F43E000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2999057700.000000000F3CE000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app34/devicechecking
Source: LetsPRO.exe, 0000003C.00000002.2999626621.000000000F43E000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2990642865.000000000F084000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.com/app34/devicehttps://nit.crash1ytics.com/app34/device
Source: LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comG
Source: LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comH/
Source: LetsPRO.exe, 0000003C.00000002.2998911858.000000000F3B8000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comLoopback
Source: LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comSC-Set-NetIPInterface
Source: LetsPRO.exe, 0000003C.00000002.2990642865.000000000F02A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comTo
Source: LetsPRO.exe, 0000003C.00000002.2990642865.000000000F02A000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2993917653.000000000F11C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comhttpCode=-2
Source: LetsPRO.exe, 0000003C.00000002.2997717778.000000000F316000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nit.crash1ytics.comi
Source: powershell.exe, 00000020.00000002.2475363240.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000003D.00000003.2621351490.00000163E22C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.61.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://pngimg.com/uploads/light/light_PNG14440.png
Source: LetsPRO.exe, 0000003C.00000002.2998029190.000000000F34E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postPost142.242.204.31
Source: LetsPRO.exe, 0000003C.00000002.2998876528.000000000F3B2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postPost67.137.174.254
Source: LetsPRO.exe, 0000003C.00000002.3002515195.000000002FF90000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965369142.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.3004902007.0000000030185000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	String found in binary or memory: https://widget.intercom.io/widget/
Source: tapinstall.exe.18.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Code function: 18_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

18_2_00405461

Source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001496000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut

memstr_e2673b6b-1

Source: runshelldraw_x86.exe, 0000000F.00000002.1777065849.0000000003DCD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

memstr_10393c0d-9

Source: Yara match	File source: 60.2.LetsPRO.exe.68850000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: runshelldraw_x86.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LetsPRO.exe PID: 2256, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll, type: DROPPED

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB1C.tmp	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\driver\tap0901.cat	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	Jump to dropped file
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.cat (copy)	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Code function: 18_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

18_2_0040338F

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys

Jump to behavior

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6ed162.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID3F2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID403.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC22.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEEFF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6ed164.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6ed164.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}\ProductIcon	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF28A.tmp	Jump to behavior
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET1348.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET1348.tmp
Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PeerDistRepub
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEED7C5D2183A1352C6D421D65F131F0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\43B41D246473AA455DCC6019A9AF9545
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\43B41D246473AA455DCC6019A9AF9545
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSID403.tmp

Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DFA40	15_2_6C3DFA40
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3E20B0	15_2_6C3E20B0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3E1CC0	15_2_6C3E1CC0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3D8BE0	15_2_6C3D8BE0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3D3BE0	15_2_6C3D3BE0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DDBC0	15_2_6C3DDBC0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3D1000	15_2_6C3D1000
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3F60AA	15_2_6C3F60AA
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3D63E0	15_2_6C3D63E0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DB3D0	15_2_6C3DB3D0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C44AD6C	15_2_6C44AD6C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43ADE5	15_2_6C43ADE5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B4DB2	15_2_6C4B4DB2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4E0DB3	15_2_6C4E0DB3
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C430EAC	15_2_6C430EAC
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C430F38	15_2_6C430F38
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C444FC6	15_2_6C444FC6
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43A8CA	15_2_6C43A8CA
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C44EA80	15_2_6C44EA80
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B2AA9	15_2_6C4B2AA9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B8B41	15_2_6C4B8B41
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4E04C2	15_2_6C4E04C2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43E5DD	15_2_6C43E5DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B07DD	15_2_6C4B07DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C440189	15_2_6C440189
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4F42D8	15_2_6C4F42D8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4643CE	15_2_6C4643CE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4C63C7	15_2_6C4C63C7
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C491D6D	15_2_6C491D6D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C451E4B	15_2_6C451E4B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4D1E60	15_2_6C4D1E60
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4F3EE5	15_2_6C4F3EE5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C437F5A	15_2_6C437F5A
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43B879	15_2_6C43B879
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4CB930	15_2_6C4CB930
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C44BA78	15_2_6C44BA78
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B1AB7	15_2_6C4B1AB7
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4B3BAC	15_2_6C4B3BAC
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C44D40E	15_2_6C44D40E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43B42B	15_2_6C43B42B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C443486	15_2_6C443486
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4CD5A8	15_2_6C4CD5A8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C45D6F3	15_2_6C45D6F3
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4DB710	15_2_6C4DB710
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C457004	15_2_6C457004
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C43B082	15_2_6C43B082
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4F7160	15_2_6C4F7160
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4BD1F8	15_2_6C4BD1F8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C45320E	15_2_6C45320E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4D7384	15_2_6C4D7384
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C46B389	15_2_6C46B389
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C549E42	15_2_6C549E42
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_00406B15	18_2_00406B15
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_004072EC	18_2_004072EC
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_00404C9E	18_2_00404C9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_02CBB4B8	32_2_02CBB4B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_02CBB4A8	32_2_02CBB4A8
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B24C8	36_2_00007FF7682B24C8
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B354C	36_2_00007FF7682B354C
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B6534	36_2_00007FF7682B6534
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B4B74	36_2_00007FF7682B4B74
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00373929	59_2_00373929
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036A95F	59_2_0036A95F
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036B18B	59_2_0036B18B
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00367B91	59_2_00367B91
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036AC09	59_2_0036AC09
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00372D55	59_2_00372D55
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036A540	59_2_0036A540
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036A5ED	59_2_0036A5ED
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036AED0	59_2_0036AED0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_04CD4225	60_2_04CD4225
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_04CD5B35	60_2_04CD5B35
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_0511A0DF	60_2_0511A0DF
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_0511A048	60_2_0511A048
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_051167F6	60_2_051167F6
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_0511A9EB	60_2_0511A9EB
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_0511632F	60_2_0511632F
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05423276	60_2_05423276
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05426998	60_2_05426998
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_054233B9	60_2_054233B9
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05BB266A	60_2_05BB266A
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_06245C52	60_2_06245C52
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_2F455355	60_2_2F455355
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_2F484A2C	60_2_2F484A2C
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_307841EC	60_2_307841EC
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_362970E2	60_2_362970E2
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368A5A59	60_2_368A5A59
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B54CB	60_2_368B54CB
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B3C95	60_2_368B3C95
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B3A94	60_2_368B3A94
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B46ED	60_2_368B46ED
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67556390	60_2_67556390
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674FCD90	60_2_674FCD90
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67510A10	60_2_67510A10
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674D5750	60_2_674D5750
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DF750	60_2_674DF750
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6754C730	60_2_6754C730
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674CB720	60_2_674CB720
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_675267E0	60_2_675267E0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674E27F0	60_2_674E27F0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674D67B0	60_2_674D67B0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6750B570	60_2_6750B570
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6751B570	60_2_6751B570
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6755C570	60_2_6755C570
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67509560	60_2_67509560
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B75F0	60_2_674B75F0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DB580	60_2_674DB580
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674C1450	60_2_674C1450
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67508470	60_2_67508470
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B8340	60_2_674B8340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67547340	60_2_67547340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_675203D0	60_2_675203D0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DC3F0	60_2_674DC3F0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_675483A0	60_2_675483A0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674F9220	60_2_674F9220
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674C8230	60_2_674C8230
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674CC2E0	60_2_674CC2E0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6756C280	60_2_6756C280
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_00B638E8	60_2_00B638E8
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_00B68C80	60_2_00B68C80
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_37D0A709	60_2_37D0A709
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05425D9D	60_2_05425D9D
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_051175DB	60_2_051175DB
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_0511760D	60_2_0511760D
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_051175F4	60_2_051175F4
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_30786D2C	60_2_30786D2C
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_30782050	60_2_30782050

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Process token adjusted: Load Driver

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: String function: 674B1110 appears 44 times
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: String function: 68D0E210 appears 51 times
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: String function: 67516970 appears 52 times
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: String function: 674BBCB0 appears 70 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C4349A4 appears 65 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C3DED90 appears 46 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C434B60 appears 37 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C42F750 appears 33 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C3DEDE0 appears 391 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C42ED7E appears 137 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C54B3A5 appears 45 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C42EDFC appears 69 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C3E4420 appears 51 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C54B3DB appears 106 times
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: String function: 6C54B372 appears 225 times
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: String function: 00368C30 appears 40 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252

Source: SBSLMD5qhm.msi

Binary or memory string: OriginalFilenamemsvcp120.dll^ vs SBSLMD5qhm.msi

Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23

Source: Utils.dll.18.dr, EncryptionHelper.cs

Base64 encoded string: 'MmnG6VOR+WnZS9H1nUImgh51Osbv1HNbg0tmihNKIe56P70uL5Qpu7Pg5BRk5AHEN7JjJBMMg3K+zTtV1yr5Z4OUpvRNri102lHcvY0xDlrDpER1nsJylqsBoy24674eg5Pyf3n55VkkXWX2Plb+wrLs7sPC+KmgyOhFif4ZESQXqTS/q+Cy+EtUFZRYqDg3wLkTAIUg1Y7TO+me6hpjVKfavGaVZK1R87D+dwnC6O2GqA12ZUWUCoJF+py6stRs8RpFoxKdoMxM4mXOakl31jpmLW9rBvYUNccWVwfNyGADglRdMjx+Knx+Ab4Ca/RMsF15MI+IIUAV0kbgkZTtN6VeLZELo1C99hV/Ot4T1yJwAA4zU9fkRdwuv86e2+f4n8Ibntyh6By9eV3rJQ5FOZE+Wu+N1Yjkhn0JuoRSNmlY4o+qMvv//2zJm0rK3xXL7L9T6zz/CXllU+qIEXFd67uS1taBykurfdYqbNy1BXZwSqPLpWUQt1Icr3fwdORhEvVZi3TX5PkUtYY2omHSmrFDIX5IRDpvcNSgNyGBjeeXXtOgxSXviM5dkg+010rGN1m7sU5zEgGH8h5f+iLJTyk7ZYE6NeZUnz6ueYCm2tfkXABcJGcizm9NR4WFXgUyVhmShAKnl/ibHfEI8IykY6PDIZbRv3AdfG8tZnqZeb8NYKFOzumRpA8MmmIFMvImu/JWb/SP0WbUZWg3Lt39f1EUnTe2+6HgXCXMCf39SoSNiuSWVDux7rte2dtYRwNssXKSMtXbSw12nG08+UE+k428PU/ZA7d/r+InLoUCZlprYMzd3lqJOLwnpGAJI+0KeAlyg86ZXGP2GukkIGjG8idjKBWpvqL/euEHNNfBIqpIdAjuQAKXsmeRq7fc2sC+ntLiUtuG0iu4Pr5THZBcNX9g+iSxZNCrZ1ShbcFzZ0tej74Xk64QWcLkjH9xQ5v6k/I02zDp+4XpQ6/iFL87Bh9jJD7ZtbMV3cWL3I5xQULhfw/475Ip0jnBfXY+JArydLESbTrWhGcNo1BYO5SRy+FPuP6IH1knm0v4VZlacAELHL6IzUfmjtagkFs3hGDkzYGKEJ6xFGmgRjhmUcWfLCp7Xwkl0IM5FJw21IfQpQojn8S5Lj2KPQkE1WkNkhJx/j3fLMLgbNfrfjeo9pWPFQo6byGz+K+PJ+Cwo0ZbttwUYL2GucrayJxqPShrxKLFb9v3iCWLIYMVcfgA7LpXdS+6lmOUZxrepO0jSugA5fQv8kHvvwkA0DQwU85yViJVK94hBaY75RKqwiI4Tfsqu5pFoq0Z6uCwJ5gfpbG/hF8wqoj0ybbFt1b+QQdS8cEjZtnS/LyLvl35oLIF4q2J/oda0ESYRsx8wA7UGAK8KKDGyOihfXywxgE4CU3ko1PNy9A6KZBaYzertv3uHeBJH2JC9H1qErVSG8dIk3BbAVtIsJ+OMEbbS+mSuMa42Fl5hLjwbB4V7K2iWEp+w+JZ+1NTCJxXqZze/YLwg/UPb/HJyqAqKkFku8ctNUPqsVtu2FjqDSEezp5stKsqsjyfdBAouLetvlrlp5lMOyd12Yi4VTlu/8AXRFbWCFf73feCj8NULfc0vqfjSfZ0HoirsvomNYn5GABtU75DiKOZgptCEYzfPnmcx6M6F2DgYB4ITTP2XV8+ousV7sEOSw18Gd40lSQmi25bmKUAnKIINhyki0IX/76e6LdYfvWWJTGzFOiZ+KuufFS0vTZEQnVnEpXviz+DqyQzKxiWVAId8mdXOZv4rmDXjeEEOkqLe/ZoIT8udAy+xRdhHXyTpnDj9VoU4oVIkwGg/scKxIrRn7FzcVEk6o7V4cmgGcOwmf42JYy92F+xZu0Ro4Fx4aMpR63P/UADAfidp59dPBJBJrEtVeBkVqposXpKcFYPHKHdyq6FRzAd2aM8RzmVaWiIadl4YDXNN7IiAAMv+G0MqmgBwKHWdhqac2eLRn+giLEwJgiqSUpeedeXobdqZOF6uoJ2jTmxgzBgyVqvGXkKKex5ZnskC9P7EQXhHEGZ5L0KhXgtHxPIZ4coRlfaepVbIq12quYqN3Y3WgfCrmZ4BAQf2h3TMgwUSYCHrHlAPapjT+NLeoJYvaxlY3Z8aB6G3JCcQ4fCeVo0c0mw+wDFOnfaxr26DsReIde+o7I6nOyqag1Reg13GlDzshLN35WmPHDwc2XDUD+vaNQBYBg0ED99UPxjaptvHdgxABfLVNieAxL7UBc327uKcl+n4fs69fwdsQGWIw7d2vSpKjFyalG/1EDHvq1Cgh5LmAAiyyTnBTa76nzQrIK+37hTO+vRBKdsgkdnET+DPNNRv5aR1RWJABSBJV3kV23SxxMjMmqIIr2DxgROOmspYZZ4AK9o8cT7tJBaHWvan0aplwcb/ALoWFBLDweGa0Dc+JXFHhwd4nKy8mRdC7IKZJzUlfEukKXvmEB19fWKvfOfHQkxQEwSss9LO+QQ3BKdjGjrKFDsKIpfUotoSH85KG9+pndOXxD7xDbNsPajtxFMXZxydh7xIK91+P7ekRN7gjMUIoDSs3jhOtpqG5+yYxTgT7PwCU1RCTqD9mG2rIioUsS1+Oz8OYHJvuYvBFzQftJDSkeaP1Ib2kHlFEP5ZLnLbiPAVKyW3RqoMPqXDFpkRl8qyo6YGigP2h5AP3EyxAZ3olZuqIjNKb1aKngO0rADdgNg2X5bTej3eD5w/+5S77oPj2mXnIZAseCrhysxuZTaY4HR3jWLMud8aGpMIREdjIUcRo/Jlpoch5RpLLjxQAOKhLm0zuq75naOqzDyphDiXEbvavcEFHuLHFjfUFjfkFoZuWG2sttUMeOJ+NnL7JaoSSe/WFI4S4s+OIpe2yJoWCJZX4O3n2kHoapNgQz8eEcZyPvx6WCuo55UYfUa6nbOGtCyUm8027mv/8w2QrZAFxJPhf1+I10kFp6MoO1ho/RAVvEv3j1gQXDgvsGxEpkN0TWtzHCOmai74md

Source: classification engine

Classification label: mal80.spre.troj.adwa.spyw.evad.winMSI@110/330@13/10

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		18_2_0040338F
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B1C7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,		36_2_00007FF7682B1C7C

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C49E060 _wfindnext32i64,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,_getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,memset,GetDiskFreeSpaceA,GetLastError,_errno,

15_2_6C49E060

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe

Code function: 8_2_00007FF6281C1000 GetConsoleWindow,ShowWindow,GetConsoleWindow,ShowWindow,CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,system,system,system,system,system,system,wcsstr,Process32NextW,CloseHandle,MessageBoxW,

8_2_00007FF6281C1000

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Code function: 18_2_00402104 CoCreateInstance,

18_2_00402104

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Code function: 36_2_00007FF7682B2C44 lstrcpyW,LoadLibraryW,FindResourceW,LoadResource,LockResource,lstrlenW,lstrcpyW,FreeLibrary,CreateEventW,CreateThread,SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,

36_2_00007FF7682B2C44

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

File created: C:\Program Files (x86)\letsvpn

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7252
Source: C:\Windows\System32\drvinst.exe	Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Program Files (x86)_letsvpn_app-3.9.1_Log_
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3260:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7440:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Instance: ESENT Performance Data Schema Version 295
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MSDTC_STATS_EVENT
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFC52D39C2AE145962.TMP

Jump to behavior

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\msiwrapper.ini

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_USERSS-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SBSLMD5qhm.msi	ReversingLabs: Detection: 44%
Source: SBSLMD5qhm.msi	Virustotal: Detection: 32%

Source: tapinstall.exe	String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: tapinstall.exe	String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SBSLMD5qhm.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7BAC104BD5378FDDE0B63E7FB4B3F634
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8446B195F51217FC669CD1E61AA0CBB0 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "FileVPN.exe"
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe "FileVPN.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe Regsvr32.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1512
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "c:\program files (x86)\letsvpn\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000144"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7BAC104BD5378FDDE0B63E7FB4B3F634	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8446B195F51217FC669CD1E61AA0CBB0 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "FileVPN.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe Regsvr32.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe "FileVPN.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe Regsvr32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1512
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "c:\program files (x86)\letsvpn\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000144"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: msvcp120.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: msvcr120.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: desk_compositor_x86.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: msvcr120.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Section loaded: symsrv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wininetlui.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: spinf.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: drvstore.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: newdev.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netsetupengine.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\msiwrapper.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}

Jump to behavior

Source: SBSLMD5qhm.msi

Static file information: File size 17215488 > 1048576

Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987784573.0000000005BB2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\symbols\dll\bcryptprimitives.pdb^ source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.00000000043D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr
Source:	Binary string: NetSetupEngine.pdb source: service.0.etl.44.dr
Source:	Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdbSHA256 source: System.IO.Packaging.dll.18.dr
Source:	Binary string: wkernel32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000146A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdbSHA256h source: System.Configuration.ConfigurationManager.dll.18.dr
Source:	Binary string: D:\Desktop\ConsoleApplication1\x64\Release\ConsoleApplication1.pdb source: FileVPN3.8.1.exe, 00000008.00000000.1754504948.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmp, FileVPN3.8.1.exe, 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmp, SBSLMD5qhm.msi
Source:	Binary string: ucrtbase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\symbols\dll\bcryptprimitives.pdbV source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.00000000043D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdb source: System.Security.Cryptography.Xml.dll.18.dr
Source:	Binary string: c:\TeamCity\buildAgent\work\1f6e193703b8b174\WindowsInput\obj\Release\WindowsInput.pdb source: WindowsInput.dll.18.dr
Source:	Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3021368237.0000000036292000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.18.dr
Source:	Binary string: wrpcrt4.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbata\Microsoft\Windows\Start Menu\Programs\StartUp\ source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001465000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1776545841.0000000003370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: tapinstall.exe, tapinstall.exe, 00000024.00000000.2482529191.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000024.00000002.2484945033.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000002.2534402271.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000000.2486085059.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000002.2559009241.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000000.2557641034.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe.18.dr
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdbon source: Microsoft.Web.WebView2.Wpf.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdbSHA256T source: System.IO.Ports.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3007496135.0000000030602000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdbSHA256 source: System.ServiceModel.Duplex.dll.18.dr
Source:	Binary string: advapi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: ucrtbase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.ResourceManager\4.0.1.0\System.Resources.ResourceManager.pdb source: System.Resources.ResourceManager.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3007496135.0000000030602000.00000002.00000001.01000000.00000030.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000557941.000000002F452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: wkernelbase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001470000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000145F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb4)N) @)_CorDllMainmscoree.dll source: System.Security.Cryptography.Csp.dll.18.dr
Source:	Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdb source: System.Management.Automation.dll.18.dr
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\winforms_control\Microsoft.Web.WebView2.WinForms\obj\release\net45\Microsoft.Web.WebView2.WinForms.pdb source: Microsoft.Web.WebView2.WinForms.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Drawing.Primitives\4.0.2.0\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.18.dr
Source:	Binary string: bcryptprimitives.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.000000000451B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.DriveInfo\4.0.2.0\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\sechost.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.18.dr
Source:	Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 0000002A.00000003.2502236025.000001F1083BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdbSHA256 source: Squirrel.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.ThreadPool\4.0.12.0\System.Threading.ThreadPool.pdb source: System.Threading.ThreadPool.dll.18.dr
Source:	Binary string: advapi32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004505000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3027350728.00000000368A2000.00000002.00000001.01000000.0000003C.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Console\4.0.2.0\System.Console.pdb source: System.Console.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdb source: System.Configuration.ConfigurationManager.dll.18.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: System.ComponentModel.EventBasedAsync.dll.18.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: LetsPRO.exe, 0000003B.00000000.2594918615.000000000037D000.00000002.00000001.01000000.00000016.sdmp, LetsPRO.exe, 0000003B.00000002.2607988542.000000000037D000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$> 0*_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.18.dr
Source:	Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb/5I5 ;5_CorDllMainmscoree.dll source: System.IO.Pipes.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TraceSource\4.0.2.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.18.dr
Source:	Binary string: wntdll.pdbUGP source: runshelldraw_x86.exe, 0000000F.00000002.1776545841.0000000003370000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdb source: System.IO.Packaging.dll.18.dr
Source:	Binary string: D:\module_code\bin\Release\runshelldraw_x86.pdb source: expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000145D000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1775418928.0000000000D45000.00000002.00000001.01000000.00000007.sdmp, runshelldraw_x86.exe, 0000000F.00000000.1761413342.0000000000D45000.00000002.00000001.01000000.00000007.sdmp, runshelldraw_x86.exe.10.dr
Source:	Binary string: wrpcrt4.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdbt+ source: System.Xml.XmlSerializer.dll.18.dr
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988360275.0000000006372000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: LetsPRO.exe, 0000003C.00000002.2987712048.0000000005BA2000.00000002.00000001.01000000.00000020.sdmp, System.Runtime.CompilerServices.Unsafe.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: System.Linq.Parallel.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: LetsPRO.exe, 0000003C.00000002.3008296013.0000000030782000.00000002.00000001.01000000.00000031.sdmp, SQLitePCLRaw.core.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\shlwapi.pdb\*6 source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008449399.00000000307A2000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shcore.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdb source: SharpCompress.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: System.Xml.XPath.dll.18.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdb source: Squirrel.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@Z L*_CorDllMainmscoree.dll source: System.Runtime.CompilerServices.VisualC.dll.18.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.18.dr
Source:	Binary string: msvcr120.i386.pdb source: runshelldraw_x86.exe, runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBF000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, msvcr120.dll.12.dr
Source:	Binary string: NetSetupSvc.pdb source: service.0.etl.44.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: System.ValueTuple.dll.18.dr
Source:	Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3027350728.00000000368A2000.00000002.00000001.01000000.0000003C.sdmp
Source:	Binary string: msvcp120.i386.pdb source: runshelldraw_x86.exe, runshelldraw_x86.exe, 0000000F.00000002.1782322010.000000006C511000.00000020.00000001.01000000.00000009.sdmp, runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBA000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr
Source:	Binary string: combase.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime\4.1.2.0\System.Runtime.pdb source: System.Runtime.dll.18.dr
Source:	Binary string: msvcr120.i386.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: LetsPRO.exe, 0000003C.00000002.2987784573.0000000005BB2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdbSHA256 source: System.Threading.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.18.dr
Source:	Binary string: wkernel32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000146A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp120.i386.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003EBA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8lC:\ProgramDabcryptprimitives.pdbdbrt Menu\Programs\StartUpP: source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001476000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdb source: System.ServiceModel.Duplex.dll.18.dr
Source:	Binary string: shcore.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004510000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb source: System.AppContext.dll.18.dr
Source:	Binary string: wgdi32full.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2982446572.0000000004CD2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdbSHA256/T source: MdXaml.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: LetsPRO.exe, 0000003C.00000002.3061255989.0000000067577000.00000002.00000001.01000000.00000034.sdmp, e_sqlite3.dll1.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3000412976.000000002F442000.00000002.00000001.01000000.00000025.sdmp, Microsoft.AppCenter.Analytics.dll.18.dr
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3030029502.0000000037D02000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.18.dr
Source:	Binary string: shcore.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004510000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.0000000004516000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: "ry..primitives.pdb\*H source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: apphelp.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001476000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: wgdi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\advapi32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdb source: System.ServiceProcess.ServiceController.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shlwapi.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\shlwapi.pdbb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdbSHA256 source: System.IO.FileSystem.AccessControl.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: System.Data.Odbc.dll.18.dr
Source:	Binary string: Extract: Mono.Cecil.Pdb.dll... 100% source: FileVPN.exe, 00000012.00000003.2595341820.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, FileVPN.exe, 00000012.00000002.2596107645.00000000007BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdbL source: SharpCompress.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: System.Security.Cryptography.X509Certificates.dll.18.dr
Source:	Binary string: E:\A\_work\1795\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdbT source: System.ValueTuple.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: System.Security.Cryptography.Csp.dll.18.dr
Source:	Binary string: msvcp_win.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: Microsoft.Web.WebView2.Wpf.dll.18.dr
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2982353960.0000000004CC2000.00000002.00000001.01000000.0000001B.sdmp, LetsVPNDomainModel.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: System.Security.Cryptography.Xml.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel\4.0.1.0\System.ComponentModel.pdb source: System.ComponentModel.dll.18.dr
Source:	Binary string: NetSetupApi.pdbb source: service.0.etl.44.dr
Source:	Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdbwD source: LetsPRO.exe, 0000003C.00000002.2982353960.0000000004CC2000.00000002.00000001.01000000.0000001B.sdmp, LetsVPNDomainModel.dll.18.dr
Source:	Binary string: Windows.Storage.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\third_party\edge_webview2\win\webview2_api_writer\dotNetAPIWrapper\Microsoft.Web.WebView2.Core\bin\ReleasePackage\Microsoft.Web.WebView2.Core.pdb source: Microsoft.Web.WebView2.Core.dll.18.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987886234.0000000005BC2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdbSHA256 source: System.Security.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: LetsPRO.exe, 0000003C.00000002.3000557941.000000002F452000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: System.Threading.Tasks.Extensions.dll.18.dr
Source:	Binary string: pr..itives.pdbH source: runshelldraw_x86.exe, 0000000F.00000002.1775764028.0000000000FC8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: System.AppContext.dll.18.dr
Source:	Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdbSHA256x source: System.Data.Odbc.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\dll\advapi32.pdbdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000141E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdb source: Mono.Cecil.Rocks.dll.18.dr
Source:	Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: LetsPRO.exe, 0000003C.00000002.3030029502.0000000037D02000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: System.ServiceProcess.ServiceController.dll.18.dr
Source:	Binary string: dbghelp.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SBSLMD5qhm.msi, MSIEEFF.tmp.1.dr
Source:	Binary string: combase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001465000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: LetsPRO.exe, 0000003C.00000002.3029756313.0000000037BE2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdb source: System.IO.Ports.dll.18.dr
Source:	Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.18.dr
Source:	Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdbSHA256 source: Mono.Cecil.Rocks.dll.18.dr
Source:	Binary string: wgdi32full.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading\4.0.11.0\System.Threading.pdb source: System.Threading.dll.18.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdb source: System.Threading.AccessControl.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: System.Security.Claims.dll.18.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987712048.0000000005BA2000.00000002.00000001.01000000.00000020.sdmp, System.Runtime.CompilerServices.Unsafe.dll.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\advapi32.pdbn source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.000000000150A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3008449399.00000000307A2000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: dbghelp.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1777176944.0000000003F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdb source: MdXaml.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3000412976.000000002F442000.00000002.00000001.01000000.00000025.sdmp, Microsoft.AppCenter.Analytics.dll.18.dr
Source:	Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdbSHA2569v'` source: System.Management.Automation.dll.18.dr
Source:	Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: tapinstall.exe, 00000024.00000000.2482529191.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000024.00000002.2484945033.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000002.2534402271.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000026.00000000.2486085059.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000002.2559009241.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe, 00000039.00000000.2557641034.00007FF7682B1000.00000020.00000001.01000000.00000015.sdmp, tapinstall.exe.18.dr
Source:	Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3029756313.0000000037BE2000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: LetsPRO.exe, 0000003C.00000002.3008685058.00000000307D2000.00000002.00000001.01000000.00000033.sdmp, SQLitePCLRaw.nativelibrary.dll.18.dr
Source:	Binary string: NetSetupApi.pdb source: service.0.etl.44.dr
Source:	Binary string: wgdi32.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb( source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.0000000001470000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1779980931.000000000451B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdbL#L source: LetsPRO.exe, 0000003C.00000002.2988360275.0000000006372000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: System.Collections.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.18.dr
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008296013.0000000030782000.00000002.00000001.01000000.00000031.sdmp, SQLitePCLRaw.core.dll.18.dr
Source:	Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.18.dr
Source:	Binary string: wuser32.pdb source: runshelldraw_x86.exe, 0000000F.00000002.1775901127.00000000014DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3008685058.00000000307D2000.00000002.00000001.01000000.00000033.sdmp, SQLitePCLRaw.nativelibrary.dll.18.dr
Source:	Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp

Source: System.CodeDom.dll.18.dr

Static PE information: 0x85275064 [Mon Oct 15 20:36:52 2040 UTC]

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Code function: 36_2_00007FF7682B5D18 GetFullPathNameW,GetFileAttributesW,LoadLibraryW,GetProcAddress,__iob_func,GetLastError,printf,__iob_func,FreeLibrary,

36_2_00007FF7682B5D18

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_00D43D05 push ecx; ret	15_2_00D43D18
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3F05AD pushad ; iretd	15_2_6C3F05AE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3FB735 push ecx; ret	15_2_6C3FB748
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C42EDC3 push ecx; ret	15_2_6C42EDD6
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4349D7 push ecx; ret	15_2_6C4349EA
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C457BA8 pushad ; iretd	15_2_6C457BB6
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4552B4 push eax; ret	15_2_6C4552D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C517DF6 push ecx; retf 0003h	15_2_6C517E6D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C517E8A push ecx; retf 0003h	15_2_6C517E6D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C54BA45 push ecx; ret	15_2_6C54BA58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_02CB5A2C push edi; retf	32_2_02CB5A32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_02CB5A37 push edi; retf	32_2_02CB5A3E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_02CB6820 push eax; ret	32_2_02CB6833
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_073866DB push FFFFFFE8h; iretd	32_2_073866DD
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00368835 push ecx; ret	59_2_00368848
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00368C76 push ecx; ret	59_2_00368C89
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05AD8F7D push es; ret	60_2_05AD8F88
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05AD8DF1 push ds; ret	60_2_05AD8E02
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_05AD804A push ss; retf	60_2_05AD805D
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_307A6890 push cs; retn 0004h	60_2_307A6EEA
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B3A0A push es; retn 0001h	60_2_368B3A91
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B3A94 push es; retn 0001h	60_2_368B3A91
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_368B37BC push es; retn 0001h	60_2_368B3A91
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_37D0760E push cs; ret	60_2_37D07612

Source: 81edc0915ea6864aac385e5a3ec27eaa.tmp.6.dr	Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.12.dr	Static PE information: section name: .text entropy: 6.95576372950548

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ko\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\fr\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.SystemEvents.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF28A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\PusherClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\pt-BR\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Rocks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\pl\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Squirrel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Ports.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Web.Services.Description.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\WindowsInput.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.nativelibrary.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\msvcp120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.CodeDom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\de\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Syndication.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET1348.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Pdb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Management.Automation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB3C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.IPNetwork.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Configuration.ConfigurationManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Analytics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.AccessControl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\0a44da956e4f4348b70f90f5a63f8a19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\microsoft.identitymodel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SharpCompress.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.SqlClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensionsAsync.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\2b5b114ccdb3e048bd6a932b2bf29f69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNDomainModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.NetTcp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Pkcs.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\9bac9942738246429eadfaf2ebba18a1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\WebSocket4Net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Duplex.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.WinForms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Drawing.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.MsDelta.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ToastNotifications.Messages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.PatchApi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Crashes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\ndp462-web.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Buffers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ja\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-SG\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Hardcodet.Wpf.TaskbarNotification.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Utils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\desk_compositor_x86.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\tr\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\5985ccaab8164b40a1c1ca44621e6eb9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\Update.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Packaging.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.ProtectedData.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ru\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Permissions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\x64\WebView2Loader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Security.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\runshelldraw_x86.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\uninst.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ToastNotifications.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\es\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLite-net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\cs\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.PerformanceCounter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-CN\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\MdXaml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\x86\WebView2Loader.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\81edc0915ea6864aac385e5a3ec27eaa.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNInfraStructure.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\SuperSocket.ClientEngine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\e8d300304718b54d9e84334fbab4ba69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Bcl.AsyncInterfaces.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.CodePages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-Hant\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Odbc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ICSharpCode.AvalonEdit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\it\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-TW\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\NuGet.Squirrel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEEFF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Mdb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-MO\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\ru\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-HK\LetsPRO.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID403.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.OleDb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\arm64\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\zh-Hans\System.Web.Services.Description.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Http.dll	Jump to dropped file

Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEEFF.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\SET1348.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDC22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID403.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF28A.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB3C.tmp	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage

Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\LetsVPN.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\Uninstall.lnk	Jump to behavior

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C44D40E EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_6C44D40E

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes			Jump to behavior
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 Blob

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{39123AA6-7B3B-4B52-B2EC-63CEB99F9B9B}"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{39123AA6-7B3B-4B52-B2EC-63CEB99F9B9B}"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_networkadapterconfiguration where ServiceName = 'tap0901'
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{39123AA6-7B3B-4B52-B2EC-63CEB99F9B9B}"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{39123AA6-7B3B-4B52-B2EC-63CEB99F9B9B}"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select MACAddress From Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Memory allocated: B60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Memory allocated: 4630000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Code function: 36_2_00007FF7682B20D8 ??2@YAPEAX_K@Z,GetLastError,??3@YAXPEAX@Z,??2@YAPEAX_K@Z,SetupDiGetDeviceRegistryPropertyW,??3@YAXPEAX@Z,

36_2_00007FF7682B20D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 300000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 890	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6130
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3658
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Window / User API: threadDelayed 3761
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Window / User API: threadDelayed 5061

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.PatchApi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\ndp462-web.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.SystemEvents.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF28A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Buffers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\PusherClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Hardcodet.Wpf.TaskbarNotification.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Rocks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Utils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Squirrel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\5985ccaab8164b40a1c1ca44621e6eb9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\Update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Ports.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Packaging.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.ProtectedData.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\WindowsInput.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Web.Services.Description.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.nativelibrary.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Permissions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\x64\WebView2Loader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDC22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.CodeDom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Syndication.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\SET1348.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Pdb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\uninst.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Management.Automation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\ToastNotifications.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLite-net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.Annotations.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB3C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.PerformanceCounter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.IPNetwork.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\MdXaml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Configuration.ConfigurationManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\x86\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Analytics.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\81edc0915ea6864aac385e5a3ec27eaa.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNInfraStructure.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SuperSocket.ClientEngine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\0a44da956e4f4348b70f90f5a63f8a19.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Pipes.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Cng.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\microsoft.identitymodel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SharpCompress.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensionsAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.SqlClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Odbc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\ICSharpCode.AvalonEdit.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNDomainModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\driver\tap0901.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\NuGet.Squirrel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.NetTcp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEEFF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Mdb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Pkcs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\WebSocket4Net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Duplex.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.WinForms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\tap0901.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Drawing.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.MsDelta.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID403.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.OleDb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\arm64\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Http.dll	Jump to dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	API coverage: 1.1 %
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	API coverage: 6.4 %
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	API coverage: 7.6 %
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	API coverage: 3.3 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe TID: 3760	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe TID: 1340	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe TID: 3588	Thread sleep time: -4800000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4624	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select SerialNumber From Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation	Jump to behavior

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DF230 SHGetFolderPathW,SHGetFolderPathW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,SHGetFolderPathW,SHGetFolderPathW,FindFirstFileW,FindNextFileW,FindClose,	15_2_6C3DF230
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3F0B1B FindFirstFileExW,FindNextFileW,FindClose,FindClose,	15_2_6C3F0B1B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49EB97 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,__fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49EB97
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49C41C _mbsdec,_mbscmp,_mbscmp,_strdup,strlen,_calloc_crt,__cftof,strcpy_s,_mbsicmp,_invoke_watson,_malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	15_2_6C49C41C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49E748 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,_errno,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49E748
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49C385 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	15_2_6C49C385
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DCF7 _wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DCF7
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C435C91 _wstat64i32,_wcspbrk,towlower,FindFirstFileExW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,_getdrive,GetLastError,GetLastError,_wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,GetDriveTypeW,free,free,_wsopen_s,__fstat64i32,_close,_errno,__dosmaperr,FindClose,__dosmaperr,FindClose,	15_2_6C435C91
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DF35 _wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DF35
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49D86F _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49D86F
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49DA9B _wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,	15_2_6C49DA9B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C49F00C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,	15_2_6C49F00C
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	18_2_004059CC
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_004065FD FindFirstFileW,FindClose,	18_2_004065FD
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Code function: 18_2_00402868 FindFirstFileW,	18_2_00402868
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B71EC GetWindowsDirectoryW,FindFirstFileW,__iob_func,__iob_func,__iob_func,FindNextFileW,FindClose,	36_2_00007FF7682B71EC
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00364318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,	59_2_00364318

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C4C08AC _resetstkoflw,VirtualQuery,GetSystemInfo,__crtSetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

15_2_6C4C08AC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Thread delayed: delay time: 300000

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: svchost.exe, 0000002C.00000003.2527119325.0000025C4BD17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@ethernetwlanppipvmnetextension0A}
Source: ModuleAnalysisCache.60.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033EAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Serviceonic
Source: LetsPRO.exe, 0000003C.00000002.3018045164.000000003425E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: LetsPRO.exe, 0000003C.00000002.3033163420.0000000038159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: LetsPRO.exe, 0000003C.00000002.3033163420.0000000038159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductFTSDFU71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.None
Source: LetsPRO.exe, 0000003C.00000002.3018045164.000000003425E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisors
Source: LetsPRO.exe, 0000003C.00000002.3033163420.0000000038159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: LetsPRO.exe, 0000003C.00000002.3004673584.000000003015C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Servicel^
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033FB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q)Hyper-V Hypervisor Root Virtual Processor
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F0D000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2985679411.00000000055CE000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.3002515195.000000002FFC1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003D.00000002.2964938909.00000163DCA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003D.00000002.2966949666.00000163E205A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000017.00000002.1883304048.0000000002F0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(S
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033FB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus PipeswD
Source: ARP.EXE, 00000049.00000002.2701633572.00000000032EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: ModuleAnalysisCache.60.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svchost.exe, 0000003E.00000002.2963411100.000001D9AE079000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000046.00000002.2695157170.0000000000930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q$Hyper-V Hypervisor Logical Processor
Source: svchost.exe, 0000002C.00000003.2526192111.0000025C4BD1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .@vmnetextension
Source: LetsPRO.exe, 0000003C.00000002.3012277253.0000000033EF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jeyljxticjdvdxs Bus
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q*Hyper-V Dynamic Memory Integration Service
Source: LetsPRO.exe, 0000003C.00000002.3032484311.0000000038104000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: ModuleAnalysisCache.60.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q!Hyper-V Hypervisor Root Partition
Source: LetsPRO.exe, 0000003C.00000002.2964203103.0000000000903000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jeyljxticjdvdxs Bus Pipes90
Source: svchost.exe, 0000003E.00000002.2962888773.000001D9AE000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q!Hyper-V Virtual Machine Bus Pipes
Source: System.Management.Automation.dll.18.dr	Binary or memory string: VirtualMachine

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	API call chain: ExitProcess graph end node			graph_15-109354
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe

Code function: 8_2_00007FF6281C18F8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF6281C18F8

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C4C4E66 EncodePointer,EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

15_2_6C4C4E66

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C4C08AC VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

15_2_6C4C08AC

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Code function: 36_2_00007FF7682B5D18 GetFullPathNameW,GetFileAttributesW,LoadLibraryW,GetProcAddress,__iob_func,GetLastError,printf,__iob_func,FreeLibrary,

36_2_00007FF7682B5D18

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DF1E0 mov eax, dword ptr fs:[00000030h]	15_2_6C3DF1E0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3DF210 mov eax, dword ptr fs:[00000030h]	15_2_6C3DF210
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00375217 mov eax, dword ptr fs:[00000030h]	59_2_00375217
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036EDE2 mov eax, dword ptr fs:[00000030h]	59_2_0036EDE2
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6756F366 mov eax, dword ptr fs:[00000030h]	60_2_6756F366
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_6756F3AA mov eax, dword ptr fs:[00000030h]	60_2_6756F3AA

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C3F226A GetProcessHeap,

15_2_6C3F226A

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Code function: 8_2_00007FF6281C1AA0 SetUnhandledExceptionFilter,	8_2_00007FF6281C1AA0
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Code function: 8_2_00007FF6281C1404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6281C1404
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Code function: 8_2_00007FF6281C18F8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6281C18F8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_00D43D3C ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	15_2_00D43D3C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3EA963 SHGetFolderPathW,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6C3EA963
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3E464C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6C3E464C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C3E41E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6C3E41E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C4C480C __crtUnhandledException,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6C4C480C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C44C7DB __crtSetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	15_2_6C44C7DB
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B7680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00007FF7682B7680
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B1178 SetUnhandledExceptionFilter,	36_2_00007FF7682B1178
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Code function: 36_2_00007FF7682B7798 SetUnhandledExceptionFilter,	36_2_00007FF7682B7798
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00368A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	59_2_00368A28
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_0036DAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	59_2_0036DAD2
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00368E32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	59_2_00368E32
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: 59_2_00368FC5 SetUnhandledExceptionFilter,	59_2_00368FC5
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_675694B0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	60_2_675694B0

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 188.114.96.3 8443

Allocates memory in foreign processes

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Memory allocated: C:\Windows\SysWOW64\regsvr32.exe base: 2BB0000 protect: page execute and read and write

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"

Contains functionality to inject code into remote processes

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C3E20B0 VirtualAlloc,VirtualAlloc,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,ReadProcessMemory,VirtualProtect,VirtualProtect,ResumeThread,VirtualProtectEx,ReadProcessMemory,VirtualProtectEx,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,TerminateProcess,GetCurrentProcess,TerminateProcess,

15_2_6C3E20B0

Writes to foreign memory regions

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Memory written: C:\Windows\SysWOW64\regsvr32.exe base: 2BB0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start "" "FileVPN.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe Regsvr32.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe "FileVPN.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe Regsvr32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1512
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Process created: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe"
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a

Source: runshelldraw_x86.exe	Binary or memory string: Program Manager
Source: runshelldraw_x86.exe, 0000000F.00000002.1776990295.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2994017311.000000000F148000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.3021368237.0000000036292000.00000002.00000001.01000000.00000035.sdmp	Binary or memory string: Shell_TrayWnd
Source: runshelldraw_x86.exe	Binary or memory string: Progman
Source: LetsPRO.exe, 0000003C.00000002.3072334918.0000000068D50000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: AddFontResourceWAdjustWindowRectAlready ReportedAssocIsDangerousAuditSetSecurityBITMAPINFOHEADERBringWindowToTopCRYPT_OBJID_BLOBCertControlStoreCheckRadioButtonCloseEnhMetaFileCoCreateInstanceCoGetCallContextCoGetInterceptorCoMarshalHresultCoTaskMemReallocCombineTransformConnectNamedPipeContent-EncodingContent-LanguageContent-Length: CopyEnhMetaFileWCreateDIBSectionCreateDirectoryWCreateHatchBrushCreateIpNetEntryCreateJobObjectWCreateMDIWindowWCreateNamedPipeWCreatePolygonRgnCreateSemaphoreWCreateSolidBrushCreateTimerQueueCryptDestroyHashCryptExportPKCS8CryptGetKeyParamCryptMsgGetParamCryptProtectDataCryptQueryObjectCryptSetKeyParamDAD_SetDragImageDPA_EnumCallbackDdeQueryConvInfoDdeSetUserHandleDeactivateActCtxDefMDIChildProcWDefineDosDeviceWDeleteColorSpaceDeleteIpNetEntryDeleteTimerQueueDestination-PortDispatchMessageWDnsNameCompare_WDrawCaptionTempWDrawFrameControlDuplicateTokenExEndBufferedPaintEngCreatePaletteEngDeletePaletteEngDeleteSurfaceEngGetDriverNameEngStretchBltROPEngUnlockSurfaceEnumChildWindowsEnumICMProfilesWExcludeUpdateRgnExtSelectClipRgnFONTOBJ_vGetInfoFRAME_SIZE_ERRORFindFirstFreeAceFindFirstVolumeWFlushFileBuffersGC scavenge waitGC worker (idle)GODEBUG: value "GdiGetBatchLimitGdiIsMetaPrintDCGdiSetBatchLimitGetAsyncKeyStateGetBestInterfaceGetCalendarInfoWGetClassLongPtrWGetClipboardDataGetComputerNameWGetConsoleAliasWGetConsoleTitleWGetConsoleWindowGetCurrentActCtxGetCurrentObjectGetCurrentThreadGetDIBColorTableGetDesktopWindowGetDllDirectoryWGetExpandedNameWGetFileSecurityWGetFullPathNameWGetGUIThreadInfoGetGestureConfigGetGlyphIndicesWGetGlyphOutlineWGetInterfaceInfoGetIpErrorStringGetKerningPairsWGetKeyboardStateGetLastInputInfoGetLogicalDrivesGetLongPathNameWGetMenuItemCountGetMenuItemInfoWGetMenuPosFromIDGetModuleHandleWGetNamedPipeInfoGetNetworkParamsGetOpenFileNameWGetPriorityClassGetProgmanWindowGetSaveFileNameWGetScrollBarInfoGetStringScriptsGetSysColorBrushGetSystemMetricsGetTaskmanWindowGetTcpStatisticsGetTempFileNameWGetThemeFilenameGetThemePartSizeGetThemePositionGetThemeSysColorGetThreadDesktopGetUdpStatisticsGetViewportExtExGetViewportOrgExGlobalDeleteAtomHANIMATIONBUFFERHost-Remote-ListIConnectionPointICreateErrorInfoILLoadFromStreamINTERFACE_HANDLEIOleAdviseHolderIOleInPlaceFrameIP_PREFIX_ORIGINIP_SUFFIX_ORIGINIPropertyStorageIUnknown_GetSiteIUnknown_SetSiteI_CryptDetachTlsI_RpcSendReceiveIcmpParseRepliesImageList_CreateImageList_DrawExImageList_RemoveImmConfigureIMEWImmCreateContextImmGetGuideLineWImmGetOpenStatusImmGetVirtualKeyImmRegisterWordWImmSetOpenStatusImperial_AramaicInitializeFlatSBInstRuneAnyNotNLInterfaceRemovedIntlStrEqWorkerWIpReleaseAddressIsBadHugeReadPtrIsDBCSLeadByteExIsDialogMessageWIsTokenUntrustedIsValidInterfaceJasonMarshalFailK32EnumProcessesLCIDToLocaleNameLPFNVIEWCALLBACKLPPERSISTSTORAGELPPRINTPAGERANGELPSHELLFLAGSTATELPSHFILEOPSTRUCTLPWPUPOSTMESSAGELPWSANSCLASSINFOLocalLinkAddressLocaleNameToLCIDLockWindowUpdateMIB_IPADDRROW_XPMIB_IPFORWARDROWMapVirtualKeyExWMeroitic_CursiveMonitorF
Source: LetsPRO.exe, 0000003C.00000002.2994017311.000000000F148000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nit.crash1ytics.com.nit.crash1ytics.com.Wnit.crash1ytics.com.nit.crash1ytics.com.nit.crash1ytics.com.qjiwxUnloadKeyboardLayoutUnregisterClassWUnregisterHotKeyUnregisterTouchWindowUpdateLayeredWindowUserHandleGrantAccessWINNLSGetEnableStatusWINNLSGetIMEHotkeyWaitForInputIdleCascadeChildWindowsDrawCaptionTempWGetAppCompatFlagsGetAppCompatFlags2GetCursorFrameInfoGetInternalWindowPosGetProgmanWindowGetTaskmanWindowMessageBoxTimeoutWPrivateExtractIconExWRegisterLogonProcessRegisterServicesProcessRegisterSystemThreadRegisterTasklistSetInternalWindowPosSetLogonNotifyWindowSetProgmanWindowSetShellWindowExSetSysColorsTempSetTaskmanWindowSetWindowStationUserTileChildWindowsUserRealizePaletteUserRegisterWowHandlersBeginPanningFeedbackEndPanningFeedbackUpdatePanningFeedbackBeginBufferedAnimationBeginBufferedPaintBufferedPaintClearBufferedPaintInitBufferedPaintSetAlphaBufferedPaintUnInitDrawThemeBackgroundDrawThemeBackgroundExEndBufferedAnimationEndBufferedPaintGetBufferedPaintBitsGetBufferedPaintDCGetCurrentThemeNameGetThemeAppPropertiesGetThemeEnumValueGetThemeFilenameGetThemePartSizeGetThemePositionGetThemePropertyOriginGetThemeSysColorGetThemeSysColorBrushGetThemeSysStringGetThemeTextExtentGetThemeTextMetricsHitTestThemeBackgroundIsThemePartDefinedSetThemeAppPropertiesGetFileVersionInfoSizeWGetFileVersionInfoWDrvGetModuleHandleGetDriverModuleHandleSendDriverMessagejoyReleaseCapturemciGetCreatorTaskmciGetErrorStringWmidiInGetDevCapsWmidiInGetErrorTextWmidiInGetNumDevsmidiInPrepareHeadermidiInUnprepareHeadermidiOutCacheDrumPatchesmidiOutCachePatchesmidiOutGetDevCapsWmidiOutGetErrorTextWmidiOutGetNumDevsmidiOutGetVolumemidiOutPrepareHeadermidiOutSetVolumemidiOutUnprepareHeadermidiStreamPositionmidiStreamPropertymidiStreamRestartmixerGetControlDetailsWmixerGetDevCapsWmixerGetLineControlsWmixerGetLineInfoWmixerSetControlDetailsmmioInstallIOProcWmmioStringToFOURCCWtimeGetSystemTimewaveInGetDevCapsWwaveInGetErrorTextWwaveInGetNumDevswaveInGetPositionwaveInPrepareHeaderwaveInUnprepareHeaderwaveOutBreakLoopwaveOutGetDevCapsWwaveOutGetErrorTextWwaveOutGetNumDevswaveOutGetPlaybackRatewaveOutGetPositionwaveOutGetVolumewaveOutPrepareHeaderwaveOutSetPlaybackRatewaveOutSetVolumewaveOutUnprepareHeaderjoyConfigChangedmciFreeCommandResourcemciGetDriverDatamciLoadCommandResourcemciSetDriverDatammGetCurrentTaskmmsystemGetVersionWSAAddressToStringWWSAAsyncGetHostByAddrWSAAsyncGetHostByNameWSAAsyncGetProtoByNameWSAAsyncGetServByNameWSAAsyncGetServByPortWSACancelAsyncRequestWSACancelBlockingCallWSADuplicateSocketWWSAEnumNetworkEventsWSAEnumProtocolsWWSAGetOverlappedResultWSAGetServiceClassInfoWWSAInstallServiceClassWWSALookupServiceBeginWWSALookupServiceEndWSALookupServiceNextWWSAProviderConfigChangeWSARecvDisconnectWSARemoveServiceClassWSASendDisconnectWSASetBlockingHookWSAStringToAddressWWSAUnhookBlockingHookWSApSetPostRoutineWSCDeinstallProviderWSCEnableNSProviderWSCEnumProtocolsWSCGetProviderPathWSCInstallNameSpaceWSCInstallProviderWSCUnInstallNameSpaceWSCWriteProviderOrder
Source: runshelldraw_x86.exe, 0000000F.00000000.1761413342.0000000000D45000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: WorkerWSHELLDLL_DefViewSysListView32Program ManagerProgman;=/init:/init/uninit%d,%d,%d,%d%x,%x%d
Source: runshelldraw_x86.exe, 0000000F.00000002.1776990295.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2994017311.000000000F148000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: runshelldraw_x86.exe.10.dr	Binary or memory string: a@WorkerWSHELLDLL_DefViewSysListView32Program ManagerProgman;=/init:/init/uninit%d,%d,%d,%d%x,%x%d

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C3E4468 cpuid

15_2_6C3E4468

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_6C3F8C03
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,	15_2_6C3F88FE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_6C3F8A27
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,	15_2_6C3F8B2D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: EnumSystemLocalesW,	15_2_6C3F1B43
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: EnumSystemLocalesW,	15_2_6C3F853A
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: EnumSystemLocalesW,	15_2_6C3F8538
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: EnumSystemLocalesW,	15_2_6C3F8585
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: EnumSystemLocalesW,	15_2_6C3F8620
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_6C3F86AB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,	15_2_6C3F2013
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtGetLocaleInfoEx,GetLocaleInfoW,	15_2_6C440F41
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: GetLocaleInfoW,_errno,_invalid_parameter_noinfo,_errno,_errno,_errno,_invalid_parameter_noinfo,	15_2_6C43CADD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtGetLocaleInfoEx,wcsncmp,	15_2_6C44845E
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtGetLocaleInfoEx,_wcsicmp,_wcsnicmp,_TestDefaultCountry,wcslen,wcsncpy_s,_getptd,__crtGetLocaleInfoEx,_wcsicmp,__crtGetLocaleInfoEx,_wcsicmp,wcslen,wcsncpy_s,wcslen,_TestDefaultCountry,wcslen,_invoke_watson,__crtGetLocaleInfoEx,	15_2_6C448579
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtEnumSystemLocalesEx,EnumSystemLocalesW,	15_2_6C448660
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: wcslen,wcslen,__crtEnumSystemLocalesEx,	15_2_6C448683
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,IsValidCodePage,wcslen,wcsncpy_s,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,_itow_s,_GetLocaleNameFromLanguage,_GetLocaleNameFromLanguage,__crtGetLocaleInfoEx,_invoke_watson,	15_2_6C448036
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: wcscmp,wcscmp,_wtol,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	15_2_6C447FE9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,_wcsicmp,_TestDefaultLanguage,	15_2_6C4C9841
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: wcscmp,wcscmp,GetLocaleInfoW,_wtol,GetLocaleInfoW,GetACP,	15_2_6C4C996B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,WideCharToMultiByte,_freea_s,malloc,	15_2_6C441A74
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,GetLocaleInfoW,_GetPrimaryLen,wcslen,	15_2_6C4C9A2C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,memset,_getptd,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	15_2_6C4C9A96
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: __crtGetLocaleInfoEx,free,_calloc_crt,strncpy_s,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,GetLastError,_calloc_crt,free,free,_invoke_watson,_malloc_crt,memcpy,_siglookup,	15_2_6C441BFC
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,	15_2_6C4C945C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,wcslen,wcslen,_GetPrimaryLen,EnumSystemLocalesW,	15_2_6C4C954C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,wcslen,EnumSystemLocalesW,	15_2_6C4C950C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,wcslen,_GetPrimaryLen,EnumSystemLocalesW,	15_2_6C4C95C9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,GetLocaleInfoW,_wcsicmp,_wcsnicmp,wcslen,GetLocaleInfoW,_wcsicmp,wcslen,_wcsicmp,_TestDefaultLanguage,	15_2_6C4C964C
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,wcsncpy_s,wcslen,wcscmp,wcscmp,memcpy,wcscpy_s,wcscpy_s,wcslen,wcsncpy_s,wcsncpy_s,___get_qualified_locale_downlevel,__crtIsValidLocaleName,__crtGetLocaleInfoEx,GetACP,wcsncpy_s,wcsncpy_s,wcsncpy_s,wcslen,wcsncpy_s,_invoke_watson,_errno,	15_2_6C43314B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: wcslen,__crtEnumSystemLocalesEx,	15_2_6C4C935F
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: _getptd,__crtGetLocaleInfoEx,_wcsicmp,wcslen,wcsncpy_s,_invoke_watson,_getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,	15_2_6C4C93A9
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: EnumSystemLocalesW,	59_2_00378096
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: EnumSystemLocalesW,	59_2_0037808C
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: EnumSystemLocalesW,	59_2_003780E1
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: EnumSystemLocalesW,	59_2_0037817C
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetLocaleInfoW,	59_2_0037219D
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	59_2_00378207
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetLocaleInfoW,	59_2_0037845C
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: EnumSystemLocalesW,	59_2_00371CFD
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	59_2_00378584
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetLocaleInfoW,	59_2_0037868C
Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	59_2_0037875F

Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Code function: 36_2_00007FF7682B20D8 ??2@YAPEAX_K@Z,GetLastError,??3@YAXPEAX@Z,??2@YAPEAX_K@Z,SetupDiGetDeviceRegistryPropertyW,??3@YAXPEAX@Z,

36_2_00007FF7682B20D8

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe	Queries volume information: C:\Program Files (x86)\letsvpn\driver\tap0901.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.cat VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Utils.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\log4net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNDomainModel.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Memory.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\System.Buffers.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNInfraStructure.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Analytics.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Crashes.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.nativelibrary.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\Hardcodet.Wpf.TaskbarNotification.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SQLite-net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\PusherClient.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\WebSocket4Net.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Program Files (x86)\letsvpn\app-3.9.1\SuperSocket.ClientEngine.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe

Code function: 8_2_00007FF6281C17D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF6281C17D0

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C448D59 _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,strlen,_malloc_crt,strlen,strcpy_s,_invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,

15_2_6C448D59

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Code function: 15_2_6C446BF4 GetVersionExW,??0exception@std@@QAE@XZ,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetCurrentThread,??2@YAPAXI@Z,??2@YAPAXI@Z,

15_2_6C446BF4

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets

Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D Blob

Stealing of Sensitive Information

Modifies the DNS server

Source: C:\Windows\System32\svchost.exe

Registry value created:

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C48D846 ??0exception@std@@QAE@XZ,??0exception@std@@QAE@XZ,_CxxThrowException,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	15_2_6C48D846
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe	Code function: 15_2_6C48D643 Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	15_2_6C48D643
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674F0730 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	60_2_674F0730
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DC7E0 sqlite3_blob_close,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	60_2_674DC7E0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674D6610 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	60_2_674D6610
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DE540 sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	60_2_674DE540
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67507510 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,	60_2_67507510
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B3500 sqlite3_clear_bindings,sqlite3_thread_cleanup,sqlite3_thread_cleanup,	60_2_674B3500
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674E0500 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	60_2_674E0500
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674A5450 sqlite3_value_int64,sqlite3_value_int64,sqlite3_value_text,sqlite3_value_int,sqlite3_initialize,sqlite3_free,sqlite3_blob_close,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	60_2_674A5450
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674CA450 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	60_2_674CA450
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B34B0 sqlite3_bind_parameter_index,	60_2_674B34B0
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DE340 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_free,sqlite3_thread_cleanup,sqlite3_step,sqlite3_reset,sqlite3_thread_cleanup,	60_2_674DE340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674D8340 sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_blob,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_reset,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,	60_2_674D8340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674EC340 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_thread_cleanup,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_thread_cleanup,	60_2_674EC340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674E0340 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	60_2_674E0340
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B3360 sqlite3_bind_parameter_count,	60_2_674B3360
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674DA300 sqlite3_bind_int64,sqlite3_step,sqlite3_initialize,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	60_2_674DA300
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B3380 sqlite3_bind_parameter_name,	60_2_674B3380
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674A83BA sqlite3_value_double,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	60_2_674A83BA
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_67500260 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	60_2_67500260
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B3230 sqlite3_bind_zeroblob,sqlite3_thread_cleanup,	60_2_674B3230
Source: C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	Code function: 60_2_674B32C0 sqlite3_bind_zeroblob64,sqlite3_thread_cleanup,sqlite3_bind_zeroblob,sqlite3_thread_cleanup,	60_2_674B32C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	331 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	221 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	31 Windows Service	1 Access Token Manipulation	41 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	121 Registry Run Keys / Startup Folder	31 Windows Service	1 Software Packing	NTDS	178 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Services File Permissions Weakness	412 Process Injection	1 Timestomp	LSA Secrets	2 Query Registry	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	121 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	361 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Services File Permissions Weakness	1 File Deletion	DCSync	261 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	261 Virtualization/Sandbox Evasion	Network Sniffing	2 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	412 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SBSLMD5qhm.msi	45%	ReversingLabs	Win32.Backdoor.Cobeacon
SBSLMD5qhm.msi	33%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\letsvpn\LetsPRO.exe	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\Update.exe	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.MsDelta.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.PatchApi.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\FontAwesome.WPF.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Hardcodet.Wpf.TaskbarNotification.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\ICSharpCode.AvalonEdit.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe	3%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNDomainModel.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNInfraStructure.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\MdXaml.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Analytics.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Crashes.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Bcl.AsyncInterfaces.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Expression.Interactions.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.WinForms.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Wpf.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Primitives.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.AccessControl.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.SystemEvents.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Mdb.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Pdb.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Rocks.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\NuGet.Squirrel.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\PusherClient.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\SQLite-net.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensions.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensionsAsync.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.batteries_v2.dll	0%	ReversingLabs
C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.core.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
nal.fqoqehwib.com	0%	Virustotal	Browse
www.wshifen.com	0%	Virustotal	Browse
d1dmgcawtbm6l9.cloudfront.net	0%	Virustotal	Browse
nit.crash1ytics.com	0%	Virustotal	Browse
yandex.com	0%	Virustotal	Browse
ws-ap1.pusher.com	0%	Virustotal	Browse
ocsp.sectigo.com	0%	Virustotal	Browse
chr.alipayassets.com	0%	Virustotal	Browse
www.yandex.com	0%	Virustotal	Browse
g00g1e.us.kg	2%	Virustotal	Browse
socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com	0%	Virustotal	Browse
crl.sectigo.com	0%	Virustotal	Browse
www.baidu.com	1%	Virustotal	Browse
crt.sectigo.com	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://widget.intercom.io/widget/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://github.com/myuser/myrepo	0%	Avira URL Cloud	safe
https://pngimg.com/uploads/light/light_PNG14440.png	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B	0%	Avira URL Cloud	safe
https://aka.ms/toolkit/dotnet	0%	Avira URL Cloud	safe
http://www.kuwo.cn0	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windows	0%	Avira URL Cloud	safe
https://nit.crash1ytics.comSC-Set-NetIPInterface	0%	Avira URL Cloud	safe
https://g00g1e.us.kg:8443/rpc/9659727	0%	Avira URL Cloud	safe
https://pngimg.com/uploads/light/light_PNG14440.png	0%	Virustotal		Browse
https://github.com/myuser/myrepo	0%	Virustotal		Browse
https://postPost142.242.204.31	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/8262720-special-settings-for-host-network-service	0%	Avira URL Cloud	safe
http://c.p	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B	0%	Virustotal		Browse
https://aka.ms/toolkit/dotnet	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windows	0%	Virustotal		Browse
https://letsvpn.world/registerterm.html	0%	Avira URL Cloud	safe
https://nit.crash1ytics.comi	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ	0%	Avira URL Cloud	safe
http://www.hardcodet.net/taskbar	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/8262720-special-settings-for-host-network-service	0%	Virustotal		Browse
https://g00g1e.us.kg:8443/rpc/9659727	1%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/articles/3401886-special-settings-for-smartbyte	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid	0%	Avira URL Cloud	safe
https://nit.crash1ytics.comTo	0%	Avira URL Cloud	safe
https://letsvpn.world/registerterm.html	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e772	0%	Avira URL Cloud	safe
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	0%	Avira URL Cloud	safe
https://g00g1e.us.kg/P	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ	0%	Virustotal		Browse
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-serv	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e772	0%	Virustotal		Browse
http://i.pki.goog/r4.crt0	0%	Avira URL Cloud	safe
http://www.hardcodet.net/taskbar	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/collections/Killer	0%	Avira URL Cloud	safe
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-serv	0%	Virustotal		Browse
http://schemas.fontawesome.io/icons/	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid	0%	Virustotal		Browse
http://o.pki.goog/s/we1/tq00%	0%	Avira URL Cloud	safe
http://i.pki.goog/r4.crt0	0%	Virustotal		Browse
https://in.appcenter.ms./logs?api-version=1.0.0	0%	Avira URL Cloud	safe
http://wpfanimatedgif.codeplex.com	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6	0%	Avira URL Cloud	safe
http://schemas.fontawesome.io/icons/	0%	Virustotal		Browse
http://logging.apache.org/log4ne	0%	Avira URL Cloud	safe
https://0.0.0.0%2F0infoinfo	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9	0%	Avira URL Cloud	safe
http://o.pki.goog/s/we1/tq00%	0%	Virustotal		Browse
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/3401886-special-settings-for-smartbyte	0%	Virustotal		Browse
http://wpfanimatedgif.codeplex.com	1%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/collections/Killer	0%	Virustotal		Browse
https://nit.crash1ytics.comG	0%	Avira URL Cloud	safe
http://g00g1e.us.kg/rpc/9659727	1%	Virustotal		Browse
http://g00g1e.us.kg/rpc/9659727	0%	Avira URL Cloud	safe
https://in.appcenter.ms./logs?api-version=1.0.0	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit	0%	Avira URL Cloud	safe
https://github.com/CommunityToolkit/dotnet	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/8262801-special-settings-for-killer-network-service	0%	Avira URL Cloud	safe
http://i.pki.goog/we1.crt0	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit	0%	Virustotal		Browse
http://c.pki.goog/r/gsr1.crl0	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9	0%	Virustotal		Browse
https://api.github.com/#	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://i.pki.goog/gsr1.crt0-	0%	Avira URL Cloud	safe
https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nal.fqoqehwib.com	99.34.124.121	true	false	0%, Virustotal, Browse	unknown
www.wshifen.com	103.235.47.188	true	false	0%, Virustotal, Browse	unknown
d1dmgcawtbm6l9.cloudfront.net	108.138.24.227	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.185.132	true	false	0%, Virustotal, Browse	unknown
nit.crash1ytics.com	223.61.70.52	true	false	0%, Virustotal, Browse	unknown
socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com	18.139.76.7	true	false	0%, Virustotal, Browse	unknown
yandex.com	5.255.255.77	true	false	0%, Virustotal, Browse	unknown
g00g1e.us.kg	188.114.96.3	true	true	2%, Virustotal, Browse	unknown
chr.alipayassets.com	222.91.58.119	true	false	0%, Virustotal, Browse	unknown
ocsp.sectigo.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
ws-ap1.pusher.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.yandex.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
crt.sectigo.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
crl.sectigo.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.baidu.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://g00g1e.us.kg/rpc/9659727	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1	false	Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/myuser/myrepo	Squirrel.dll.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pngimg.com/uploads/light/light_PNG14440.png	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/toolkit/dotnet	LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.kuwo.cn0	expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, runshelldraw_x86.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windows	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nit.crash1ytics.comSC-Set-NetIPInterface	LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g00g1e.us.kg:8443/rpc/9659727	regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://postPost142.242.204.31	LetsPRO.exe, 0000003C.00000002.2998029190.000000000F34E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	LetsPRO.exe, 0000003C.00000002.2983311972.0000000005112000.00000002.00000001.01000000.0000001A.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.61.dr	false	URL Reputation: safe	unknown
https://intercom.help/letsvpn-world/en/articles/8262720-special-settings-for-host-network-service	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c.p	regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://letsvpn.world/registerterm.html	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.61.dr	false	URL Reputation: safe	unknown
https://nit.crash1ytics.comi	LetsPRO.exe, 0000003C.00000002.2997717778.000000000F316000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.hardcodet.net/taskbar	LetsPRO.exe, 0000003C.00000002.3021368237.0000000036292000.00000002.00000001.01000000.00000035.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/3401886-special-settings-for-smartbyte	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid	LetsPRO.exe, 0000003C.00000002.3072334918.0000000068D50000.00000002.00000001.01000000.00000023.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000014.00000002.1781149519.0000000004C05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1781149519.0000000004C28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2471537574.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nit.crash1ytics.comTo	LetsPRO.exe, 0000003C.00000002.2990642865.000000000F02A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e772	System.IO.Pipes.AccessControl.dll.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000020.00000002.2475363240.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g00g1e.us.kg/P	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-serv	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://i.pki.goog/r4.crt0	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/collections/Killer	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.fontawesome.io/icons/	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://o.pki.goog/s/we1/tq00%	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://in.appcenter.ms./logs?api-version=1.0.0	LetsPRO.exe, 0000003C.00000002.3000689023.000000002F482000.00000002.00000001.01000000.00000026.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000014.00000002.1781149519.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2471537574.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wpfanimatedgif.codeplex.com	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4ne	LetsPRO.exe	false	Avira URL Cloud: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 0000003D.00000003.2621351490.00000163E22C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.61.dr	false	URL Reputation: safe	unknown
https://0.0.0.0%2F0infoinfo	LetsPRO.exe, 0000003C.00000002.2996384380.000000000F270000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://d1dmgcawtbm6l9.cloudfront.net/rest-apiedns_client_subnet=0.0.0.0%2F0&name=d1dmgcawtbm6l9.clo	LetsPRO.exe, 0000003C.00000002.2990642865.000000000F0A4000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2994883965.000000000F1A6000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nit.crash1ytics.comG	LetsPRO.exe, 0000003C.00000002.2999516217.000000000F404000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000020.00000002.2471537574.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/CommunityToolkit/dotnet	LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987269506.0000000005AD2000.00000002.00000001.01000000.0000001D.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2987886234.0000000005BC2000.00000002.00000001.01000000.00000021.sdmp, System.Threading.Tasks.Extensions.dll.18.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/8262801-special-settings-for-killer-network-service	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/we1.crt0	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://c.pki.goog/r/gsr1.crl0	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 0000003D.00000002.2966785275.00000163E2000000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.github.com/#	Squirrel.dll.18.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	FileVPN.exe, 00000012.00000000.1762414728.000000000040A000.00000008.00000001.01000000.00000008.sdmp, FileVPN.exe, 00000012.00000003.2559995413.0000000000803000.00000004.00000020.00020000.00000000.sdmp, FileVPN.exe, 00000012.00000002.2595658102.000000000040A000.00000004.00000001.01000000.00000008.sdmp, SBSLMD5qhm.msi, uninst.exe.18.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000020.00000002.2480362877.0000000008183000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	false	URL Reputation: safe	unknown
http://i.pki.goog/gsr1.crt0-	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000020.00000002.2471537574.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002764000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	false	URL Reputation: safe	unknown
https://postPost67.137.174.254	LetsPRO.exe, 0000003C.00000002.2998876528.000000000F3B2000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/we1/r1Lq4vMcD8c.crl0	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
http://www.xmlspy.com)	System.Data.Odbc.dll.18.dr	false	Avira URL Cloud: safe	unknown
https://g00g1e.us.kg/	regsvr32.exe, 00000017.00000002.1883304048.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crlw	LetsPRO.exe, 0000003C.00000002.2985679411.00000000055CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK	LetsPRO.exe, 0000003C.00000002.2984935523.0000000005565000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2984935523.0000000005501000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	LetsPRO.exe, 0000003C.00000002.2987923125.0000000005BC6000.00000002.00000001.01000000.00000021.sdmp, System.Threading.Tasks.Extensions.dll.18.dr	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/en/collections/1628560-help-documents	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 0000003C.00000002.2965823184.0000000002531000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.comhttpCode=-2	LetsPRO.exe, 0000003C.00000002.2990642865.000000000F02A000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2993917653.000000000F11C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app34/devicehttps://nit.crash1ytics.com/app34/device	LetsPRO.exe, 0000003C.00000002.2999626621.000000000F43E000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2990642865.000000000F084000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	System.Diagnostics.TraceSource.dll.18.dr	false	URL Reputation: safe	unknown
https://0.0.0.0%2F0	LetsPRO.exe, 0000003C.00000002.2996384380.000000000F270000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://letsvpn.world/terms.html	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nit.crash1ytics.com/app34/device	LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SBSLMD5qhm.msi, System.Runtime.dll.18.dr, System.Runtime.CompilerServices.Unsafe.dll.18.dr, System.Threading.Tasks.Extensions.dll.18.dr, Squirrel.dll.18.dr, System.Security.Cryptography.Xml.dll.18.dr, Microsoft.Web.WebView2.Core.dll.18.dr, System.Console.dll.18.dr, MdXaml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Linq.Parallel.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.ComponentModel.EventBasedAsync.dll.18.dr, System.IO.FileSystem.DriveInfo.dll.18.dr, Microsoft.Web.WebView2.Wpf.dll.18.dr, System.ComponentModel.dll.18.dr, SQLitePCLRaw.nativelibrary.dll.18.dr, SQLitePCLRaw.core.dll.18.dr, System.Memory.dll.18.dr, System.Web.Services.Description.resources.dll4.18.dr, System.IO.Pipes.AccessControl.dll.18.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf	System.Numerics.Vectors.dll.18.dr	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app34/deviceH	LetsPRO.exe, 0000003C.00000002.2999057700.000000000F3CE000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://intercom.help/letsvpn-world/-N	FileVPN.exe, 00000012.00000002.2596014183.000000000079A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://letsvpn.world/privacy.html	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	System.Security.Cryptography.Xml.dll.18.dr, System.IO.Ports.dll.18.dr, System.Security.AccessControl.dll.18.dr, System.Configuration.ConfigurationManager.dll.18.dr, System.IO.Packaging.dll.18.dr, System.ServiceProcess.ServiceController.dll.18.dr, System.Data.Odbc.dll.18.dr, System.Threading.AccessControl.dll.18.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b4919	LetsPRO.exe	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.61.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	expand.exe, 00000006.00000003.1747499154.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, SBSLMD5qhm.msi, msvcr120.dll.12.dr, 0a44da956e4f4348b70f90f5a63f8a19.tmp.6.dr, runshelldraw_x86.exe.10.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.comhttp://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl	LetsPRO.exe, 0000003C.00000002.2985679411.0000000005583000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://widget.intercom.io/widget/	LetsPRO.exe, 0000003C.00000000.2595550405.0000000000232000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe0.18.dr	false	URL Reputation: safe	unknown
http://c.pki.goog/r/r4.crl0	regsvr32.exe, 00000017.00000002.1883304048.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000017.00000002.1883304048.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr	false	Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2984155245.0000000005422000.00000002.00000001.01000000.0000001C.sdmp	false	Avira URL Cloud: safe	unknown
https://nit.crash1ytics.com/app34/devicechecking	LetsPRO.exe, 0000003C.00000002.2999626621.000000000F43E000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2999057700.000000000F3CE000.00000004.00001000.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2995260865.000000000F200000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000020.00000002.2475363240.0000000005A62000.00000004.00000800.00020000.00000000.sdmp, LetsPRO.exe, 0000003C.00000002.2974879264.0000000003704000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	LetsPRO.exe, LetsPRO.exe, 0000003C.00000002.2988088538.0000000006242000.00000002.00000001.01000000.0000001F.sdmp, System.Memory.dll.18.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
183.60.146.66	unknown	China	134763	CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	false
5.255.255.77	yandex.com	Russian Federation	13238	YANDEXRU	false
35.227.223.56	unknown	United States	15169	GOOGLEUS	false
18.139.76.7	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com	United States	16509	AMAZON-02US	false
103.235.47.188	www.wshifen.com	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
23.98.101.155	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
188.114.96.3	g00g1e.us.kg	European Union	13335	CLOUDFLARENETUS	true
108.138.24.227	d1dmgcawtbm6l9.cloudfront.net	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501115
Start date and time:	2024-08-29 12:48:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	75
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SBSLMD5qhm.msi renamed because original name is a hash value
Original Sample Name:	66bfca2c51b6b49c0900b8b401dba81e638ff97885418a5fdcfc95fd1d21a8e6.msi
Detection:	MAL
Classification:	mal80.spre.troj.adwa.spyw.evad.winMSI@110/330@13/10
EGA Information:	Successful, ratio: 77.8%
HCA Information:	Successful, ratio: 96% Number of executed functions: 12 Number of non-executed functions: 365
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 172.64.149.23, 104.18.38.233, 2.23.209.163, 2.23.209.176, 2.23.209.171, 2.23.209.166, 2.23.209.167, 2.23.209.162, 2.23.209.169, 2.23.209.175, 2.23.209.168, 184.28.90.27
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.comodoca.com.cdn.cloudflare.net, crt.comodoca.com.cdn.cloudflare.net, fs.microsoft.com, ocsp.usertrust.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.usertrust.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ocsp.comodoca.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, www.bing.com.edgekey.net, login.live.com, crl.comodoca.com.cdn.cloudflare.net, crl.comodoca.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 5956 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7936 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:49:21	API Interceptor	1x Sleep call for process: WerFault.exe modified
06:50:15	API Interceptor	35x Sleep call for process: powershell.exe modified
06:50:34	API Interceptor	188x Sleep call for process: LetsPRO.exe modified
06:50:35	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
183.60.146.66	KLL.exe	Get hash	malicious	Unknown	Browse
	KLL.exe	Get hash	malicious	Unknown	Browse
	KLL.exe	Get hash	malicious	Unknown	Browse
	KLL.exe	Get hash	malicious	Unknown	Browse
	KLL_1.exe	Get hash	malicious	Unknown	Browse
	KLL.exe	Get hash	malicious	Unknown	Browse
	KLL_1.exe	Get hash	malicious	Unknown	Browse
	KLL.exe	Get hash	malicious	Unknown	Browse
	lets-test.msi	Get hash	malicious	Unknown	Browse
	zx.exe	Get hash	malicious	Unknown	Browse
5.255.255.77	http://manga-netflix10737.tinyblogging.com.xx3.kz/	Get hash	malicious	Unknown	Browse	www.yandex.com/favicon.ico
103.235.47.188	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	7Y18r(100).exe	Get hash	malicious	Unknown	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
d1dmgcawtbm6l9.cloudfront.net	KLL.exe	Get hash	malicious	Unknown	Browse	18.239.15.26
	KLL.exe	Get hash	malicious	Unknown	Browse	18.239.15.216
	KLL.exe	Get hash	malicious	Unknown	Browse	108.138.187.72
	KLL.exe	Get hash	malicious	Unknown	Browse	18.239.15.44
	KLL_1.exe	Get hash	malicious	Unknown	Browse	108.138.24.182
	KLL.exe	Get hash	malicious	Unknown	Browse	108.138.24.227
	KLL_1.exe	Get hash	malicious	Unknown	Browse	108.138.24.115
	KLL.exe	Get hash	malicious	Unknown	Browse	108.138.24.115
	lets-test.msi	Get hash	malicious	Unknown	Browse	3.164.160.102
	zx.exe	Get hash	malicious	Unknown	Browse	18.239.15.216
www.wshifen.com	New Al Maktoum International Airport Enquiry Ref #2401249.exe	Get hash	malicious	FormBook	Browse	103.235.46.96
	3621103789.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://www.baidu.com/link?url=PR7h_t_ZizoWZdjSMLubWVmCX_p6239c2z0KzH4cKS_&wd=ZC5rZW5uZWR5QGNoY2ZsLm9yZw==	Get hash	malicious	Unknown	Browse	103.235.47.188
	S8faD2qee3.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	103.235.47.188
	S8faD2qee3.exe	Get hash	malicious	PureLog Stealer	Browse	103.235.46.96
	https://m.163.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://t0kenp0cket.com/zh/download/app/	Get hash	malicious	Unknown	Browse	103.235.47.188
	4.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	2.exe	Get hash	malicious	BlackMoon	Browse	103.235.47.188
	1.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
nal.fqoqehwib.com	KLL.exe	Get hash	malicious	Unknown	Browse	5.217.108.181
	KLL.exe	Get hash	malicious	Unknown	Browse	99.34.124.121
	KLL.exe	Get hash	malicious	Unknown	Browse	99.34.124.121
	KLL.exe	Get hash	malicious	Unknown	Browse	5.217.108.181
	KLL_1.exe	Get hash	malicious	Unknown	Browse	104.112.172.245
	KLL.exe	Get hash	malicious	Unknown	Browse	5.217.108.181
	KLL_1.exe	Get hash	malicious	Unknown	Browse	10.176.38.125
	KLL.exe	Get hash	malicious	Unknown	Browse	104.112.172.245
	lets-test.msi	Get hash	malicious	Unknown	Browse	104.112.172.245
	zx.exe	Get hash	malicious	Unknown	Browse	33.86.72.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	SecuriteInfo.com.Win32.MalwareX-gen.12431.9721.exe	Get hash	malicious	Unknown	Browse	183.61.168.1
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL_1.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL_1.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	KLL.exe	Get hash	malicious	Unknown	Browse	183.60.146.66
	SecuriteInfo.com.not-a-virus.HEUR.Downloader.Win32.Duba.gen.28830.27730.exe	Get hash	malicious	Unknown	Browse	183.61.243.1
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	New Al Maktoum International Airport Enquiry Ref #2401249.exe	Get hash	malicious	FormBook	Browse	103.235.46.96
	3621103789.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	sora.m68k.elf	Get hash	malicious	Unknown	Browse	180.76.142.155
	sora.spc.elf	Get hash	malicious	Unknown	Browse	182.61.27.101
	https://www.baidu.com/link?url=PR7h_t_ZizoWZdjSMLubWVmCX_p6239c2z0KzH4cKS_&wd=ZC5rZW5uZWR5QGNoY2ZsLm9yZw==	Get hash	malicious	Unknown	Browse	103.235.47.188
	S8faD2qee3.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	103.235.46.96
	S8faD2qee3.exe	Get hash	malicious	PureLog Stealer	Browse	103.235.46.96
	https://m.163.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://t0kenp0cket.com/zh/download/app/	Get hash	malicious	Unknown	Browse	103.235.46.96
	4.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
YANDEXRU	https://oh3y.ulvantiro.su/82xG/	Get hash	malicious	HTMLPhisher	Browse	5.255.255.77
	https://steamcommmuinity.com/user1298323/action	Get hash	malicious	Unknown	Browse	93.158.134.242
	Remittance 728 Norriselectric0032xslx.pdf	Get hash	malicious	HTMLPhisher	Browse	77.88.44.55
	https://lenta.ru/articles/2023/01/13/darkpr/	Get hash	malicious	HTMLPhisher	Browse	5.255.255.77
	http://tg84.leetgems.h1n.ru/	Get hash	malicious	HTMLPhisher	Browse	77.88.21.119
	https://reword-ff-garena.ru/freefire/	Get hash	malicious	Unknown	Browse	77.88.21.119
	http://www.goo.su/JpY9S/	Get hash	malicious	Unknown	Browse	87.250.251.15
	http://manga-netflix10737.tinyblogging.com.xx3.kz/	Get hash	malicious	Unknown	Browse	77.88.21.179
	ExeFile (299).exe	Get hash	malicious	Sage	Browse	5.45.240.183
	ExeFile (57).exe	Get hash	malicious	Sage	Browse	5.45.240.183
AMAZON-02US	bintoday1.exe	Get hash	malicious	FormBook	Browse	18.162.124.14
	https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg	Get hash	malicious	Unknown	Browse	18.185.191.84
	https://tinyurl.com/NDCEurope	Get hash	malicious	Unknown	Browse	18.239.83.58
	SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi	Get hash	malicious	AteraAgent	Browse	18.239.36.2
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse	52.50.50.234
	http://rebrand.ly	Get hash	malicious	Unknown	Browse	52.217.120.128
	quotation.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	13.248.169.48
	https://iam.ngscout.org/account/resetpassword?id=d05ffe24-cb73-4f03-bf4f-9e9ff83127f7&code=cc2ff9ab-5352-4ab7-90d6-7459bc6ea5db	Get hash	malicious	Unknown	Browse	54.177.56.198
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	3.160.150.40

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8174
Entropy (8bit):	5.618930920944156
Encrypted:	false
SSDEEP:	192:gru3uQl8ef+dZIwdZemumvuAi07+HuEepBo:gru3uQgdHdPuwux07+Hus
MD5:	D703C3EB0A453FEB125B21DC76AF7E1B
SHA1:	26F7F1341DEC344DAA14BBF8958307F1AD3EE58D
SHA-256:	CC2D58983DAFED4A29380F2EBF997D2E2D6D7A03C4A007E51C7E68154ECAFBF6
SHA-512:	E4F319C07DD98FDC1A4CBC559EB156EE096ABE0CF460A24011CC497672B231066DCA762D16E45571C7AE02FD75C719BAA96DD1A7026C733860B3232C3F514245
Malicious:	false
Preview:	...@IXOS.@.....@#6.Y.@.....@.....@.....@.....@.....@......&.{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}P.7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..SBSLMD5qhm.msi.@.....@.....@.....@......ProductIcon..&.{2C440493-81B6-4F08-8BAF-7B29575A145C}.....@.....@.....@.....@.......@.....@.....@.......@....P.7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}.@........bz.LateInstallFinish1....bz.LateInstallFinish2....WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@..../.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\7-Zip...@....(.&...LogonUser..user'.&...USERNAME..hardz'.&...Date..29/08/2024'.&...Time..06:49:05'.&...WRAPPED_ARGUMENTS....RegisterProduct..Registering product..

C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	318
Entropy (8bit):	4.740682303463164
Encrypted:	false
SSDEEP:	6:IPeGgdEYC5BeGgdEEFmJovkBPeGgdEEFrGvkBPeGgdEEFwn0ZkBPeGgdEEFQr4MF:ISuFAuEcJxSuEJGQSuEyPSuESr1SuE6
MD5:	B34636A4E04DE02D079BA7325E7565F0
SHA1:	F32C1211EAC22409BB195415CB5A8063431F75CD
SHA-256:	A9901397D39C0FC74ADFDB95DD5F95C3A14DEF3F9D58EF44AB45FC74A56D46DF
SHA-512:	6EB3255E3C89E2894F0085095FB5F6AB97349F0ED63C267820C82916F43A0AC014A94F98C186FF5D54806469A00C3C700A34D26DE90AFB090B80AC824A05AA2F
Malicious:	false
Preview:	Add-MpPreference -ExclusionPath "C:\Program Files (x86)\letsvpn"..Add-MpPreference -ExclusionProcess "LetsPRO.exe"..Add-MpPreference -ExclusionProcess "tapinstall.exe"..Add-MpPreference -ExclusionProcess "uninst.exe"..Add-MpPreference -ExclusionProcess "Update.exe"..Add-MpPreference -ExclusionProcess "ndp462-web.exe"

C:\Program Files (x86)\letsvpn\LetsPRO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245880
Entropy (8bit):	6.886751766290259
Encrypted:	false
SSDEEP:	6144:hZzvhs2Z4n1E7g34XtVYAOfTdxz44JsQwxU4h7:hJ+2Z4nShVY5HULUe7
MD5:	51F74B2422CA5C2E15A4FF761B9AF586
SHA1:	FDA56A51099314FE8B6490D53931877BF251EC0A
SHA-256:	4F5BD20A0C213ACFC74436E2F1987F023F5051CEA447EC558FBE5964E087035A
SHA-512:	33AF64A1431DF02CCEC538A62714E81F513DFC12233CD271D1F0946AAF2648C19C21536EEB7968A6091BFE2CC55A89C2032DBF7C61796F406362A358D839934A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..O.S.O.S.O.S.).R.O.S.).R.O.S.).R.O.S.'.R.O.S.'.R.O.S.'.R.O.S.).R.O.S.O.S.O.S5&.R.O.S5&.S.O.S.O.S.O.S5&.R.O.SRich.O.S........................PE..L.....p_............................+.............@.......................................@.....................................<.......L...............x&.......!......p...............................@...............,............................text...8........................... ..`.rdata..V...........................@..@.data....#..........................@....rsrc...L...........................@..@.reloc...!......."...x..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\Update.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1909368
Entropy (8bit):	5.908620778423276
Encrypted:	false
SSDEEP:	24576:zWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m245r:6t3UCiag6CKM2zCyZuOjJaxSS5qhy
MD5:	5C545A41DB4EAC7028AF629DCF9C12F3
SHA1:	1D38AC314CAB807C952C7B4C1D308AEC93AF71AD
SHA-256:	7B9DDBCF91F4118B701599AAF05D31BADA4921AC6C36CC685D3BBB829419540D
SHA-512:	1689E1E313DD641CB02CF798F364B2193184E10500AA2B22FB5E020F6C3CF3CFEAAB3F69D13FBB944CF1376064988F302014AA524FE16E4424EDFD8A679195EF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\letsvpn\Update.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5.p_............................>.... ........@.. .......................`......D/....@.....................................W.... ..................x&...@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................ .......H.......LU..............,.................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... .A. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(........{......{....

C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	111736
Entropy (8bit):	6.28528803677509
Encrypted:	false
SSDEEP:	1536:2ARI0MvSAA6U7ks4jhOWE8i6wrNMRjYAZlfNASZfSOi3jAwrxrT:2WMpA6Agg8ahQYAZlFnUjhtT
MD5:	12D1DA69C8A76720AD6F9103462D673D
SHA1:	7BCB9B561506391329D9E84DDE283AA4CCC6A194
SHA-256:	A35C521591DFDE563A28D856361112C9EDF9BE1429E97F238B1477F8D3BD70D9
SHA-512:	00FA49A04190984B72BB3CC734BEE879047E7A723A90F55737C99450D270D8A7197664F53E47D842B0136B5819730D3D6BF47C72512322A09153ECDD69BD9CF6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..~............... ........... ....................................`.................................a...O.......................x&..............T............................................ ............... ..H............text....\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B........................H.........................................................................{9.....{:...V.(;.....}9.....}:......0..A........u#.......4.,/(<....{9....{9...o=...,.(>....{:....{:...o?...... ..1 )UU.Z(<....{9...o@...X )UU.Z(>....{:...oA...X...0..b........r...p......%..{9......%q&....&...-.&.+...&...oB....%..{:......%q'....'...-.&.+...'...oB....(C.....{D.....{E...V.(;.....}D.....}E....0..A........u(.......4.,/(<....{D....{D...o=...,.(>....{E....{E...o?...... ...[ )UU.

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.MsDelta.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.859029658435407
Encrypted:	false
SSDEEP:	384:Ku/ZC45lzjNynsAw/98E9VF3AM+ozD4CU8:1/Z/lNAw/KENAMxzX
MD5:	D00244CE8AB8C53C97FF20D6BC01C46D
SHA1:	0DE20116EA40CEA02C54F95A9E57BC85C98325BB
SHA-256:	BA41A9E9B2438DA651D56A28EC5E62EABEC4AA7CBEDD286846CA51579FB9BAA5
SHA-512:	ADA39BF85B1F4147F3493C11158B5FD43E91C9020CFB03F3BFDF0B3EF27ECA6CDCE82B0855BCDCB931288969C1341561A1B95764A7D22038EABD4A9D9FCFC9FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.6S...........!.................-... ...@....... ..............................{.....@..................................,..S....@..................x&...`.......+............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......$!..l...................P .......................................h....X\|f.........+.j$....r.~.3i....m2.....'.\|..OZ.ep..)t?...P6c.<<Qe.M...M.0.B.(+.v.Kk!...Y.....H..7r.[(.r....J_.!.....l.0..,...............~.......j.j.j....... .(....-.s....zN.j...(....-.s....z..(....*BSJB............v2.0.50727......l.......#~..(... ...#Strings....H.......#US.P.......#GUID...`.......#Blob...........W?........%3....................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.PatchApi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.872468604750542
Encrypted:	false
SSDEEP:	192:MZ4RJdXpeNynC5c77bgfU5izh/y2sE9jBF3A5K+ohAZbIUf:g4Td5eNynsAw/98E9VF3AM+ohCRf
MD5:	9785D279139C73B24389A70F88C32009
SHA1:	C9C5A7EBA76246F8DFAFA2699E2E329BF8C5A57B
SHA-256:	5AB476C471556D402E2C60588045A09CDE8C60DE99DFD434EAC8DA7D98BAF7F0
SHA-512:	0FD6551E40269C33FE3EFD1C65D81A64A59583F129B2DBA1F37C445D30F0B9E9805D5D7DC1E5E295A8A0CED992C4148F5B71784BF6A5F2E6D3CD682520E8A289
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.6S...........!.................... ...@....... ..............................I.....@....................................K....@..................x&...`......H)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H........!..D...................P .......................................!{.`DzN?...dr..1..9..NN/...[..t...2......C.......x..YCU......=....{.9W.J......^S.N;...iY........RBA......{..u..\~..1/M..^....~....(....-.s....zJ....(....-.s....z..(.....BSJB............v2.0.50727......l.......#~......`...#Strings....\|.......#US.........#GUID...........#Blob...........G7........%3......................................................................y............... .......y.....

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14456
Entropy (8bit):	6.835710671992813
Encrypted:	false
SSDEEP:	192:4YN8BSNynC5c77bgfU5izh/y2sE9jBF3A5K+org2J0yTt/9:4YMSNynsAw/98E9VF3AM+orLnF
MD5:	4EEF74F9BD0FD122B99781ACE2BC9C99
SHA1:	CCB83448D23CFEE0D89D212D0A2C50EC3B08E3D9
SHA-256:	00D62959DDB13CA93F8BB9C5342CFDE5FB068B4E9FC86BFAA43E60F794C7964B
SHA-512:	4BD05B2B539BE65FD60E0E0B3898556D63E2E269FD3CADA830BAD555D0D53869CEFAA4AC7676FF9F57F610054779949F479C891C98E23E397823811F72AA4A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.6S...........!.................(... ...@....... ....................................@..................................'..W....@..................x&...`.......&............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H........ ......................P ......................................%.&...Fm........f...Dj..[..(...:w........s4H.. ...p.+^z...;_....~.k...\|... ..q..+.cv.VZ.A.[[\|..m.0...w.._m.<0...d-.[.R.BSJB............v2.0.50727......l.......#~...... ...#Strings.... .......#US.(.......#GUID...8.......#Blob...........G.........%3............................................................................3.....G.....U.....n.........'...................................%.7.........

C:\Program Files (x86)\letsvpn\app-3.9.1\FontAwesome.WPF.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	219256
Entropy (8bit):	7.166602453856108
Encrypted:	false
SSDEEP:	6144:yxP7/P97ilHDqO01ktQOzB4YjDnX08RYA3fP5SChB:yxPpilHD+kQA4uk8RYA3fPB
MD5:	3ADC0CBD5BBC06AC77FD89361340B2A0
SHA1:	3B258C23CF18533FC701A10AAE165B15C1A98438
SHA-256:	EA250B4BD3A99C4F1112E8DB3F2CC8A520988EDAF60452000A4E36A2C2998F67
SHA-512:	2C087823196AED97AB9561E7E631472941CE2C8A6B3764781223FCEF571D25B4C1324BAB7C644BB4924815AA49F15D6686B593953817F52C79D3BA7C07D38B83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....nX...........!.....(...........G... ........@.. ..............................y.....@.................................`G..K....`...............2..x&...........F............................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.....................@..@.reloc...............0..............@..B.................G......H........C..............D1......LC......................................F.~....o...........J.~..........o......0..E........u....-..t.......(....u....-...(............~....o...........o........0..T.......r...ps....re..ps.........r...p.....(.........(.................s....s....(.........*.0..G.............o....u....%-.&s......o....(...+(...+..,..#........o....+G.o....#........s....o...........o..........#.......?#.......?s....o....s.....s....%#........s....o....% h...ls...

C:\Program Files (x86)\letsvpn\app-3.9.1\Hardcodet.Wpf.TaskbarNotification.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	54904
Entropy (8bit):	6.147127458237624
Encrypted:	false
SSDEEP:	768:4fgAOG37OIh4Pqr8OvsQu4wwC9ZBMvAw/KENAMxQ4q:4fgng6Ie1OvI4wwC98vAwrxQN
MD5:	9450E748211F9E3937760C1A8E400597
SHA1:	9C884E07F1A8C947968705E5B1D16BAA5B054751
SHA-256:	987CDE9E0BA3E15D82F4ABBC9A4240D4D055F13CBD9EBF7B73E72BACFB018F4A
SHA-512:	84FFC0E6FD67D2B3C5EF348DCB4A9E33220BB24F851F38B0939CAA78D71728363C4FC39D319CCE9FC54A543E456B249A072A68A1E7748D1829B58322C40532E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Kn.V...........!..................... ........... ....................... ............`.....................................O.......X...............x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...X...........................@..@.reloc..............................@..B........................H........O...s...........................................................0..b............(....-P....=....s......o....o.......(.....o....o.......(....s....s............,..o.....~..............7R.......0..).......(.......(....-.#.......?..( ......(!.......0..).......(.......(....-.#.......?..( ......("...*....0............s......o.....o...........o....-...(#....X...($.....+p.o.....3...(#......($.....(%...Y.Y..+J.o.....3...(#......(&.....(%...X.X..+$.o.....3...(#.....('...Y.

C:\Program Files (x86)\letsvpn\app-3.9.1\ICSharpCode.AvalonEdit.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	627320
Entropy (8bit):	6.133740292289312
Encrypted:	false
SSDEEP:	6144:4TTh6UXqQ0l0l2b4GQnn9lXNbOpIeQjDfjJcxm04FSh+0Nsj8X+iKbH2Yjotiht:AaQ0SnPNb8IbJImZo4LPt
MD5:	17D9902B352CAE1C0361B10B75E98D61
SHA1:	85A482C13BC17191B8F9DE3FF738CB32EDFBD650
SHA-256:	E2290C155766908AD6C5EDA469EDD8AE1A038F8F61B9F11BBD99A8E526FEE95C
SHA-512:	37DAC5B0D90AE73201DE605D8AF44744DD156954B3EE1A552ABC3D5CEE8CB171DE61996098B11AE7ECE4034EBA763BA39675D40806FD96DFF96D0F1919465AB5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....L..........." ..0..b.............. ........... ....................................`.....................................O....................l..x&..............T............................................ ............... ..H............text....`... ...b.................. ..`.rsrc................d..............@..@.reloc...............j..............@..B.......................H...........<N...........a..`...(.........................................{w.....{x...V.(y.....}w.....}x......0..;........u;.....,/(z....{w....{w...o{...,.(\|....{x....{x...o}..... .7.^ )UU.Z(z....{w...o~...X )UU.Z(\|....{x...o....X.0...........r...p......%..{w..........>.....>...-.q>........>...-.&.+...>...o.....%..{x..........?.....?...-.q?........?...-.&.+...?...o.....(......{......{....V.(y.....}......}.......0..;........u@.....,/(z....{.....{....o{...,.(\|....{...

C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1482360
Entropy (8bit):	6.898865909289962
Encrypted:	false
SSDEEP:	12288:lhEeFIzTVKaNhKYsPmZ485e++hLNMyfHPsEofSpTUGQfd+5ZDMxvJONjHtJEyZPI:fEec5NcM4ppAGQV+5aTAjHtKfYqnz1
MD5:	5C8BA6EB1D1C2F078C4C812EA51E1701
SHA1:	726C3F9A314829F79B0A5B651F374FB7117EE789
SHA-256:	71A6246F2FE215800E84F6646639A83EA6254D32F016A57F6AC780FD593D294E
SHA-512:	CDE6B457678F9591F5D3BFFE19E8EF2F6E6437D16870D69B62E576C1CDD1C37F55BC48B702AEE8F6BF5579AA5AE6E9F79A19DF8550302B61558419D4CD8E3AE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............>.... ........@.. ...................................`.....................................O.......P............x..x&..........p...8............................................ ............... ..H............text...D.... ...................... ..`.rsrc...P...........................@..@.reloc...............v..............@..B........................H........w...............6..p.............................................{.....{+...V.(,.....}.....}+......0..A........u........4.,/(-....{....{...o....,.(/....{+....{+...o0...... .z.. )UU.Z(-....{...o1...X )UU.Z(/....{+...o2...X...0..b........r...p......%..{......%q.........-.&.+.......o3....%..{+......%q.........-.&.+.......o3....(4.....(5...^.(5..........%...}....:.(5.....}....:.(5.....}....:.(,.....}......(6.....(7.....J.{....%-.&.o8.....(5...*:.(

C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	22806
Entropy (8bit):	5.010006506689088
Encrypted:	false
SSDEEP:	96:liBqrIfWGJHowfGli6CkuMcuiuwuwu8ux0GReGWeGFuGgeKCUDuTeHOTu0U5e3eE:liBqr4OpPUDRTHffIC
MD5:	80CD36C1636D869834F0E3DC84E8E897
SHA1:	268B56DB4932EA4CCF94C205A555D134EBF2903B
SHA-256:	C9BE169872CC441D02F8027B07FDF00619E28BC588F1ED830FDD6888CD783E3F
SHA-512:	8A391677A4D1826F0CAEB1B7662B557FE1C2820768DB873D9101C1703CFE64E54069D624F7CA37ABED1A1DECEC5ED73EDDF4ACF3A182E5E6F3177D77F211A2A9
Malicious:	true
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="EnvConfig" type="System.Configuration.NameValueSectionHandler" />.. <section name="Production" type="System.Configuration.DictionarySectionHandler" />.. <section name="Stage" type="System.Configuration.DictionarySectionHandler" />.. </configSections>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2" />.. </startup>.. <EnvConfig>.. <add key="env" value="Production" />.. <add key="adCampaign" value="own_ssa_ty_0000_gb_11" />.. <add key="buildNumber" value="" />.. </EnvConfig>.. <Production>.. </Production>.. <Stage>.. </Stage>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.3.851" newVersion="2.0.3.851" />.. </dependen

C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNDomainModel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	21624
Entropy (8bit):	6.3340523628728045
Encrypted:	false
SSDEEP:	384:+c8KmV2K7tmrZoeSdmNNynsAw/98E9VF3AM+obqrYq:U2KZsunILAw/KENAMxmsq
MD5:	39EA05A72895A68FF966418E622786F5
SHA1:	492086492E7F8A9CBD0D18FBDE4FE08DE00C48A0
SHA-256:	8070F0581BBD344CCFF5F6B66C83DB2E82C9A5B7D84EFE44B8398E6B1CB2923B
SHA-512:	8070E947CBF1FC2EA5CD2A4F27D7ECA64C9C5CAD796766895DDA7B1AC6E0CD732EEDCB336D099208451758BE8C29BF70971ED1EA517386ECC565FD596B8A097D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....z..........." ..0..&...........D... ...`....... ...............................j....`.................................OD..O....`..................x&...........C..8............................................ ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................D......H.......P#..p ..........................................................2r...p.(......(......(....6r%..p..(....6ru..p..(....2r...p.(....6r...p..(....6rg..p..(....2r...p.(....2r...p.(....:r...p...(.....rs..p......%...%...%...%...%....(......(....6r...p..(....2rn..p.(....2r...p.(....2r...p.(....2r...p.(.....rz..p......%...%...%...%...%....%....(....2r...p.(......(....2r...p.(....6r...p..(....:rI..p...(....2r...p.(....2r...p.(....6r...p..(....*6ro..p..(

C:\Program Files (x86)\letsvpn\app-3.9.1\LetsVPNInfraStructure.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23672
Entropy (8bit):	6.435946277254727
Encrypted:	false
SSDEEP:	384:YbylDxE/VNJO1fTgQTpGb6I+WevNynsAw/98E9VF3AM+opQEe:tD4ZOWqpGuseVAw/KENAMxg
MD5:	2DC2B200E69BD42EBA5A1EFE421B90C0
SHA1:	D31914C040AD49C2E4ADE5BB0298739DF49DEF1F
SHA-256:	2A6CBB0978039DF33C8747A92232AF78DB83D1C256E75178E8804ABC7D8FB4E1
SHA-512:	0ACE0D316B9C4460930D5BD9AE0DCD190D27AA047CEF8A289657B02F0ED315D6421C9E235DB7B4E086FEAB01C2BEE872057730FF2E81AD33C42371B687F475E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+..........." ..0.............6L... ...`....... ....................................`..................................K..O....`...............6..x&..........LK..8............................................ ............... ..H............text...<,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................L......H........$...&..........................................................2.(1...(....2.(1...(....6.(1....(....2.(1...(......(....6.(.....(0...6.(.....(0.....(....6.(.....(0...6.(.....(0.....(......(....b.(1....(1...(.....(0...v.r...p.(....(.....(1...(....2(.....(0...2.(1...( ......0..o...............................................(1...~....(...+~....(...+~....(...+~....(...+~....(...+~....(...+("....(&....((...2.(1...(...2.(1...(,...J.(1....(1...(....*..

C:\Program Files (x86)\letsvpn\app-3.9.1\Log\20240829.log

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.1633881310114775
Encrypted:	false
SSDEEP:	6:C3/tN5EfrOz+mAJXm1n9qdW8VRxDLM03fYn:Cbu21sXpUULH3wn
MD5:	20BEC77790DEAC2016215E9EFE985A85
SHA1:	7328EA6133C7DB7063A57C002CE9D7466660D935
SHA-256:	30F13E72A448E08C3E813AE57775F77EF5AB736E38262970B3EF5491AFFCCD54
SHA-512:	C243607C77CB8E73523759C94B7CD1E868241DB8BB9B6B7714D0523D5E8F01E7CD6F7E6E793DE282F0AF39E4539EB38CA956014C94C0BCD7716717B9CE8E27A6
Malicious:	false
Preview:	2024-08-29 08:22:31,470 [Level: ERROR] [Thread: 3] [class:logger] [(null)]: SC-PusherHelper _pusher_Error ..PusherClient.PusherException: App key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?..

C:\Program Files (x86)\letsvpn\app-3.9.1\Log\Lets.log

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with very long lines (8928)
Category:	dropped
Size (bytes):	112621
Entropy (8bit):	6.0129595975493135
Encrypted:	false
SSDEEP:	1536:ukY32KgUT0ivbUx/lqP0PvEvTh1mZWs2nvPsqSfvsTjotYvRPvkQJnu08aF7:ZigUwiv4iPqsviZennsqKvsT11sAu084
MD5:	2A27460E4AC931F0AFA588B389427BCB
SHA1:	1304C51AECF26801C63C33C0FF3D93E16C8FC5EB
SHA-256:	057AC7794CBF3C8953C7926539B61CCFAC708B2A055ADFCA285D4F4637B2A6C6
SHA-512:	41645DD61EEFD62A64B002A9312D293300D1151C7A95687B3C06993EA62444907919177271DCEB92A5A020944D79426D8E66612BB39BDEDD5A5A0CBCD68F7D90
Malicious:	false
Preview:	TUhp7MNjuEusbT6b6h1C/Saqq/mVjkRwvpQK0MJWyVKTEBQoclnoWJ+d4Ktd0i01Xi959trA.TUhp7MNjuEusbT6b6h1C/Saqq/mVjkRwvpQK0MJWyVKTEBQocl7pUJ+t8LVCmzI6HdnqlmAY3mb/gAiugZ7BX4mPEYqEuF8=.TUhp7MNjuEusbT6b6h1C/Saqq/mVjkRwvpQK0MJWyVKTEBQoclnoWJ+i661L3DAylbS/xzQuocEMigcnzQ==.TUhp7MNjuEusbT6b6h1C/Saqq/mVjkRwvpQK0MJWyVKTEBQoclHLY9Ou87xC8iwys3qXt0XyQLqRue9wHDwcdURr6PMivvg+aU+Am+2sE60wswP8Yo0rij53rU9DP+3vwpqjr4TTyO2Lw8VRmOOg4maN9AgjKY9IPuJf0eF8ztIC+YWt8QFd/tJigSv7cc5S9DSoRAu61bJVlQE4tVmD1eA5GCrD1WqfgnAPeT4AtyvGnGGL1bsGn7tgh247PyI4r1w2wNdEwxjQBBgIswPYh9lr2bkxfjDjxfmo6+ZashyEcvInFE2Y1ty+6gU5WBGreV9AE2O4t2Vk9kwajqse2BdBtNJ/v5HRvU5q6HREJYgAQR18ru3qqVuhdZVaGeun3+cdw0C5fgPUB4HfobbLg5GemtiA+QAxGngqI2mQKfC6XFTHpZC9eP2Rnqa3Ncxn7Vdgnh8VnMPkEVJxK/LR66Gv81UHwH+J5uF50ftrM45plPaoPSggUqNkELAZTe6rfcqRYxVRgs5f3GrUC+M6CxPGbRDzW1/ak8was4SdljctFpoeD3Jn97bqKTwfmZlyII9y.TUhp7MNjuEusbT6b6h1C/Saqq/mVjkRwvpQK0MJWyVKTEBQocl7Ifdql8flL1TQyoMjT4ubbVKjuNzcZZrxocb5bzw==.TUhp7MNjuEusbT6b6h1C/Saqq/mVgEFwvpQK0MJWyVoX+8YxsMc++QjiHhuHYNaERAwt0KC

C:\Program Files (x86)\letsvpn\app-3.9.1\MdXaml.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	121464
Entropy (8bit):	6.233730372896347
Encrypted:	false
SSDEEP:	1536:W0OQlavbPZKNK9hhmPZEMn5xGFE45N+cX8fZzd97WWhT5wNSAQr7YTFoVaoOT8TH:Wb5vb/lmhMNGzWWhTdTK5N8shG
MD5:	2D8469AD585539DFEDE7D16DAAB54B76
SHA1:	B78BA06947083DDF48A4795A5C688D271DF11370
SHA-256:	3E0F0E9D6B0F99E38F93E6C4BB7731D9D6EB00470132BB00E61862E8F6F43389
SHA-512:	820E359FF327426528B949FC1CD47B2A48A1AF6900136B0C27AAA8775DFFF1AB99FFA9636C632653FA129BDB92AD71FAB9C3BB5F436391965B2F25E78E5A9203
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....w..........." ..0.............R.... ........... ....................... ............`.....................................O.......................x&..........4...T............................................ ............... ..H............text...X.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................3.......H........z..@...........,D...............................................(......0..l.......r...p.s.........( ....o!......s"....+%...n...%....o#.....~............o$....o%...%.-....,..o......,..o...........$.3W..........Ea......f~....-.(....~......o&.....{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{ ..."..} ...F.~!...('...t....6.~!....((.....{"..."..}".....{#..."..}#.....{$..."..}$.....{%..."..}%...*..{&...

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Analytics.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23160
Entropy (8bit):	6.540221612523894
Encrypted:	false
SSDEEP:	384:xH9ooU6Xrcnt9sXZ0WQb+Jx4veT6pmj7tkWUVMW9NynsAw/98E9VF3AM+o+Kuazu:xH9oR6XScb7Fj7t6FAw/KENAMx+G6
MD5:	324BD1B27A5B35D5C29902628416C8AA
SHA1:	5D70170A74FBEB9BD5CBB369733C668BDD6B2A50
SHA-256:	41A5C0CD47BD38B418E56B75907B2282C9DA2821F6B1B27EFA663A42D8118CE3
SHA-512:	4EA8A515E625D39B4459D8AC411D31B4A71664B27180AF39DC06DFCE93B27809A1D0DDC96005673FC10015C8A115DCE54CF05D544E15901986373B692C7877BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.q..........." ..0..,...........J... ...`....... ..............................Gc....`.................................UJ..O....`...............4..x&..........@I..T............................................ ............... ..H............text....... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B.................J......H.......`...............................................................0..H.........~....,...~....~..........(......~....%-.&s....%...........,..(..............#<.......0..%.......~..........(...............,..(.........................0..........~..........(....(....o....(...+....,..(.................".......0..0.......~..........(....(.....o.....(...+....,..(...............$.......0..).......~..........(....(......o.......,..(.........................0..C........(..

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.Crashes.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	51832
Entropy (8bit):	6.22522289723924
Encrypted:	false
SSDEEP:	768:Vqr8YZ2IPJ1hCmfPzcscksOOWwp/fFCHUHGoH0w8eKYIySh6THAw/KENAMxL:V3aJBOkAHaUm08eKYIITHAwrxL
MD5:	D85C6DFC9C453249A35EA3165699048B
SHA1:	5D59A24734710587E2948985EBE2A51A8579883E
SHA-256:	B4F141A9F6C30B666AA77C9F8758DE80EC06362FB5DD9A5DA4558702AD55BAF0
SHA-512:	5D8D09CCADEE9868DDAAFBCAC1AFAA6C3F3296FE18ABD250E3ECED26E596F202E54B452E1D905A1DC6D0812C4BC76A05D038E5BFE118982073C649CF52BCAB86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............." ..0.................. ........... ...............................Z....`.....................................O.......................x&..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........D...t..........................................................&...(....2.r...p(......0..'.......~.........(....t............(...+...3...0..'.......~.........(....t............(...+...3...0..'.......~.........(....t............(...+...3...0..'.......~.........(....t............(...+...3...0..'.......~.........(....t............(...+...3...0..'.......~.........(....t............(...+...3...(.....(......(.....(.....(.....(.....s....zr.-.rM..pro..p(....*..

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.AppCenter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	141944
Entropy (8bit):	6.008110944183994
Encrypted:	false
SSDEEP:	3072:SXiDdWM0c7K9ES99d3+uVIQNlHK6Uav1vP8F6NhT:NdWM0cW9EONvHKwvP8FEhT
MD5:	57E7346C3DB78320D869494257961565
SHA1:	A5F933219F23765DCB61A7A503BBC24251C81774
SHA-256:	FCC627695D80BC1BFD29B647E8BCCEDFC386F725BA5D305507503BA402DC3359
SHA-512:	F65EF68727557C265BF885F2C2642A8FDFE22FE05DC3B34043389EF0C805CF53D6FC0EB1B63CB51AA60E5D277F032143F528D7AF29FB0AFABD65BADDD78A15BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....gu..........." ..0.............f.... ... ....... .......................`............`.....................................O.... ..\|...............x&...@..........T............................................ ............... ..H............text...\|.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................H.......H...........PR...........................................................0..H.........~....,...~....~..........(......~....%-.&s....%...........,..(..............#<.......0..%.......~..........(...............,..(.........................(g.....(h.....,..o.......(e...r...p(n....(......0..#.......~..........(.............,..(.......................0..#.......~..........(.............,..(.......................0..........~..........(....(....o....(...+....,..(........

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Bcl.AsyncInterfaces.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22648
Entropy (8bit):	6.619772690177469
Encrypted:	false
SSDEEP:	384:n/9b512C4dABe070VJI0Ftdalemxxf34wqsWeb/WjDNynsAw/98E9VF3AM+oj6wj:n/f1IDjV9UPPpW5Aw/KENAMxmQ
MD5:	3DE48A118BDC2D412B809856DF21D21E
SHA1:	BC3CD1FD5F059A2B0836DCAD5D713B5086F23DC7
SHA-256:	E97FE5DDFABE071448D3226877FDB867AD2B63B32CFD971C9308355AB6956556
SHA-512:	D407BE688A062D98102B89A53F8427B035D81FD4E92244FDD27B406B12A06FBA3F1B5F31CC7451B14145527F2ABC8AE4A944F4D28EE39CA255CB1E4CC351D3D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Q..........." ..0..&...........E... ...`....... ..............................73....`.................................[E..O....`...............2..x&..........hD..T............................................ ............... ..H............text....%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................E......H.......4&.......................C........................................(......(.....0....................(....}.....6.\|.....(...+:.\|......(...+:.\|......(...+2.\|....(......{....%-.&.\|....s.....(....%-.&.{...."..(....>..}......}......0...........{....o........{....(....Z..}......}......}....N.{......{....s ...N.{.....{.....s ...v.{.....{....o!....{....s".....(...."..s.....0.....................s#...&...s#.....{$..."..}$...*.0..F.........{%....Xh}%.....}&.

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Expression.Interactions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	101496
Entropy (8bit):	6.10364057240709
Encrypted:	false
SSDEEP:	1536:Arf5GttgxHXEuRmG5rtkGY4CEmWAxXSSYhhS98ca2Wvsd65FJDlGWwkEyTAwrxem:05GttWHXEUx5r65LxXshk8JDIWPThAm
MD5:	2D56A82CB3839B47776190E5DFF73B5C
SHA1:	81FE8FEDB7E38C6D85C39443141BA96450F581B0
SHA-256:	DD7885ADAF4A3B48B75150AFC111570BFF4D75767FC4BB522B22BBC12F22A1FC
SHA-512:	6928713E61475E2B6D7DFF0C69E4D19757418BD297B48D1DD834EF88C47295D37BAFD439F814DD95B6852EF16C7FF8DA0B15A37ED34E83280D07912DF1A53A17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eu.K...........!.....\...........z... ........@.. ....................................@..................................y..K....................f..x&...........x............................................... ............... ..H............text...$Z... ...\.................. ..`.rsrc................^..............@..@.reloc...............d..............@..B.................z......H...........L...........x...1...P ........................................z...y.k.....bdd I..`..).PsR@... .aL...%:...y.....XDgM.X}..~)2.v-..4..........EAZZ...,..[..H...o5C.o...5/I.m.!2...#.:.(......}....:.(......}.......0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3."..(...."..(........{....,..{.....o.....{....o....2.~....(....6.~.....(....F.~....(....td...6.~.....(....J.(.....s ...}....*F.(...

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Core.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	144504
Entropy (8bit):	5.770706132135282
Encrypted:	false
SSDEEP:	3072:mSiitDW10Oug94BeCCepM1STU/xnW+W6jfM0amyw0VzGLC1grekKtk0do/9o8af9:tiNang9meCCepM1ST+xnW+W6jfM0amy5
MD5:	130173CEE3B8744126686834E6DAC9A1
SHA1:	72F6969EE082D722324765BBF9C24A0F8B381FF5
SHA-256:	37EE5E64020B7E21A9E5466D247B5EBEB0273D67069EE4999DF794BA9E392F13
SHA-512:	2DFA6F87C9CACC898B9B3AA8B1734B7F740C26602F2C1F7F08626DBCAA0D1260CD5A794088CF3AD720A32B6D86A1263BF20E8DF6D99D86EEEA22D0D5318E8A28
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vJ.`.........." ..0..............$... ...@....... ..............................<.....@..................................$..O....@..................x&...`......T#............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H........q......................".......................................0..H.........(....o.........,....+..{.........,....(....o....s`...}......{.....+...0..a.........(.........,R..(....o......uQ........, .sd.....uQ........{....o6.....+...r...ps........og..........0..>.........{.........,%....{....ti...}.........ru..p.s)...z..{.....+.............$......&...}....z..}.....(.......}.....(.....>.(....o.......R.(.....-..+..o........0............(....o....(.....+..*R..(..

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.WinForms.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	29816
Entropy (8bit):	6.46425346800302
Encrypted:	false
SSDEEP:	768:aLNoCdzhFQj/hJTBbGXZDDcULH4JVrwRSgBucQgJa5/Zi/dUDyqz1POMreAw/KEy:aLqCHmTxGXZDDcULH4JVrwRSgBuvgJaJ
MD5:	0AD23FD64A5B39EA1BBD9C0B513F5964
SHA1:	888BBE5DC20AA24E2B7B79769E66494F21F6C5A5
SHA-256:	D16B2201AACCE95A53BD563D4EDCDC2AB5DC5A408DB84020315C7FAC03A7FB5C
SHA-512:	B998D415973E0B205DAFF16F50E93DFA8FA290FB7B0E94A4A798D0A48F5FD5541A6E62F0B3C3321A0A40E5D094DDECC71547CCB12729522E63C4E3E6E125503D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dCd..........." ..0..D...........b... ........... ...............................A....`..................................b..O....................N..x&...........a..8............................................ ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc...............L..............@..B.................b......H........0..h0..................Da........................................(......{....>..}......}......{....>..}......}......{....>..}......}......{....-%..(.....(......(......s....(....}.....{....r.#.......?}.....(.....(I.....,..(....,..(....,..(.....{....,..{....o......(.....0..................s....(............s....(.....(.......?...s ...o!....(.......>...s"...o#....(.......A...s$...o%....(.......@...s&...o'....(.......B...s(...o)....{.......C...s...o+....{....

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Web.WebView2.Wpf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32376
Entropy (8bit):	6.459125673193438
Encrypted:	false
SSDEEP:	768:0nD8wecsVygSvqa8ZDPLryER0SO4JVrTYIWUpDkS/Ka5/Bi/W7v4F4zfKw/Aw/K5:07eN4vqa8ZDPLryER0SO4JVrTYIWUpDi
MD5:	B116ECDF00A5A8881DAC4CDEEE8FA953
SHA1:	68545E28EDB89FC5E3C54D9EEBE0DA4B4FF18324
SHA-256:	8CE83243196096B572264815097E2DC575855C2174D302849DF8B3D88D47B877
SHA-512:	5FEDAE5A92E817EBDBC5A0292ACC667C67A14670403FC2437CADDF703F9736ADF06CF05F76D0B49F4ECB8D1CD60054B32C840DFE5B1F8DE04A02D1052DC2B342
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]............" ..0..P...........n... ........... ...............................\|....`.................................Gn..O....................X..x&..........xm..8............................................ ............... ..H............text....N... ...P.................. ..`.rsrc................R..............@..@.reloc...............V..............@..B................{n......H........5...7...................l........................................(....F.~....(....t:...6.~.....(....F.~....(....t:...6.~.....(....F.~....(....t:...6.~.....(....6.t.....}......{....-%..(.....(......(......s....(....}.....{......0..........r...p.:...(.........(............s....s....(.........r1..p.:...(.........(............s....s....(.........rO..p.:...(.........(............s....s....(.........J.s....}.....(....F.~....(....t....6.~.....(....*V.t....o....,

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.808545006671888
Encrypted:	false
SSDEEP:	384:JN9VWhX3WJNynsAw/98E9VF3AM+ojjaJH:7GgAw/KENAMxql
MD5:	D3F74FB6913142C26441F8F83003D36F
SHA1:	8899F14A279A266353BD99719ED764013CDA074F
SHA-256:	8A87B49AE4A54FE2A4EA66061A5734ACA65487B1C3D69DAE2BFFDD876E49A2DB
SHA-512:	D8682E00F6041D8DBA1CB2B0E6D939F9533233102DE377AAFA00B15B6F8BDC7B285F0EDAAEB314DAD9CAD903A243ADB39AFA7BE795A59B3432A390DCF1ED97C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@..0...............x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...\|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.AccessControl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20600
Entropy (8bit):	6.638769528902698
Encrypted:	false
SSDEEP:	384:9Sk7xWUHIx0S3WF7rWoNynsAw/98E9VF3AM+oMy8DwR:9/0UHU0SOjAw/KENAMxi8R
MD5:	4C905EAEAD923DA5090E77F2BE2A2650
SHA1:	1F3047F1F16EA54C5666CF30E79EF73F5DD5DEE1
SHA-256:	CEF7F831FDE775B891B44D7E3363B285F7BECE824478ED5ACB1F947F8D024E04
SHA-512:	87850E041168A06A47FF844EC07357E4C06CD95858CCA3343FE05698508D7CC29B40A7EF045B82A83DEE086F4CD06C1725F9B5D2998A06C6193C75B8EC04C627
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.2..........." ..0..............=... ...@....... ....................................`..................................<..O....@.................x&...`.......;..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B.................<......H....... "...............8..(... ;........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}....:.(......}......{...."..(...."..(...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....*V.-.r...ps....z

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.Registry.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	27256
Entropy (8bit):	6.340837593862486
Encrypted:	false
SSDEEP:	384:I4nLpSumfSQrlHViaCZYvLPQmlJLfjnWn6GWnNynsAw/98E9VF3AM+oPxesZ:I4QVrxViR9mlxd1Aw/KENAMxssZ
MD5:	AAF3685B2B7AE973D85EB8A6C9E26EA7
SHA1:	0A59606C7C887765E30D70CD0716A28F4BFC60C3
SHA-256:	D91DA2F186704061E3F5C299E008DACD63770D6E97646106A601FC433D0D8FC6
SHA-512:	01128BF2628910E4C542913BC255CF61E22A2B1A23B97A040D445CB4D557A4384976DC98AF08133DA40A90F79935092B650EF5B695C1533276B67C2995DEDD3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j............" ..0..:..........jX... ...`....... ....................................`..................................X..O....`...............D..x&..........$W..T............................................ ............... ..H............text...p8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................LX......H........$..8"...........G.......V.......................................~......0..1.......(....,..%-.&...(.....o.......&...,...o....,.......................(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%....(..........(

C:\Program Files (x86)\letsvpn\app-3.9.1\Microsoft.Win32.SystemEvents.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23160
Entropy (8bit):	6.540699910710379
Encrypted:	false
SSDEEP:	384:rdIaf4rbDyIb/KcWCNRWr7JW9NynsAw/98E9VF3AM+oC6pN:r+THDHbs6GGAw/KENAMx3
MD5:	2E997165A604388759AF0D6F5F83FAA3
SHA1:	386B531B704B2DF75A2B048C7C88E99BDD6F50BF
SHA-256:	292AC965EF3994D7DA5D80E399A7525CFE80CD2B5DD4427CA6197634589779DB
SHA-512:	77148F7BC0566D4BC25E4C98D68E3E0633F1708EFCD62E567D99A470496FA09DEB01D439629F58BE9DA98C0320AA8BE362A9F217502F6CA9D8C78BDBD9A8031E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8............." ..0.............H... ...`....... ..............................Bv....`.................................yH..O....`..d............4..x&...........G..T............................................ ............... ..H............text....(... ..................... ..`.rsrc...d....`.......,..............@..@.reloc...............2..............@..B.................H......H........$...............A.......G.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Mdb.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52856
Entropy (8bit):	6.213811437693105
Encrypted:	false
SSDEEP:	1536:Ir59g98C87KHeBUbwgKirbdwMRTzAt9lYAwrxJ:Ir5HC87rUbwgKirJw1DlYhv
MD5:	DF15FC36C496646D5FF01D591FBD790B
SHA1:	10E2C72ADEF0F3A9A47EE463A5DDD644235D9F42
SHA-256:	A4A1E9CA86C45B28FEA8AE26A28959B81DDE152101C7CB8894A0A6D7372D1042
SHA-512:	BCB020CF11213FBC6E16CAA71ED47511AAD0BE6EAF8CBCE470C3D75DE6211548EDC3809028AF2DABFC3D76A30FA256A141ACB639276F77259E87DD8D1476EF78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u-..........." ..0................. ........... ..............................I.....@.....................................O.......`...............x&..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B.......................H........a..x\..................@.........................................(....:...(....(....&...(...."..(...."..(...."..(......(.....0..,........o....o......o.....jo.....o.....o.....o......s....}.....s....}.....s....}......2}.....(.....s4...}....b.{.....o ....{....o!...b.{.....o"....{....o#...6.{.....o$....0..-........{....,.s%...z................s.......(.......{....,.s%...z.{....-..s&...}.....{......sS...o'.....{....,.s%...z.{.....o(.......oU...*..{....,.s%..

C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Pdb.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98936
Entropy (8bit):	6.382461760870499
Encrypted:	false
SSDEEP:	1536:1U2qJ+RazRt/Kc4oJiOxFR4NdJF0/RfhF46HAoYKHgPzpS6w7fa1C9rdAwrx:22MRtrfrR+Pe/xAiAzpQ7y1C9rdh
MD5:	20A0EAC4B8049ACC51471F36506FD060
SHA1:	5A76F21257FCF084B07E656A8AD8A3427F4EF2DB
SHA-256:	F91038C26BC3434D8691B67185DB95DD13889FFD6739335EB05D8D308516B7BB
SHA-512:	A2202074FE7970D7F5A8B04249F42E4CB672B6DA6F37889ABD1597F836CE4B32FAA05F6067A10ED43AAC7D80A17F036FAF5E5775AC10C49965A10E641CB50464
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rd..........." ..0..T...........q... ........... ...................................@.................................eq..O.......`............\..x&...........p..T............................................ ............... ..H............text....S... ...T.................. ..`.rsrc...`............V..............@..@.reloc...............Z..............@..B.................q......H.......<s.......................p......................................:.(......}......{....-...{....(.....{......o......{....-...{....(.....{......o........0..a........s....}.....s....}.....o....o.....+(.o......{.....o.......(.....o......(.....o....-....,..o..............".4V.......0..J........o....o ....+"..(!.....{.....o.......(.....o".....(#...-...........o.....*........../;.......s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$...z.s$.

C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.Rocks.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	37496
Entropy (8bit):	6.4021578680286995
Encrypted:	false
SSDEEP:	768:j+meiCyrXOwS8uRssveum1peFLHFBbOuAw/KENAMxK3:iyrewFassveuPbBCuAwrxK3
MD5:	25A028BCCC12613D0B827FBA2BD3DDFE
SHA1:	264B74C2F99F51EE10FABD4F29BB3238D734AB59
SHA-256:	0AB5D52D31BE358EBC9A896D1AC1CA581CC2908359BFCF99EA96E5A0264C3552
SHA-512:	9A1BCE9E6C80DAF2655D091BB8AEDDC25C2E2F528BE4027ACBF7515DA6D65A417E86FFD369628A8BB2027E6E10DC0DF1678C8443CC4F3BFC464FCB9A786B838B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i............" ..0..d............... ........... ..............................;M....@....................................O.......l............l..x&..............T............................................ ............... ..H............text...4c... ...d.................. ..`.rsrc...l............f..............@..@.reloc...............j..............@..B........................H.......,A..\@..........................................................J.(.....s....}......F.(......E.(....z.{.....To.....:o....&...(.....0..a.........M.(.....o....,,.{.....`o.....`o....&.{.....o....o....o....&.o....,...o....(.....(....,...(......-.r...ps ...z.o!...,%.o"...r...p(#...-..o"...r#..p(#.....n.{.....~o....&..o$...(....z..P.(.....o%...,...o&...(......{.....(o....&.........s'...(...+.{.....)o....&*..0..3........o(.......YE........3...........m...&...`...

C:\Program Files (x86)\letsvpn\app-3.9.1\Mono.Cecil.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	354936
Entropy (8bit):	6.236264310384278
Encrypted:	false
SSDEEP:	6144:9FzzF5VOCxfiKKhsw4NiL0XRzx9WoCklyusQht:ndfiKI4RzWSyuTt
MD5:	90AB64612D1CABF23E7D9586F9906A75
SHA1:	80E426E69F26DD25E0FB2AD5733FC25455E0C022
SHA-256:	4EB7460FAF38346F2EA68C520431AF6848A1F1E23747987711F9395F2CB01125
SHA-512:	7851576907A696F71FEF6528A7684B4BDB2724BCA3D6DBFDF515C75BACCA45BCF987723AED500111CDECC3E15212099C64501EC53D49005B5DFB8A19EC34B750
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.}..........." ..0..<...........Q... ...`....... ....................................@..................................Q..O....`..H............D..x&...........P..T............................................ ............... ..H............text....:... ...<.................. ..`.rsrc...H....`.......>..............@..@.reloc...............B..............@..B.................Q......H........b..@...................DP......................................"..s0..."..s0...>..}1.....}2.....{1....O...,..{2...,..{1....O...o&...2..O....3...6.r...p.(4.....(5.....}6......i.O...}7....{6....{7.....i(8.....}9...2....i.(:...>..s;.....(<...V..{7....{6.....(=.....0..1..........Y./....X.[......(=.........(=..........(>.......0.._..............+P.../5.../..{9......O......O...o?....0.....%.X..O....O...+.....%.X..O....O.....X....2.*z...X...b...X...b`...X..b`...

C:\Program Files (x86)\letsvpn\app-3.9.1\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	709752
Entropy (8bit):	5.958971377429236
Encrypted:	false
SSDEEP:	12288:RBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUa2m:RBjk38WuBcAbwoA/BkjSHXP36RMGvd
MD5:	98ED0AA301DE411AE32E86155E17AF93
SHA1:	350459EB87F437FBB572048846C0762B740578B8
SHA-256:	FABF78F3D9244713379745D2781F0F358371EDE8D384D1C398FED04D0E604CF1
SHA-512:	47C6D79814957EA3290891AD0D6207E1E9E02F5954654D05120481C078D6C2B07B03583FDEBAE80E2C998847F939F98F91F04824BAA0985031207C17DDF2CFAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................x&.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{\|....3...{{......(....,...{{.....{}.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Program Files (x86)\letsvpn\app-3.9.1\NuGet.Squirrel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	519800
Entropy (8bit):	6.039228457766847
Encrypted:	false
SSDEEP:	6144:ERKflaWVRA6+LX9c1t3HpbOmhYIeDUQjcaPlq1fQx7NqEaElDp3sL2blV/VyUd9z:ERt6+A1pbOsBQAa4f0pWSbb+1ikM/
MD5:	136866113A4EEE285A9372E8916CEC0B
SHA1:	1525F64AB1945D2CD2768723201FAB3E16461C38
SHA-256:	7A0CFB5FEA696DF44AF904E1B10B6452D1317E678348E80DEEC61815F4A9DF05
SHA-512:	2BF5CA0DACEDBBBBB732146FDFB5BB59FE7F2A531A7B667D941473037B87A6C8486A3DA920BD3972F7A1861F26D05CB21DDDD50417341CC6EC977ABF3D1CE304
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....p_.........." ..0.................. ........... ....................... ......z(....`.....................................O.......................x&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Xw...............r...i............................................{E.....{F...V.(G.....}E.....}F......0..;........u1.....,/(H....{E....{E...oI...,.(J....{F....{F...oK..... .... )UU.Z(H....{E...oL...X )UU.Z(J....{F...oM...X.0..b........r...p......%..{E......%q4....4...-.&.+...4...oN....%..{F......%q5....5...-.&.+...5...oN....(O.....{P.....{Q...V.(G.....}P.....}Q....0..;........u6.....,/(H....{P....{P...oI...,.(J....{Q....{Q...oK..... .2;. )UU.Z(H....{P...oL

C:\Program Files (x86)\letsvpn\app-3.9.1\PusherClient.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52344
Entropy (8bit):	6.240716378458609
Encrypted:	false
SSDEEP:	768:p2xghQUndJrmbnJAM6LjB4Mz5k+/FdS0/MuLs/09P24Aw/KENAMxaXt:pGghQaJiFAMAhH/Dw/09O4AwrxMt
MD5:	20CAC785EF6EBAF5D79A9E95FDAB385E
SHA1:	3E2AA4950B599805C9E411F9D611D6CF50F67155
SHA-256:	B9D894DD30D7EAE6DF0DCDD91A23F3162AA48DEE70024D81D343AC6268B41A3F
SHA-512:	0FAAD8DED9D2D4875DAC9D919BE8A8A75032B74E52D9FB32A2D216099E9B09FE4CBDA0827F89005E8578EF2B152F4277A76C908F608AAC2A9D0366695DAC0F1B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0................. ........... ..............................-.....`.....................................O.......D...............x&..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...D...........................@..@.reloc..............................@..B.......................H........M...o............................................................{......{......{....r.(......}......}......}........0..S........u......,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o.......0..K....... ..,. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X..0..{........r...p......%..{.............-.&.+.......o ....%..{.............-.&.+.......o ....%..{.............-.&.+.......o ....(!.....{"...:.(......}"......0..#...

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLite-net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	103032
Entropy (8bit):	6.180572600260306
Encrypted:	false
SSDEEP:	1536:OdAKzGN0ifSJxFlm+FpoHloqUIdmJlllf07gllfUzb1kUyN1e/rWhsCMbdynB5AL:Abcl5mJlllf07gllfUzb6W/+b+O5hA
MD5:	AFF09B361B77DC254938FE65C1402C51
SHA1:	7B3C558CF45C7C70268BC884D1C0EB5DCFC292CC
SHA-256:	517A320A5AEA68B6983E7A6A90C689CB5DB597D4F30CC472F0480D011420AB95
SHA-512:	5B9D9A5807308EC19532A3DF8CAE16F3458FC3D2268733F5EB936C53CA250B9F52549E61A6B29AA8BA1184DFEDAD3E77A9DB8AF2C075E2E93372FD6947C4259C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#............" ..0..b..........&.... ........... ....................................`.....................................O....................l..x&........................................................... ............... ..H............text...,`... ...b.................. ..`.rsrc................d..............@..@.reloc...............j..............@..B........................H.......@...x.............................................................{...."..}....>..(......(...."..s......{...."..}..........(......0..?.......s........}\|......(.....,%.{\|...,...o...........s....(...+(...."..s....*....s....R.o.....o......s......{...."..}......{!..."..}!.....{"..."..}".....{#..."..}#.....{$..."..}$.....{%..."..}%.....{&..."..}&.....{'..."..}'.....{(..."..}(.....{)..."..})...rs................. ...(......0..................

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	47224
Entropy (8bit):	6.173630295497463
Encrypted:	false
SSDEEP:	768:YqRdLDFPhe5rHMgWVCMlh8Xlrmyac4yPeZrZ3QAw/KENAMxUK:YqRdL3e5rHMgWVTnyac4oeZrZ3QAwrxF
MD5:	AEA133855A28D8E2EF01EAFEC482D7DE
SHA1:	311C9FA4D8E346A2D03201A3476CD2A17D98CAD9
SHA-256:	2B020576424302B8B4D0F2A78719F388308774D85A26F2F59AF291191B27742F
SHA-512:	CC0D2C1895D32BAC6D0D22DAA8C72DCBC6CE860957BFB6BC17E83140195487E63427BBD079D4867CD44AD8DD1F7F83A7E704119053BE8AA1671503D66F6D136B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:. Z.........." ..0.................. ........... ...............................E....@.....................................O.......L...............x&..........\|................................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B.......................H........K...Y............................................................{......{....V.(......}......}.......0..;........u......,/(.....{.....{....o....,.(.....{.....{....o...... ...E )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(......{...."..}......{...."..}......ra..p......%...%...%...(....( ......0..M........o...+..,...

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLiteNetExtensionsAsync.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23160
Entropy (8bit):	6.489432143863481
Encrypted:	false
SSDEEP:	384:s90wriHD7R3d4Q5ENmiL31SAAh1OSxJJssUJqgG/232nd4l4ue8NynsAw/98E9VA:Q0w2j7R3d4Q5ENmiL31SAAh1OSxJJsst
MD5:	A93F89B94C1E312406A26C433446F0CA
SHA1:	DC936543133145CE80656311A0635E0B5CBE62A5
SHA-256:	7004ADF3B4C968350E15C061CB0F6E2F10CA3AC1C1B05E7E61CE2F171A5E6C56
SHA-512:	E15322F2AF8979E916261F385138DE41632E52553BEE17B6DB56C70B38D2B7007E13633C82BE9B7BAC3904E9419C46C8AEDA7CE5AAFD3C9E6569E6A67E266FCA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g..........." ..0.............H... ...`....... ....................................@..................................G..O....`..\|............4..x&...........F..T............................................ ............... ..H............text....(... ..................... ..`.rsrc...\|....`.......,..............@..@.reloc...............2..............@..B.................G......H.......8)...............................................................0..:.......s.......}......}......}......}...........s.....{....(...+...0..:.......s.......}......}......}......}...........s.....{....(...+...0..:.......s.......} .....}!.....}".....}#......$...s.....{ ...(...+...0..:.......s%......}&.....}'.....}(.....}).........s+....{&...(,......0..B.......s-.......}......}/.....}0.....}1.....}2......3...s+....{....(,...F...(...+...(...+*.0..B.......s5.......}6.

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.batteries_v2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.728423808043774
Encrypted:	false
SSDEEP:	192:yvyW1ESCmPkcpu3NynC5c77bgfU5izh/y2sE9jBF3A5K+ouJJkzqQpn38:y6x4u3NynsAw/98E9VF3AM+ouJ5un38
MD5:	D01D6652FFDFF78B8B00D5D1EDF0D179
SHA1:	C49F64ED0A6115C5A7FB6C885614DC3FCDAFA427
SHA-256:	50EC6C706D423DD7C70948D632DE2B3C159627D3412F86C9ACF095A3E61416A6
SHA-512:	099D09CF81B02D83E7B8EFC0B027BD50DDF79B0F73DC3A493D79F0D5B1C6BA605A8156CCA77922C5978130AED7288FF9927D64B25A806B4B2AC389320F992DC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............,... ...@....... ..............................:v....@..................................+..O....@..X...............x&...`.........T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................+......H........ ..<...................(.......................................(......0...............(....o........(....s.......0............(.......(....s....(....2r...p.(....:.(......}.......0...........{.......(....,..~....*BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID.......p...#Blob...........W..........3..........................................................9.........[...............................c.....c...{.c...>.c.....

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.core.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56440
Entropy (8bit):	6.23786896068277
Encrypted:	false
SSDEEP:	768:t0GhwEvUmz5IR5tUe9CiXmEkzKeGIsNif11gNsNj8cIjqabmAw/KENAMxLH:NlIR56kCckz2DhiNIchabmAwrxLH
MD5:	AB8D9D14CFD678C80D6F9C9FD5969F86
SHA1:	0D6E77686805C8A68F4C0A463C9880A605D11336
SHA-256:	8636C15D6F4BF795809E04FF396100AB136F33C8ACE1FE19E824C352C8F580E0
SHA-512:	4AA8596D2C9FBA22FA5B71E6B4020518DAE9F930759CA8F914BB6C1BA3DDB6876F2E7D288257BD9CC571C51D958BDEE0736C61DE4CF12FFDAA16C11E057FD197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d............" ..0.............B.... ........... ....................... ......s.....@.....................................O.......(...............x&..............T............................................ ............... ..H............text...H.... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B................".......H........=.....................t.........................................(......(......(...........Z~....,..o...&.............b~....-.r...ps....z~.....(#...o ....0..........(#......o!.....(....Q6.(.....(%....0..........(#........o".....(....QR.(.......(....('...:(#......o'...N.(.....(.....()...2(#....o#...2(#....o$.....o......o....2(#....o%...2(#....o&...6(#.....ok......0..........s.......}.....{....-...+........s.......(1...6(#.....ol...*6..(....(3..

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.nativelibrary.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.60961858637822
Encrypted:	false
SSDEEP:	384:CKX0gijditBKMBRBHsEQoNynsAw/98E9VF3AM+oHIo0:CKkVRiBB80Aw/KENAMxof
MD5:	CB05A2F6C5369DB41F7D2264BD20462F
SHA1:	986AC47682CE21C0C2E9180BF8E48FCF0C7FE21C
SHA-256:	A407763FC6D99B2261EAC5FDBFD4A068E035EBD9860912CA6BC110751E8ACBE5
SHA-512:	C6632959CE287194B2E8D63A7F1EF9A1EEA82DA837396D58F95E73D2D4ED0C0C113BB05C3B8B327E87BD387C19DAB768564CC82F0112EF763FFBED093FFD6F8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D............" ..0..............:... ...@....... ..............................nN....@.................................X:..O....@..d............&..x&...`......L9..T............................................ ............... ..H............text........ ...................... ..`.rsrc...d....@......................@..@.reloc.......`.......$..............@..B.................:......H........%.......................8.......................................0..K..........~....%-.&~..........s....%.....(....%~....(....,.r...p.r...p(....s....z..0..#.......(......-...(......3...(....s....z...(....%~....(....,.r)..p.r...p(....s....z..0..#.......(......-..(....&..3..(....&s....z..0..7..........~....%-.&~..........s....%.....(.........~....(......0............(.........~....(......E................+$r9..p.(....rI..p.(....rc..p.(....*s....z...0..........

C:\Program Files (x86)\letsvpn\app-3.9.1\SQLitePCLRaw.provider.dynamic_cdecl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	66680
Entropy (8bit):	6.002483892945911
Encrypted:	false
SSDEEP:	768:CMXMG2QW0RgqGlel80eX3xFhofnnN+HHHHns6sbEpyqJW6N0yAw/KENAMxWcmA:N2UTGlel80eXSfnUnM6sbwXN0yAwrxWg
MD5:	B8B01FDEFF971677B7E228310D2FF1F3
SHA1:	D8F0CE87088628AEC2D16B04C3342E3063B57DCF
SHA-256:	A2BC9B6828E0B71D4723A10754A5C97D93A79259549297A80C78E5728012F36B
SHA-512:	6CD14D54583B7CE8D6050B601968BC804BCCBAD6E04BB75AA0DC048DB7CABD7AFC3693A7838857D8BBB30C22B6BB13E89C9DC9D8BD22F1C0EEFE79572F3A69CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............." ..0.................. ........... .......................@.......z....@.................................R...O.......................x&... ......4...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......dB..P...........................................................6.......(.....~....F~H......on......N........s....o...+..0............(........~......o.....0............(........~I.....or....0..%.........(..........(........~J.......ov.......0..H.........(..........(........~K....oz............(....(.........{........o....2~#....o....2~"....o....2~F....of...6~G.....oj...:~H......on...2~$....o....2~%....o....>.(.......o.......0..N........,........s.....

C:\Program Files (x86)\letsvpn\app-3.9.1\SharpCompress.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	463992
Entropy (8bit):	6.214149579680768
Encrypted:	false
SSDEEP:	6144:rcGv7iCPwqEYosfdBtmXaxWoXY06nQk2zLRC+oRZkR4CDy2sqIT0czX1hlmA:3+CoCoCBtmXWnL6nd2ZiUR4WylT0qbl1
MD5:	99E89F68A768E9BBBDA13F432BDB603D
SHA1:	835B33EC4AEC20E61046D7889D702EA9FF3E6A26
SHA-256:	6BEF1439D500BF894BBA9B0D2C398D224F181F28509A110EA1B1BA4518E2C1F0
SHA-512:	3F0D1D13B9237810D7E361CE3DFE9442100D098DAE5483DD9659A1687EA7AEEA30D1DDFD17888B7B37C80F2AC6693914DB43C9A2D422A421D770C2DDF2DFEDB1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._]..........." ..0.............v.... ... ....... .......................`......X+....`.................................$...O.... ..................x&...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................X.......H........f..D[............................................................(G..."..(H...&...(I.....(...."..(....&...(....r.,.~......~...... ...._X..n.,.~.....~...... ...._X..R..2.~.... .....X..F..2.~.....h.X..R..2.~.... .....X..R..2.~.... .....X...0..A.........{.......a}......{.......a}......{.......a}......{.......a}........0..(..........?_d....1...n_....{.....Y.?_b`.{...._.0..@..........{.......(....}.......{.......(....}.......{.......(....}....*.0..5...

C:\Program Files (x86)\letsvpn\app-3.9.1\Squirrel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	277112
Entropy (8bit):	6.039535278333178
Encrypted:	false
SSDEEP:	6144:SbwZzM/arIPizbgQtYYYncnWDOsksHgtBwsbe+/uAhD:hzM/arIPizxUncQfZHgD
MD5:	9CEF34FDB0AD02D84CB4D734D61BF0E4
SHA1:	C4F003B0AD5575E31A18CD831E92219339BF50FF
SHA-256:	297C9FF5954BA04F0EE81DC14CB9F71D87787612B29868073EA4E0C322C1702C
SHA-512:	C9809E858652F21DDBDD2256013A7A2F83EA2FFDDD41DEDBB83F33ACFC0B379F450C3A6CB21E88A603B6CF22EFA8AF5275CEE2D1E6D2E2C38C489FCA02B67C47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ...@....... ..............................+9....`.................................e..O....@..................x&...`......x)..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H.......X... .............................................................{0.....{1...V.(2.....}0.....}1......0..;........u......,/(3....{0....{0...o4...,.(5....{1....{1...o6..... ... )UU.Z(3....{0...o7...X )UU.Z(5....{1...o8...X.0..b........r...p......%..{0......%q.........-.&.+.......o9....%..{1......%q.........-.&.+.......o9....(:...V!..../c...s;..........{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(2.....

C:\Program Files (x86)\letsvpn\app-3.9.1\SuperSocket.ClientEngine.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	51832
Entropy (8bit):	6.136156530910471
Encrypted:	false
SSDEEP:	768:5DGXmBiIOJv2IIXs4UOPhbY+m/rihAt5A8o4/aBS8XpTt/yO0ysAw/KENAMxHGV:5DGXmBiXanx+zehk/WpB/yO0ysAwrxHO
MD5:	1319AF5B79037F5358EDB74370B6A91F
SHA1:	7C7938263AA6FFD67FF02E9B3671812CB9BB4BD4
SHA-256:	8A9E1D9925AE07EB220F128418276626FFDE51070BD1DA52C86B7517345636F8
SHA-512:	F5BA0F5B7697B26F609EEFAC83AEA842E7436FA79AAF03E29C2E9D543E6DC392EFC5901AABABC9BC7F9F3838C7E318BD4D818CE1EA29887B1C08643F08A6EAC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h@qZ.........." ..0.............~.... ........... ....................................`....................................O.......................x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................^.......H........O...g..................(.......................................&...(....6.......(....:........(.......~....%-.&~..........s....%.....(......0..@........(....s.......o......}.....s....}.....{......i.....o......}.....0..............(.....`,........0..Q.........R.{....u......o......{ .......i2...R...{........\| .....X.(!....................0..............("....`,........0............R.{....u......o......{ .....o#......X......i1...R...{........\| ......(!.....

C:\Program Files (x86)\letsvpn\app-3.9.1\System.AppContext.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.771608204190216
Encrypted:	false
SSDEEP:	384:iDNxWQFWbNynsAw/98E9VF3AM+o1MHuId:iDNVgAw/KENAMxi7d
MD5:	DC19950E96CF80298BF02BED9043A5BB
SHA1:	5D8D7F3059A122427FA247223FA0EF6780EB7037
SHA-256:	3211C449F5B7F8EA706DBFE388ADB0F53BCFA1B25F47751D720587D236F9CC59
SHA-512:	6B2E9D8BB0BDC36439A50CEE150029D78BB38F73FFB3DC5C3866AA650AF64281D49B4B2798FA3E14A5AAE7FC68027EAFCFC974625CA61BD2698E7BAB4841E4B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ...............................W....@..................................(..O....@..................x&...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...\|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Buffers.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	21624
Entropy (8bit):	6.63982271939058
Encrypted:	false
SSDEEP:	384:mrMdp9yXOfPfAxR5zwWvYW8anNynsAw/98E9VF3AM+oSrWKbfP:mrMcXP60Aw/KENAMxXs
MD5:	B21A02092186881462E209A05E50C871
SHA1:	B257F0BF5970E2C14B7D241FD00A854BF50CCB37
SHA-256:	7A36E13C2A394F9DEAD9464B53EA0DD897D3F13ECA14D57BF7AFAD7E6D31EB70
SHA-512:	091CF5C9A118C30CF22AEB37B91296CCD2F60987DC9CCD549E2679B4E14E8DD6A3AEA0A76556833C6BE7666971B6ACB14223B6450D82A8C2269B91CE6E1E3B6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ...............................o....@..................................B..O....`..@...............x&...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....B.....(.........R.....(...+%-.&(!...^.....("....(...+&~.....s$..."..s%.....(&........0......................

C:\Program Files (x86)\letsvpn\app-3.9.1\System.CodeDom.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28792
Entropy (8bit):	6.245237352114942
Encrypted:	false
SSDEEP:	384:UdgrnDxt3942O1NEIY3lzZIcKBxehzsCtZ7U6r1fDXJx/WpuWRNynsAw/98E9VFd:YgXxtu5jEIYDhzZpmvAw/KENAMxnOHo
MD5:	FCC14AE5F6C3D4E7854CDACC07471DC4
SHA1:	48AFAD74D270F802FD11F88FD45DD90F313A5A9C
SHA-256:	2A3BC49AB5C9ED4A1CBC1625ADD217322F28106C554C50864BF4E3003F4DE23C
SHA-512:	FF4B1B69D24DDCF2B0ACD28E2EC2A7E37587ED8134BE96D77CB4FE2CD683604737C4ECA46ED7DAAAE0DB70E3EED053EE182028C34ACB4FEC6BBB420046A2C6E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dP'..........." ..0..>..........\... ...`....... ....................................`..................................[..O....`...............J..x&...........[..T............................................ ............... ..H............text...0<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............H..............@..B.................\......H........#...)...........L.......Z.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(....*.(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Concurrent.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.874052426693802
Encrypted:	false
SSDEEP:	384:Tm2igOWnW8rW4NynsAw/98E9VF3AM+oacmxiu:TtvAw/KENAMxkxiu
MD5:	07BAABC732898D966B2EE278A8AA65BB
SHA1:	5BD62D05C2A1DCD13625F4E0645489700C488A1F
SHA-256:	B8C110E53009DA3C5B03D884C7392A531BCF20092545D8AC897623DC12BDC9D2
SHA-512:	2C4A89B5FF06AA74392A635F78FDD6A6D0345B9AA18B7181BA99CDB2B8571BDA9EACCF8DEB9EDDD68FF76DB63304D9D364C7A578CEB5E8BE8B1D5777B4448EF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................}....@.................................t)..O....@..D...............x&...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.NonGeneric.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.867458676938084
Encrypted:	false
SSDEEP:	384:fnapn1iwwPWcGWeNynsAw/98E9VF3AM+ookbc3:iDuaAw/KENAMxzc3
MD5:	EF0446EB462EFC3031059653D7134155
SHA1:	9CF2AE558BDAE5BE63B37685899B1FE1BC2F8F1A
SHA-256:	7CAEE338E2F6CE75FDB73F13234651250E221DD82855DCBFCA375A43BEB8F7F5
SHA-512:	1A8432CBE7EBFB45AACB1A6C01C54EF0B64423F189D11489E78D864A058B42AA07E40F5A0984C31C43922E126FD8125875D637E99A76EED922AA5302749C8337
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................t.....@.................................p)..O....@..@...............x&...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.Specialized.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.873593231864663
Encrypted:	false
SSDEEP:	384:2HLaEav5aaUa6arWVLWlNynsAw/98E9VF3AM+oS3KfyjV:fPv5t/NOgAw/KENAMxujV
MD5:	E4802CBDB22EB8BF4D2543C6438F8010
SHA1:	6DABDE5B21E3E489E67061F649493B990366F090
SHA-256:	546ECA0C98A70DDD7890043A6810FD7A7D0881A2FA2FD9CA32AD71E0C80A5866
SHA-512:	00C0CE9DF137E6DD8909211767DC1ADE6AD66D61C62C972D4993C6A140CB2ABBA4B8A086C95298C4452B839D83A1E9266ECCBEC7CCB7D2F7CE6F8DBF305F135B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..P...............x&...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Collections.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.722257644248458
Encrypted:	false
SSDEEP:	384:i6iIJq56dOuWSKeWWNynsAw/98E9VF3AM+obtoYR:0iAKAw/KENAMxb1R
MD5:	52520801352810FC58F52966765E025C
SHA1:	1C9BE9F9190C0EF113796F8461D9408E841E7A5D
SHA-256:	8E8324FD7AF8BDE9B24D7B5D5AC562586B5202B8C5DEE12707D104E08A73862F
SHA-512:	BED3AF832792CBE775AD4E790131833A41AB53CE03045ADDE358541142EEF2ECE4268739A134CB1174BE3E170CE5A64B3C75CEE22861DBDCE5BFD2016B04CA9B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0................. ...@....... ...............................E....@....................................O....@..................x&...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H.......P ..\|....................(......................................BSJB............v4.0.30319......l.......#~..\|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k..............0....M...............................#..........x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.Annotations.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36984
Entropy (8bit):	5.904316349189297
Encrypted:	false
SSDEEP:	768:/XDQsPurQcR3y6JOnSHDYFD6Aw/KENAMxp5MUpl:/zPtcE6JhHEF2Awrxp5MUH
MD5:	50B0EDC741074137AF85E60543C68AE1
SHA1:	431A8CF8322DF2B82711D5C2CEBB868DF7E1FB1D
SHA-256:	124A4DA624ECAFC3961FAB4741990BF336888403ACA8F3887951D87AF630B85F
SHA-512:	1F525CBF6E6F149B8C898266B66E3F5A50AE86DB6C894E66CF9BE16D4A5D97DA96FCA166729F8676FFFCA20B01CD1223339E6E5032BFEDF13E16EDA6A0D95656
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0..Z..........Bx... ........... ..............................}B....@..................................w..O....................j..x&..........8w............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............h..............@..B................"x......H........$...............R.. $...v......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....2r=..p.(....2r}..p.(....2r...p.(....2r...p.(....2r%..p.(....2r]..p.(....2r...p.(....2r/..p.(....*2r...p.(...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.EventBasedAsync.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.777825114970958
Encrypted:	false
SSDEEP:	384:wnzz+MpSaLWW0+WnNynsAw/98E9VF3AM+o0XZl8:eputAw/KENAMxI8
MD5:	42EF2C4EF72633F81EE54FEABEFDA739
SHA1:	66EBCE6F66B16639F00BB73D572F352242EB8CD6
SHA-256:	51DF9C2300CB2A72732B4C322F64F2FD872497FF64D5B89ACCA5389852FBE098
SHA-512:	E9E071E8F6798EE491FE8B05DD9BCB7B7E116C16F9F6C418D0F790BD8E105B8DF4527D4DEB5EA572D9DA4D07D2E4A824526D724FB74CAF3A913D49057A28B9E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B... ...@....... ..............................F.....@..................................)..O....@..................x&...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.834220282648923
Encrypted:	false
SSDEEP:	384:rGhr+YUfyHxsW/HW4NynsAw/98E9VF3AM+oMIndC:wkmjAw/KENAMx18
MD5:	BEDA4F5188573A34BA5671B38D057A32
SHA1:	1EE41D476128B8A9B0B61D23FCA51118DD2AF9CC
SHA-256:	342DA6F7C7BC4BCC60B1EC2C96E115FBFF7BABF2A93EEF38547571F55C851EAC
SHA-512:	181909BACE7287777C445E3A63ADEB0C8994D0F0A4CF4962B55CCBC034490969894198A94273406A23CC5745F032982D2AA7CCA9487D626B0076A6B6A72A7E57
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ..............................q+....@.................................<+..O....@..`...............x&...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.TypeConverter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16504
Entropy (8bit):	6.765029641621278
Encrypted:	false
SSDEEP:	384:PRE+ruiA5vzWeNWqNynsAw/98E9VF3AM+ouAYrI/:PS9bPAw/KENAMx17
MD5:	AD93D02CC8C89F793C4515A380A46718
SHA1:	616228604E35087D3A9256524AD93B88D636D0E9
SHA-256:	145747830B4F2BAA01D07C0388D3F62654AA74999C958B188354EE086590CB37
SHA-512:	2F57CC418CEFB6FBA68E6C1A6498F2DE098B8E362100FCFD668CC506E72E3C6EF5620F374F1BA2DE13F7BE99CBE1E05B91C34B775EE099D4F6ED7AC0751F6733
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ...............................T....@................................../..O....@..p...............x&...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ComponentModel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.817681722746365
Encrypted:	false
SSDEEP:	384:FT+6ywnVvW0LW6NynsAw/98E9VF3AM+oTUmu:F99lAw/KENAMxwn
MD5:	C38F95B8EE852E52DB5E9DA80C10C522
SHA1:	7AE8C2C504B5EA8799952D90D2295B8BB9A106E9
SHA-256:	F477834D13EC4AFAEBD36684B1ACBDD7B4093815C77FBEEE470C7540DE6793D1
SHA-512:	E7C90F40D9BCA7007A406059DCAB76932DA9195475557AC9362AB14D6B473214D774547CF98F7E0F9843C6F2B4666E658509E6A773ADD8D370E39F6F2A61F84F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................N....@..................................(..O....@..................x&...`......\|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Configuration.ConfigurationManager.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86648
Entropy (8bit):	5.357164907925872
Encrypted:	false
SSDEEP:	1536:P8KGCEPg1QqF3BhejEpvS/ZFQ+2/NVQ8GLa0Uh55T3lEC/IOPbZkxqN4bENZJlfu:kHCXBheNQ+2/NVQ8GLa0Uh55T3lEC/Ih
MD5:	1C3B513759BF32B183AD1EF883242E04
SHA1:	B00C07E5ECCC8196337D8E7BED057878D6DBFF3D
SHA-256:	CBECBD11E559CB8505A39B592C823915F2ACEF44C7ABA4DE3A677FDA8EE1DC84
SHA-512:	9D8FC9C3237057C549B485F124E83020ADD078BE3E8CF8ECEFC3A2D94ADDAC920A62FAA99142882A9EB164D3EB3ECCDA3E1DCC7CA09F095FD1DB38AB26F9EDD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.. ...........?... ...@....... ...............................y....`..................................>..O....@...............,..x&...`.......=..T............................................ ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.....................@..B.................>......H....... ,..$...........D....}...=.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(....*.(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Console.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.81384155196029
Encrypted:	false
SSDEEP:	384:CRbzriaXT+WlEWaNynsAw/98E9VF3AM+oQiX:g7ic8Aw/KENAMx5
MD5:	C829224E1C599BC690A6A053535862C5
SHA1:	35718D2D6476FBFC7C3CBB6365D3ED567D1F39F0
SHA-256:	B28381903BF6E677A42BEAF03E49D8557009426771BA95B771FE03554822C0B6
SHA-512:	D33B1813796C9AF6B688012FC45D989ED34726E19A11270E080A7F9F8C5BDC7C7D9362076D44C81FB929ED4D30AC911BEBF1DA45AF3A7C2A5EDE366A17498E2F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... ...............................X....@..................................(..O....@..................x&...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Common.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	148088
Entropy (8bit):	5.408203656428527
Encrypted:	false
SSDEEP:	3072:udYO+3m9R6e1x03BZ6bDSzZ8B0uAP+jh0:8+2jv1x0ebezWiuNh0
MD5:	5B113569BFBA133317E6989CD1060889
SHA1:	EFE6A744C37C2427573C2EF2A3F4E259081F860D
SHA-256:	721A8848D7CB48DD44D55C498FFF37971DB8D99D5DCBA382F89355F321E211A7
SHA-512:	18FFE3EECED4B61DAC7F3A2FD94593BC10CE6CBB344BE57A4C0068A5B6A58D402C392A8E3A1955802A1CC6AC4A106C77D198B33EADFB53553E0EC1A011C8CDD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ..............................L.....@..................................,..O....@..................x&...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(....2r;..p.(....2ro..p.(....2r...p.(....2r...p.(....2r...p.(....2rK..p.(....2r...p.(....2r...p.(....2r...p.(....*2rM..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.Odbc.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81528
Entropy (8bit):	5.9067487828280605
Encrypted:	false
SSDEEP:	768:YsCikxiUPLkOWoYSAkm4fHLofFv9Rit9zzv5dnCRAw/KENAMxmg:JfkxBIOYSq4/2biHrnCRAwrxmg
MD5:	DA216F794DB24A87AC858EB7DF7ED19B
SHA1:	912B9686132EB2B6282E110D8D9CD33C3AC89AA0
SHA-256:	B277DE060A8864884705E9234B6C7B49AE653D08957728BBFA8DAA2CCC7AAF58
SHA-512:	FDD7223B9032810787F45815FA292AC3A3973850CF16E9898520E1942C26E1D44AF5086321E5F865E62EA52B301CFF478C1C9C20C98876DEE97901B1E1C493B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............&... ...@....... .............................."u....`..................................)..O....@..................x&...`.......(..T............................................ ............... ..H............text...,.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H........(...I..........0r..@...p(.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.OleDb.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	99448
Entropy (8bit):	5.768488723686742
Encrypted:	false
SSDEEP:	1536:r+kZKluk7ZFrtpAauVXrbtYC/xBu9LCAwrx+:r+kzk7p4rbtYC/xBOChM
MD5:	5FD9F8685B8B9A438FC8FDC5BEEBB361
SHA1:	58FB6F54E936D23BDECE7D096E75EAE7006EE4F9
SHA-256:	76E837E8FFA64531CD61E1311ADD4EC5446586CE7606C4825CE1B552301FDC71
SHA-512:	AC034418772B5B590E89AF2E868E9B73BD4017CD151687747E93D24A3C45098DB4C5908F2785C5FF8C5B850830C8AE3A0A27BCF439E23FD2ED563643360D8E05
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................`..................................o..O....................^..x&...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............\..............@..B.................o......H...........^..................Pn.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(....*.(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Data.SqlClient.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	223352
Entropy (8bit):	5.664641058719897
Encrypted:	false
SSDEEP:	6144:bXFpBZBJL3rBxad7/bAkGF60FhFoFmF8cjcsc4FEFbFgcbFmFiF6FhFuFBFuFDFr:7FRf60FhFoFmF8cjcsc4FEFbFgcbFmFr
MD5:	8190DDCF172FB4256AB34D06D287D904
SHA1:	ADF24ED3E1549A70470F838C4FA396F01DBBDCA9
SHA-256:	0698ED52B6EF66CFD1E921A84149094237D2BDF1C113226544F2E565973695E2
SHA-512:	8A70DCE3EB9A84C4D3F86387488154B5EBE8B9569D5FCE8D994AE94D7BF9CE7C475754FBEAFA2C90D6072838F7965A031D7087F9FFF6D4875EE772B9749DE473
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..8...........W... ...`....... ..............................).....`..................................V..O....`...............B..x&...........V..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................V......H.......h7..............@...XW...U..........................................0..1.......(....,..%-.&...(.....o.......&...,...o....,.......................(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%....(..........(....

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Contracts.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.780883003826737
Encrypted:	false
SSDEEP:	384:WRtRWjYWwNynsAw/98E9VF3AM+onGJAIkWVbq:AiGAw/KENAMxGJAroW
MD5:	E9FAA134FA35C900230F40AA92780BC9
SHA1:	BE64BD779CFDC3C8C1466E9C5D15A648D08516E3
SHA-256:	3F75B989B9B62429A9B9ED96326A43982911AFD9AE330FE6647FDFE90835AD56
SHA-512:	D15BCB6A88F4722489B6CAD8AE68CCF9E415E7D5E65DAB764A57EE23809F243096C38EF3EECCF69D99D65E6F760E7340736E5E080C223184164EE66D9DBA6DFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0................. ...@....... ...............................I....@.................................x..O....@..@...............x&...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.......................H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Debug.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.860145403849104
Encrypted:	false
SSDEEP:	192:PFxrIFWnoW5mNynC5c77bgfU5izh/y2sE9jBF3A5K+oGliwJlondu:XeWnoWoNynsAw/98E9VF3AM+oGli6lEu
MD5:	4325184D616C23EFF7EA8D14440C9408
SHA1:	DB5C2D8593616CA1EF7C11809E6DF303EF21BC47
SHA-256:	660B3F54D45D129A86FFA65F3A73718B1E55BBFC9D25C396A2FB2C74CD2D5815
SHA-512:	13FF31295809E8DA52573C67C3C7F5B6A1906D602A84048919A696E50914F9802D947AF90314E684D1CC8EE654DD5878368821CD8A9CB946E002439B8D1CBF6E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................X)..O....@..$...............x&...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.EventLog.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32376
Entropy (8bit):	6.2713672809047125
Encrypted:	false
SSDEEP:	768:nVdeQes+wUTHP0G3cmL+7NQ1OaY74EnAw/KENAMxz1:nXeQes+wUTHPbANP7tnAwrxz1
MD5:	0F23FAAE136E2D6E79A1FF186F5EA09E
SHA1:	8557300FDD89F5CC079E82B7B42CFCA8BEDF748F
SHA-256:	5787C44A505A8A174C51D240B7AF4B6EBC847FD6DB243B8F7495162DBD14A57A
SHA-512:	D86268AC4359B640ECA2C9FF46E03B053BEC120A0A6427911741131EC934586DBC0D5F12A12E39CF99CC5E962A586A5FFD406DC08CD986BF7EF0F101303A9133
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K............" ..0..N...........l... ........... ...............................f....`................................._l..O....................X..x&..........pk..T............................................ ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......<%...,...........Q.......j.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........( ....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.FileVersionInfo.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.819227808689891
Encrypted:	false
SSDEEP:	192:TxGxIZWJjW5TNynC5c77bgfU5izh/y2sE9jBF3A5K+oC9Rv3GWFu1:T6oWJjWVNynsAw/98E9VF3AM+oC6WFu1
MD5:	B34AE529CC79512477153576537B21FB
SHA1:	23D65FF11D4394F46BBEAE41051A5B84BDC9C704
SHA-256:	3CFAD08F4119488FC0710DD66146CC05DED876D2DF1C57234E1D5DD2D531CBE5
SHA-512:	1C05C7E567AD189EC21F2664C9E4FF7DA66CEC82DD2601E4EA097C74311EE08DDC80902A29E10CC469AD1DC389EA70043EE5740992E933108299C74E4DF1A6E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...................................@.................................H(..O....@..p...............x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................\|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...\|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.PerformanceCounter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41080
Entropy (8bit):	5.9391481535384445
Encrypted:	false
SSDEEP:	384:4GAHVcV8a5cg1YeEBfVmVYSGS4W+FyLVRVStbaB/PRTlBRBMJnnvnL0++WYbWPNn:4Tyj5cKJfE+MJnnvnL0jSAw/KENAMx7n
MD5:	493138EDAA737E253B37C246F6D8E355
SHA1:	C7A35DEEC7CB46F65E2CEA25E7B07FF086967805
SHA-256:	7A82B032A573A2BDD97A0E00AB3B81AC299049EDA53831F106AF05A48B2CBB56
SHA-512:	4AC26848DCE577A9C97D49FFE346DD26DF1DD8053A3C8EA75605B514BB83E37AFB6CBAA4F82F3C9EEB7DE245A131AAF88E3C8CAA6850C0E31FEE4717F0D46917
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D..........." ..0..n.............. ........... ....................................`.....................................O....................z..x&..............T............................................ ............... ..H............text....l... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B........................H.......\&...5...........\...............................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Process.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.740978857859148
Encrypted:	false
SSDEEP:	384:Bqk53/hW3fZ+zWcgNynsAw/98E9VF3AM+oe2SRRs:Bqk53MwMAw/KENAMxp
MD5:	CBEE27DBA77C7CF7C59103B6ECE06747
SHA1:	7874A2A40DFA785607A2114CBF4C6038CB1D14D6
SHA-256:	8D42D8749626650B32568A6D18EA2D744D431815B749B460B2D82100F3948E31
SHA-512:	6A2683DF0A516FD5094D3283AA2A7FCFB30ACEAA9735794A5BD5F8F71B8B5A4489138CBB9FEBDDA7E6A05E7E92F5568C15D2D8D0CCBBFB6498E22E245561011B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*... ...@....... ..............................y.....@..................................)..O....@..0...............x&...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.......................H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.StackTrace.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	17528
Entropy (8bit):	6.625432816145671
Encrypted:	false
SSDEEP:	384:6SFCc4Y4OJWfOWqWWOWgNynsAw/98E9VF3AM+of9G/dGfWu0bvU:pCcyCcAw/KENAMx1G/w+ZQ
MD5:	CB947E2917EC4F82E2B9625EE76A7B41
SHA1:	9C33176929C1276CC886C935640D48E3F0955A6E
SHA-256:	78A84B8425DB0AE9059638CA7AEBA5A65479C2CBFAEBC0FBFD8D66F898E892E1
SHA-512:	313CD1620CC46AA7DA1B3172811D72835329B86E0BE49E7BA9464E7E0FE1803D596FA4691A99E890681F7623A6C406936AECFA1E5BFFF456A3F8EC4B11B87CB6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ...............................,....@..................................-..O....@..................x&...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....6.o.....(....6.o..........*.o........~.....~.....BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.\|.....Z...1.Z.....$.....$.......3.D.......\|...F.\|...c.\|.....\|.....\|.....\|.....\|.....\|.....Z...I.\|...}.Z.....Z.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TextWriterTraceListener.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.846165372327434
Encrypted:	false
SSDEEP:	192:OlTx93aWxMW5iNynC5c77bgfU5izh/y2sE9jBF3A5K+o0tI7950:2AWxMWcNynsAw/98E9VF3AM+o0q9u
MD5:	9DF0CC3CAC024AF0BAD8F2BD4A808407
SHA1:	9739A7D0A7DED9959E03D812C8B38F126C187F38
SHA-256:	5D2B381D6BB5517B64400B8BF3033948CBF31842E58A1EC4F9F4684035E00050
SHA-512:	FFD4551C7059480C472EE98BF2629BA6A0F726D76AEEC65ECB0E16FC3207F9D934F15BC427127822FAC5FF129EA0684163DE908E9DD2386C844294D16A85EBDD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................R.....@..................................(..O....@..................x&...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..\|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tools.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.819316086882705
Encrypted:	false
SSDEEP:	192:eYqArxbYWHaW5GNynC5c77bgfU5izh/y2sE9jBF3A5K+oj35Op1gR:cAlcWHaWsNynsAw/98E9VF3AM+oj35uw
MD5:	798409B7B926B313E2C6F1706750730B
SHA1:	B4298634A9284C0607FD6AE9C3A0433417BA73F2
SHA-256:	EB45ECC9BDB2F39803E71AF00874F6696474F78FF6B36263E3DD9C137C581A0C
SHA-512:	9B0BB4D6465675D1D5ADCF105EAFB50547CD040C24F52C89E95DA98832200D09D03B01EFAFA8F98101A5AD70DE93A6F4513F020EA6282C0B2FE414918C263670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...................................@..................................(..O....@.. ...............x&...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.TraceSource.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.742488884379173
Encrypted:	false
SSDEEP:	384:w8IZnWlNWUNynsAw/98E9VF3AM+oFZ+b0Z:zUy9Aw/KENAMxjZ
MD5:	9C85EB3BC39604E8C119E4F688C96863
SHA1:	DCF3EF20A06B316B632D4D0F4FA91DABA5B6FD87
SHA-256:	5F46A27028317001B47F6D69B170B4C357E4BFC223B8B596E8C98138B91B9ED4
SHA-512:	6F3F3A9034E8F16EC10B3763D9DDFE0344AAA61E1C483FB3F1D5FFFA31CC91F9EBCE36AD9EE4A3C7D57B95B6E9C057568CD4F47531C25B0C322AB8FD918FFE86
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2... ...@....... ....................................@..................................)..O....@..P...............x&...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.......................H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Diagnostics.Tracing.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25208
Entropy (8bit):	6.467437956037252
Encrypted:	false
SSDEEP:	384:llQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWtNynsAw/98EZ:bQq33333333kX+TBi8aAw/KENAMxHBP
MD5:	73A2D817D1EC528E5853596180372614
SHA1:	D0B860273A6EDD942D2A83384003955E26914B54
SHA-256:	B4206621646D532669DBAD226BDD94FBB47DFB6D6E0448DE1F2EBDBA071E105B
SHA-512:	6BD10864083F8459393017D2BA629EB3739C5567C0369D0E52E9D5D931FBA3BFAFCBDC4598E9EAE8EAADFDCA8AEA4078F4FFE2831C1D2C8BC9E9AFCE310E1580
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ....................................@..................................L..O....`..x............<..x&..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o...."..(........0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....&...{.....0..4.................}......+....{.....".......X.....{.....i2..0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Drawing.Common.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53880
Entropy (8bit):	5.833648420918623
Encrypted:	false
SSDEEP:	1536:gJbgUxvrIn01EkO/69KzwmOiGeCcSP8UIrMAwrxy:g1xvrInsEkO/AKzwm3C0UOMhc
MD5:	01B025AC145C79D6F40FBCDFDAC3D11F
SHA1:	0D3F49E6EB8D034B6E5BEA52B59BCCA9F5A0EF85
SHA-256:	B79E7EC22F2761FF01004016DD97348F3CF670CBF16727782C077F8CAB74CF0F
SHA-512:	21E6505C178AF4CD5152578EC78CBA7F16E4E10485A8062845933E68FC73566E99B0A1100EE2C31239A830C8C77605A7E48DD59BF13206DF5F23C6B8499DFD61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............n.... ........... ..............................O.....`.....................................O.......................x&..........8...T............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........)...\...............6...........................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Drawing.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.813469937408214
Encrypted:	false
SSDEEP:	384:k28YFlXulWY/WMNynsAw/98E9VF3AM+ohHpSmHng:k0qjAw/KENAMxhJSmHg
MD5:	27638E6E859314B1F1D392C0D171C012
SHA1:	BB27E41A80CF7433D38238321B064371AE58A146
SHA-256:	CA9E092E26EE68E9C7632A2C88FFF599AC212A8AD2D69FD428B79A1017A76CA5
SHA-512:	926E6B00FE9F748F7405C9F557C438C32644CC8143483B4DAEB5599A755D062B4BD057BE688332FEAF01AD112B1DC8A70A32F68983096A4D34325F7E9C37344C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................#....@..................................(..O....@.. ...............x&...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....\|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Dynamic.Runtime.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.695947810858173
Encrypted:	false
SSDEEP:	384:buMLcdQ5MW9MWxNynsAw/98E9VF3AM+ojzV7Mp:qOcSptAw/KENAMxep
MD5:	44F158E62FF8CCC848E96DD6B7BD25F2
SHA1:	E7F0CF0A1BDFA9080B5193903676A2209EE55F25
SHA-256:	344AF35FC7940E857C22C24ABCC49740A26EAF1574E79262DD39CB6CA08D878B
SHA-512:	EE6FF5E6433763CAE459BAB1F1126C8530653D0A6FAC779E05385D1E9AE77B76D2057CD4D4988B61087802C8A3524D19CD9D46B2368BE35906EF06644DDAC8EE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ..............................8#....@..................................+..O....@..................x&...`...................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .............................................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Calendars.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.774749531978505
Encrypted:	false
SSDEEP:	384:6Z7RqXWDRqlRqj0RqFWcNynsAw/98E9VF3AM+o86luOynI4:a9qKqjqjuqVAw/KENAMxx4
MD5:	293EF3187D5FACB4A3CD1A7F0E5D40D2
SHA1:	DF277A789CC87DA351EB908AB744BB51EA10AEEE
SHA-256:	1665176EE868A0C4636F37448166AB75BB7C18651C8799CDB9B1E1B741696308
SHA-512:	419E366F76AF9147FD68885E1811091400F4C34F6A4441B9EFD7CBC8FEDC9E08FB70D0A1244D6E103954A7B3CDEE8A63D3931D3EEB99DAF98B45155B0C88D485
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0................. ...@....... ..............................\#....@.................................X..O....@..P...............x&...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.Extensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.593754612334134
Encrypted:	false
SSDEEP:	384:JNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WjNynsAw/98E9VF3AM+oyVvgL:JvMhF2SzNzwu/NljuwAw/KENAMxYI
MD5:	E7FF6DDC1406016A7EBADB98EC5E74D4
SHA1:	8BFCC53FE0A319C10D3FB72FF63C67EDF899393B
SHA-256:	59D27BC17163567FCBB2B4B2DA2B656823E4EB7210D339AE7ECE430CDD9DE52A
SHA-512:	27EFE98F9D7FA6ECA60E2B5FA9A24E03D1F4B5047D92412DD1403F81AF20BD2CE3D232DDB35E0A9E79A0D2A21FD39B01FC1603DF17E3F71F7DDFCEC804C09253
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..x&...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o...."..o......o...."..o....j~....%-.&(....s....%........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(..........(.......0..K........-.r1..ps....z. ...@3.(..... ....3.(....*. ...._,.(....rI..ps..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Globalization.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.8663193575049135
Encrypted:	false
SSDEEP:	384:mZ4RLWdRfRJ0RZWANynsAw/98E9VF3AM+oTEG8/Ik3:mZK0pJu1Aw/KENAMxABIk3
MD5:	830BB8433DA765BC3B143894D136F1D3
SHA1:	3E6DB7817DCD22914609B0D5E5E4A1396234C9AD
SHA-256:	21B1C64448A08515A7CDA1567F9D54DBA90938220E54C2962515C771F7FE171C
SHA-512:	58E475765124CA95AC3928FAA6D591602786C5EB0C2267607BEA319CB3F362658CDF74589EECD780AB1E8C035C6676416D1EC935649AE48D6E963C73D3CA0968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................5.....@..................................)..O....@..................x&...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.\|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.ZipFile.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.758090711918702
Encrypted:	false
SSDEEP:	192:AFx+WTIEfW5nNynC5c77bgfU5izh/y2sE9jBF3A5K+o2DMKRuNMWM:QYWsmWhNynsAw/98E9VF3AM+o2DJeM/
MD5:	D99A8C6272913C442EC12066E2705272
SHA1:	247E198E79D207F5A6C6EBA0262FF595B0ED9AFF
SHA-256:	629432D143B7EFA45A333ED9DCF905007901494422D20F04625D9C629B469AD1
SHA-512:	1F897203FCB1FEF027D844EE421234C8FB7AA0C32D6581EE1E3420F4B521DDBFF4E8CEC1EE717F14EF8D6D4189BA83668F5FED1B6DC8349B9D68A0992E9CC2B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ....................................@..................................'..O....@..@...............x&...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Compression.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	104568
Entropy (8bit):	6.374300849227252
Encrypted:	false
SSDEEP:	1536:Evc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXxAwrxe:Egk1tiLMYiDFvxqrWDWNoJXxhI
MD5:	77186839DA97BFC390E23FC9C713CAEC
SHA1:	0C3B130D7559485F3E826760D52BF614FB799D4B
SHA-256:	2F3AC5BA835DFA587A21F8520C7BCD3E6FAF9782F79DB5FFCBAC44AA7E9AE3C5
SHA-512:	32308D089A8AAF399DCDD4AE120EE512A6D2E7ABA074B597A67FFDC42C5818EE75F4C454BDA4A8246180D7485B530BE40726BB3DCE1470F317C04318F9AD11ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................#D....@.................................5W..O....................r..x&...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(....2r7..p.(....2rs..p.(....2r...p.(....2r...p.(....2r...p.(....2r=..p.(....2r_..p.(....2r...p.(....2r...p.(....*2r...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.AccessControl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	29304
Entropy (8bit):	6.357625727503903
Encrypted:	false
SSDEEP:	768:uCN9VYp/OiRcnZIfk8P4Aw/KENAMx8sse:uQ9ycnn04Awrx8sse
MD5:	637C6958CA2988B728CD5804AD63B283
SHA1:	A0CAC5CAF1C826DB69DD58AAEA172C0C31CD3D5D
SHA-256:	A7BEB06A35B21C1EB273EC29ED6B23F7D4D7E977266700B1106462D27856F07B
SHA-512:	A511DE1766583A292F629A0CE000EEB8D9A7A26C482B53B995239EE35C820F682CC949C1B82FBAF15FE4F7AF9B79F6AA8C75FBD308699476CEECE06C7C867409
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._............" ..0..B...........`... ........... ....................................`.................................t`..O....................L..x&..........l_..T............................................ ............... ..H............text....@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B.................`......H........&..t)...........P.......^........................................(....^.(.......(...%...}....:.(......}....:.(......}....:.(......}.....~.....0..1.......(....,..%-.&...(.....o.......&...,...o....,.......................(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.DriveInfo.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.8221803223223265
Encrypted:	false
SSDEEP:	192:EutKWx14zRLW1cW5qNynC5c77bgfU5izh/y2sE9jBF3A5K+oVd3ggR:VKcuz1W1cW4NynsAw/98E9VF3AM+oVyK
MD5:	A6D101FFA40384800447DA99F93218CD
SHA1:	77A152E499257651DC0C3C37C7F1D00BDF26BA35
SHA-256:	7BF698AD8464A397A18DF12BD9F94E12346DB11484145D587700DD2D826D9BE0
SHA-512:	A43EA394924AA5AE23D5CDD6C823DFC6D1E0E46353FDDB6531DC45E9CA3443F641FA4B1A7336C446B9C6085A931A2AD16026D19293645F1A7DB6A39802A5567A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................<.....@..................................(..O....@..P...............x&...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.831882662881197
Encrypted:	false
SSDEEP:	384:B+SWikW/NynsAw/98E9VF3AM+oVfWQafC:B+e7Aw/KENAMxozK
MD5:	80E7F954575912F11B56EFB4CF8D6F27
SHA1:	CCA9D2E36C5B805D3FC5382F89923196F5E049D9
SHA-256:	5E8D1E5A7063B9F75E14AB4F7BD3C13983E6BDE66839DF65B840F4E1E7C564A2
SHA-512:	4A5E8552DF1337FD7200C9D260E26161F4234DF5989313C90A9AC4FE5A553E173E54DC1195C2DEF38D02BEFDD9A6BD0FEDEBA7688D9A9C3D8F7BD940370107B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............x&...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...\|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.Watcher.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.878148932049412
Encrypted:	false
SSDEEP:	384:RAWzgWSqNynsAw/98E9VF3AM+omH72/LC:RtpAw/KENAMxWULC
MD5:	8273FF33737D92F6B787ADE2C9CD6684
SHA1:	9AA008A3E6A378011438327830D272D665980B71
SHA-256:	1FFD58F193CCDA68BB11451783F1A4E6771F3E5553AC221D7EF6449C8AC3E037
SHA-512:	008E4341D71B317E472F322EFFD01D7EBB758EDDB90C41D53B76E5F7E7934FCEA7F9B0B3A02794ED8FA87ABC55004933E6C43AD77DF7191129F24D57ECE0F5DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................p)..O....@..@...............x&...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ................................)....1....9....A....I....Q....Y....a....i....q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.FileSystem.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.829418662608107
Encrypted:	false
SSDEEP:	192:dJWx7VLRWbYW55NynC5c77bgfU5izh/y2sE9jBF3A5K+oYHj9ZSPuVz4:kBLRWbYWHNynsAw/98E9VF3AM+oYH+mu
MD5:	986967FF5F150646294BEDAE9C3509E9
SHA1:	D2C2547C8C853F4EEAB5675F0EDD9EF72AEA5E2D
SHA-256:	81F5062E4E2C8899C50BAF04CEB992E27C491F6720A3B08DA55F011A5E744008
SHA-512:	28888CB9085718DFC846434C4DFBFAF463AB4E10336E419AC80554EC5D3834DAF1B1BB6E3FF15CA7FCC48036F36F7CFE19B7223094E2B043ED8F9E5A881F7D00
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ....................................@..................................)..O....@..................x&...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.IsolatedStorage.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.818084088565536
Encrypted:	false
SSDEEP:	192:uZxcMRW4/W5ydNynC5c77bgfU5izh/y2sE9jBF3A5K+om7CbhllLy:eHW4/WodNynsAw/98E9VF3AM+om7C75y
MD5:	7990CEBE3F6CCB7146DAE3C29FB2318D
SHA1:	660C4295D95DE4BF1FE886E1859E35EEF158B6FA
SHA-256:	039B0BB743A311241F5BC78E491C4296816C271A8E9BFE235232168BEC22DD3B
SHA-512:	DB6C40C885CB66A385D6290D5CAB572F64FB292C0C9960EA7E3A22797A5A8B03225355A02045432501975C54AFB5CFB8D34C8F68FC5994428BD718879D3ABE0E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................5....@..................................(..O....@.. ...............x&...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.MemoryMappedFiles.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.878370184280462
Encrypted:	false
SSDEEP:	384:yvk7hWmCWgNynsAw/98E9VF3AM+oP2b5Ae:ys7/gAw/KENAMxS5
MD5:	B9B2BEA2BF29AA4BE202561B1EEA809B
SHA1:	D831049124EF30D47AC7EF7932F8C4EBB4BEAD42
SHA-256:	B9552F23268923328AA716D828F77514C422C1E1308B6C60A12EC0698A555A33
SHA-512:	5BD3E338F8C5CBECDF9C786A75B1D1CBA5B8141CF0450FB9E420C9D755CB33A87B3C03B9244410CB2F18FCFFD06C80A7757311C064E5FC0C4831DC0DF194D68F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... .............................._%....@.................................h)..O....@..0...............x&...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]................................)....1....9....A....I....Q....Y....a....i....q.*.......................#.....+.....3.....;.....C.8...K.X...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Packaging.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46712
Entropy (8bit):	5.881532617686532
Encrypted:	false
SSDEEP:	768:3xua7db+smzMnSzBt++0YfTF61O+luv5ty5Aw/KENAMxtRG:3xH7ssKugt+++1luv5ty5AwrxtY
MD5:	E3B58E495C6436728739935AED7AF720
SHA1:	2EB90369E35F027A8D781EB2725A7FBC6D5BFFED
SHA-256:	C2F56E5C94FD9A0A2B43EC4A1175414F19095D59D236F83BB4424255EE7CB36D
SHA-512:	D000C9E616B1D983ABF228D8292F254258B6B34D2E3212CB0861FECEE0996EF538175E3C0A548B9356CAA018B705943FAC5174D0EEB5CCB50C9CEDEB4FCB1F63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)1............" ..0.................. ........... ..............................Q>....`.................................S...O.......................x&..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......`(...D...........l...6...........................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Pipes.AccessControl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.533696219917538
Encrypted:	false
SSDEEP:	384:mANJdesEvbDYUgmpWrxWNPfWqxWfPsNynsAw/98E9VF3AM+oAtOkdoV:3clTD/yod2wAw/KENAMxEa
MD5:	D9EE5599035133554B3C07D728B99E98
SHA1:	8C274C7B4C0E1FC3BD594407D2FA82B0C34382F8
SHA-256:	03E1140FDAB8031434FBFD70933342F99E7E2D2BF037130D22B8BAFDC7EF3195
SHA-512:	8C58E2F0A0317796B15797BB6D5971C41BE822F621A9D399F6810CAC8D381F1C4FDAC1EA70962E3E9E60B0D5E47A147199F3D0EBB0F0D6FE2B21B219EC3EE9B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.[.........." ..0.............Z5... ...@....... ..............................%4....@..................................5..O....@..P............&..x&...`......T4............................................... ............... ..H............text...`.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`.......$..............@..B................;5......H........!...............0..(....3......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....2ra..p.(....2r...p.(....2r...p.(....2r...p.(....B.....(...........o...."..o.....BSJB............v4.0.30319..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Pipes.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.838088711694262
Encrypted:	false
SSDEEP:	384:KGMWCUWKNynsAw/98E9VF3AM+o3303rTU6:K3oAw/KENAMxU3Z
MD5:	FA3B99AD60E4A9695E6B4A31D7F79CCB
SHA1:	B488CE6D0BB9D29D862952EF5A869251C33A2D4E
SHA-256:	1E695452DF201DBC9C9D00C1B195F7D75546342F2FD80B4F2555ADB09A301E52
SHA-512:	0EF7674F3DDAC9119A5A16A1EAFEE19FDF36C90DBAA0697C4F10E5DD0DB8FDB04EB9449BD8358BA050DD2C7D942259A07A7A2B84329A85CBB6E6BA18B43185C5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................@)..O....@..................x&...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.Ports.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33912
Entropy (8bit):	6.191653852946371
Encrypted:	false
SSDEEP:	768:244bN5hwABzKGUn11fF+1WnAw/KENAMxX:25bLhLBzcn1gWnAwrxX
MD5:	99C18E00C1AA8C955FBD17A5D87CB0E9
SHA1:	42B923D6C6CB2007847AECE6CB4DEB7A8F6DB25D
SHA-256:	4D87A7EE69729B5DAA6265DA588F7C96B552E5DA85574B5C1B0BDDBF5B5D30F7
SHA-512:	CD9F8A00BEB03A1B70CCA5B5F24C8D247D03BAA918F36D19242D0D7CD0BB0ADAEE5BADDC2CCBEBC60608C5C53E9E99362AFCC78DDE4B3450C2C45B7D5A183929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..T...........s... ........... ...................................`..................................r..O....................^..x&...........q..T............................................ ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............\..............@..B.................r......H........&...............U..X...`q.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.UnmanagedMemoryStream.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.824928366235198
Encrypted:	false
SSDEEP:	384:YBhwI7WSQWHNynsAw/98E9VF3AM+o2YpCcZC:YDwIBPAw/KENAMxh7C
MD5:	4C2E3ADB8AC7365833044CE7F930B46C
SHA1:	E0E7CFE0AF1D1DBCF7F8F57EA2DF75CE1F7DAFDD
SHA-256:	A36D349BD3BC97EAB5EFA9081A2DF5D3FEDC77907362975FED2666F5E9F5065A
SHA-512:	A6D97B320491CB769939315F91CC8E62AE093EEADF9FAFC434A7D6CDEB9EA21BAFA9F75E482E8FDF56F5C4A37AFCE77184210FCF085B4655D0EC8E6F781ACCE7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................f.....@.................................l(..O....@..P...............x&...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.IO.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.838731259231518
Encrypted:	false
SSDEEP:	384:KyvPRW4lW2NynsAw/98E9VF3AM+oayAT184:P39vAw/KENAMx+/
MD5:	CB1CA391DA15D41EA7AD42051E52F9B7
SHA1:	EA93400D20C896B1DB6D9954461F1E80EE71FB9E
SHA-256:	6CC4FB0C84E65C90529E42B04E4CDD083C862D08F0A3EF3C419C27100D2134A4
SHA-512:	99A15B2E265297CC85ECB8C67F0B3E969449810E8B0C51589F3ADA01F74AC55CC006E313A5AABD3357BEC52B53FEAC0E85EA9ED5B9F31E8E52B70837695CBB36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................x&...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Expressions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.7870886815252955
Encrypted:	false
SSDEEP:	192:gnhp+J2sx/5W6eW59NynC5c77bgfU5izh/y2sE9jBF3A5K+odSxqz3x/iXQd:26RW6eWLNynsAw/98E9VF3AM+od0q96W
MD5:	62C92B9573431B3736160A52EE9EDA62
SHA1:	FA2B1FEFA40A8D79008A5B3A0C4B4506A793C019
SHA-256:	8D54F1FCD0B757921479FEB5ECE70D5BFC4E6829E6CCFB41273A621DB908C19D
SHA-512:	096CC1646C9791DA8DE1D77F5FDD2785A37A455CE52B3EFA439489134DF214135F99AD462A17B5504776E9063106701CDDCBADC4E9DF1342FA861C115E5E9FEB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ....................................@..................................-..O....@..................x&...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Parallel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.822896008053891
Encrypted:	false
SSDEEP:	384:zSUP9W70WMNynsAw/98E9VF3AM+ox/7gF:2UeeAw/KENAMxxc
MD5:	BE497BAF2B28526190127CEB3F28D1A3
SHA1:	E32A8BD8835DA89A133292E1C3F9C4F3B07B0A86
SHA-256:	19EDAE56C407CF69154E77E7FB213B56B9C9CC2EF84927E0E4AFD46BA0724B30
SHA-512:	85C31EA7382ABB41B2A5837A0E73449CDB0A8D2BF39DE38F154ED94A63E34A7A63FB7A95DC0BD7946880691BA9F763AE40E707EC2CE84C5362FE79C931ADD7FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................x&...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.Queryable.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.813133433389741
Encrypted:	false
SSDEEP:	384:p8yg07W0/WPNynsAw/98E9VF3AM+ob/3Pa:pBHOAw/KENAMx7/a
MD5:	5997F2EFB80E251051EFBCCA93D1FE66
SHA1:	41769403CC169CBAE99946C7566D6F3FD81BFF42
SHA-256:	43475010B399F2044E3CBC541B107B5D832D63365240F13EC47D839E5E74A0F5
SHA-512:	FF7DB3188C2E4851BC45EB480C090D1146D2CCFDF7DAE5F67233F30940D5D6C543CBAA0311E84353E2138E0D648F47D9CDF91491245CD3636D22FA45572A8F5F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................x&...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Linq.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.77953046853243
Encrypted:	false
SSDEEP:	384:Se1WmRWHNynsAw/98E9VF3AM+oTypeAJF:SejYAw/KENAMx+p3JF
MD5:	06A1C65B143C8F0FB4A0879218D77D66
SHA1:	D2E290A1AA848BF3F9DEDFF4737B8799B04A63F0
SHA-256:	063E7FD242F1AAFEC39000F6817A59CF4EAD1C1992B5CB88747550071798BAE4
SHA-512:	367A27289D4A35E89262EA23CCC5CD619E0A963D3D69B32F013404F897C566C98FC049B9DB501F132FE5A713152A8F5FE2D6167EF478F55370DBF49787B86A86
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................Z.....@.................................p(..O....@..................x&...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Management.Automation.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	364152
Entropy (8bit):	5.897762265981335
Encrypted:	false
SSDEEP:	6144:HA0HY8o04jatc9MCELK5h+BO2L1fsqF030NhJ:HA0HYnitRCOFOI1W8J
MD5:	47F5CDBD34F0C83760764EECFAE4D4A1
SHA1:	581938D170D496B90A07B65779D1DB9DE44C462C
SHA-256:	CACFDFD66683EC2D51838C13C9B97A822A33D6EE6215AF7E4267DD4562DC8B2F
SHA-512:	F8FEA46EE5AFAEF1EDC11BFA52117DF46869E5EEE115F5E798C4233A1B758C29A860F62419859975C941E87366ED8599E1F0747FB1ADE82004E729C63B6762CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;..........." ..0..`...........~... ........... ....................................`.................................?~..O....................h..x&..........\}..T............................................ ............... ..H............text....^... ...`.................. ..`.rsrc................b..............@..@.reloc...............f..............@..B................s~......H.......t\|..h....................\|........................................('.....((.....(#............(......(......(......(.........(1.......(....................(......(......(......(......(......(......(......(.....................().....()...........(........(......(......(......(......('.......Q...(.....................('.....((..............('.....('.......................('.........

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Memory.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	141944
Entropy (8bit):	6.155850089489525
Encrypted:	false
SSDEEP:	3072:lUGrszKKLB8a9DvrJeeesIf3amN32AW/rcchFd:0B8l3/aK32fhb
MD5:	D5879EC1646C8A704FE4A624224B1D38
SHA1:	82A3581D7B95FC1BEC98A6CB5BB91B2194C6F254
SHA-256:	A2533C75AF4EBA3FA7EBD0D8E2990052FED788D99630A8935229D15ADAAAE0AE
SHA-512:	216BD26D1B12EAED056741E21BD62277ABC41F67C752C0679D56F2F0B954E174C384A024CE2E189D16529F3878406114EB472EE589FA2A763831103DEAC2EDEF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`......l.....@.................................`...O.... ..@...............x&...@......(................................................ ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...>..}......}......{......{......{.....{....3..{.....{....((......0...........%.u....,..........(.....z.{....%-.&.+.o)....{....(a.....(....zN........o...s+....(....z.s,.....(....zF(U....(O...s-....(....z.(V...s-....(....z.s.....(....z.s/.....(....zN........o...s0....(....zrr...p(\....c.K...(O...s1....(....zBr...p(Y...s1....(....z.s2....(....z.(X...s3....(!...z.(_...s3...*.(#...z

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Http.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	192120
Entropy (8bit):	6.109263234015186
Encrypted:	false
SSDEEP:	3072:seruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgeh9:FW60VcTvakcXcApO9h9
MD5:	91F987E5A56EE503E1123B0E07234808
SHA1:	97877C41CBFBF6014D3CBEFE009969FA539AFCC2
SHA-256:	DC7E265C59843D16DAD273D4A4FBAAE9F67472983F63D2776FC0A62050CE438E
SHA-512:	91D066AF8DD92ADD12AC8AC213F80DD3B25F77702C66D6155742671C7F361F689C931921EB5334A5B2A4FE92ED253725C9BF356B961A3F4463A2B904535963BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... ............@.....................................O.......h...............x&........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1....0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2..J.Xo3.....J.Xo3...(...... ........J.XT....J...XT.o3.....o2....Y./....o3....%3 ...Xo3......Xo3...(.... ..........0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._......0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.IPNetwork.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36472
Entropy (8bit):	6.360884439283189
Encrypted:	false
SSDEEP:	768:EVc1GUMB/z6XmY/iee58Aw/KENAMx8oIi:EVcHMBm/ieW8Awrx8oh
MD5:	8AA562F1F7F83A8B158319E1B8B23737
SHA1:	1756B5F811BF675B9889E6DBFD59587CE588E292
SHA-256:	A0C8959D43FFE30B1C11836618313CB760DF6BE71D0F7942F454C83A3DB97E56
SHA-512:	95EC5B8D9AA28582B2880207DA974F9251704A226908B3CA34FC406E20DEB3E485AFBE8306AD397FE020111658C9362EAA045767BCEC04FF0E8A8ADE43E137F0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..\..........r{... ........... ....................................`..................................{..O.......h............h..x&..........0z..T............................................ ............... ..H............text....[... ...\.................. ..`.rsrc...h............^..............@..@.reloc...............f..............@..B................Q{......H.......D>..l;...................y.......................................0..v.........(.......i.Y...i.Zs.........(.......o.....0....(.....3...0o....&..o ...&..Y.+......(......0o!...o ...&..Y.../..o"...6..r...p(#....0............(.......i.Y...i.[.X.Zs.......i.]..-......+....b......%.Y..X....Y..-....($........o.....0....(.....3...0o....&...o ...&+1.....b...Y..bX...Y.X......($.....0o!...o ...&..Y.../..o"...*...0..d.........(.......X...i.3..+.../......+......f...X....i.Y2...i.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NameResolution.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.802466214739294
Encrypted:	false
SSDEEP:	192:tZsxgyrWYLW54nNynC5c77bgfU5izh/y2sE9jBF3A5K+o/REog/fqhIina2:76ZWYLWMNynsAw/98E9VF3AM+o/lhI67
MD5:	BE37452510DDD8D4119420F659F3AF5D
SHA1:	7A3BF5F249D0EA1690FCBDE70B93419EA8B92429
SHA-256:	49101ABDE57C1FABFC9A64F510EA4BA56D9D94073A31DF79DD63A8E4A16F122C
SHA-512:	1A8A1286C1716F3887F53ACDA1E3D4708D4646188D38AD11A0739E140BBF6E62CDBFF7FB74FF99878906664D8BB995F51DF54D537EE44F86A670E1D94C3058E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.NetworkInformation.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.755523281305174
Encrypted:	false
SSDEEP:	192:jk14xPxHWMQW5nNynC5c77bgfU5izh/y2sE9jBF3A5K+oZbhbSQ:w1W1WMQWhNynsAw/98E9VF3AM+oZbJSQ
MD5:	FDD1E2087121402F7982B80036ED38FA
SHA1:	8F80F243F3A39BC92C2AE58089A6C51EEBF4C6B9
SHA-256:	FE995245BC8704828742D876D70F128F28225F1F147882D1604F5EA98011664D
SHA-512:	A970B3CE47E8DC3F057ACBE07BFD2843F10EFD565A3D51127629603A18AAF33872584308F0731BC1CB033B315DA0AD794EA97E1DE7A9FAA0FD1653DF3F62FA6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................I.....@..................................,..O....@..@...............x&...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Ping.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.798134791473813
Encrypted:	false
SSDEEP:	384:jdSWSKWkNynsAw/98E9VF3AM+otIRE6Dgw8:ZOsAw/KENAMxtWPw
MD5:	0EE4034640837B5A297B7EC2FA495E7E
SHA1:	426D37FA2DC8677760ECB26CC40AD274A1FCBFCC
SHA-256:	871FD665D0777D5DE7E1074C10B94468B101073393BBF492494C7A43095862E9
SHA-512:	258E74F9EB5954DDB1D089BD84C0CAF160C340640BA0120CB63FECA5760DD41B17BE2C5D35FE37251028F24084489A5BD738097DC8FD99D32A313917C4F6F166
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................t.....@..................................(..O....@..................x&...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.709061116762274
Encrypted:	false
SSDEEP:	384:LJEYA2WkIW5eNynsAw/98E9VF3AM+om6sYSkg:LyYA87SAw/KENAMxVhg
MD5:	39585D43604151DA57948F9F72596155
SHA1:	8D50DD0DBBCC7D2AF6EDC721DA81CA3577335A0E
SHA-256:	EF0E87FF464D44BF02666B055179E8223ED0CA5F8E0C89A9B1383E0355FC808E
SHA-512:	70903CCDAF4D703372856EF99A6F7DBD73A89833364F349AB8C5C11F75A51C691C520433FD250509BA4AE8F87E65CE01A683EC0AF358BFBB6AE4ECDFE75536CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... .............................."L....@................................. ,..O....@..................x&...`...................................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h......................................BSJB............v4.0.30319......l.......#~..\|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Requests.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.841286175003726
Encrypted:	false
SSDEEP:	192:yl0qgopJ5xBcWe4W5tNynC5c77bgfU5izh/y2sE9jBF3A5K+o0Wv5uO:+JGWe4WLNynsAw/98E9VF3AM+o0CuO
MD5:	1E462D0078A7A85F524B2712CB5A492D
SHA1:	4412E0AA0C9EDC3A7F9720FC95DCAD71B5195076
SHA-256:	F53969E0F3D97F70114F09C599703C6A5BB7D99E0E3525B14949F8402D1EAE4A
SHA-512:	C4575E11555D279A25FA2DDB27A92CA77C65FBB1C5294972853C542194121122D48D6DD327E008A92098CEC966DA4785362185335A4A3E9D6F0F4496C5933119
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................F....@.................................0)..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Security.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.753760471359418
Encrypted:	false
SSDEEP:	384:idW1w3WesW4NynsAw/98E9VF3AM+oVqFUqY:n1wxyAw/KENAMxWdY
MD5:	B5D2952C9CFF1A1676BF4E481EFD781E
SHA1:	E300FF54631C2B542E43DBA360840C1930216B47
SHA-256:	C505B236C397718090AE0D809A626F81406369F5CBD1103C8D3CFEB8C7DEC312
SHA-512:	689A2C5D552FDE7055F65F1709280264C5F635CB962BE41273DC030896133F297C4FC756A7A2D3A757D98D4BCA287AF00DA95714FAE9C22AE736A619945E9C14
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~... ...@....... ..............................O.....@.................................,..O....@..................x&...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.Sockets.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24184
Entropy (8bit):	6.564868716407254
Encrypted:	false
SSDEEP:	384:tylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWZ3NynsAw/9m:typ12Bhkg3qnV/sfdAw/KENAMxe
MD5:	81EC99C2F9A6303260969BF8C98724D7
SHA1:	72A070147DB282D851C4A296E544B262A9754DB7
SHA-256:	782A68E4EDC10CDDB890635DBE8A3EB28794E54A612871A3AA3B30604133DCCB
SHA-512:	A0CE28207C8E87FD0FB8DE005C1F995EDE2CF2D6A7B39E7CF4EA3B97FA40EBE7DDAB67DB71335DFF939E8726514B9C3DB7C147E2A5F159D04F11FE86B33AB2BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............I... ...`....... ....................................@.................................gI..O....`...............8..x&...........H............................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o.......0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+.0..L.......(....~....%-.&~..........s....%.....~....%-.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebHeaderCollection.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.820370634766673
Encrypted:	false
SSDEEP:	192:lSHlx2PW1bW5dSNynC5c77bgfU5izh/y2sE9jBF3A5K+oe35eIt7TO:4HPAW1bW+NynsAw/98E9VF3AM+oGk6G
MD5:	052CFB056EBECAD6FBD350D61430DD9B
SHA1:	92163B48E4A3A783F768199C6EA9F08684D18ED4
SHA-256:	6B1B6B65A4166BE9527E23AED91700765F2EAE38289B37FD692D7B46B38DA245
SHA-512:	D587D61595E4A81F7842D5099AD0497BBCBEDEFEC29DCC9FE54F917FDC604B23E37EBAF87D6739575412658BCEC290073F7AFA1E65726EB61AB7789D083B521A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................K....@..................................(..O....@..P...............x&...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.Client.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.822941184938232
Encrypted:	false
SSDEEP:	384:2NoqWD7W9NynsAw/98E9VF3AM+ocgxsTZj+:2NofQAw/KENAMx+Tp+
MD5:	DE95F541B5A715DCFA5A0C9EC7FD4BC8
SHA1:	427729373EEBE05BB97C2CAF6C12D10DF72E493A
SHA-256:	FBDA510AAC94D5A86A8A20F5A98ECC16E8969FBB5832115B4135C31FC6CB3158
SHA-512:	3F60B61F4BBA91F73B98CA71E1A2CB4BCE12F53C3C2CA2A47BD6A8953E43970DADB8D7BF64372957762D25ADBA2D866A5C626905EB903214ECF832A4252430A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................-....@.................................\|(..O....@..@...............x&...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Net.WebSockets.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.826754168987991
Encrypted:	false
SSDEEP:	384:PGETSAWUEWNNynsAw/98E9VF3AM+o9JmeEX:DT1ZAw/KENAMxnOX
MD5:	62C9BD343A5F5EA9BCBF70712D2CB9AB
SHA1:	712792A39021416B5FB458027F2271D2D0343130
SHA-256:	8A8E53C0B202345E1D2AD119F76A3FEE918BB0EADE953542ACC2AA7FE0FC73E9
SHA-512:	E7FE42307DEDB704AC826395BE1C426D8513817386AFEA5A266B21383A7588444FC9184E4F5F6B406758209B56DF7E35F320FCBF0DE85EF652A2134BEE2CA06F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ....................................@..................................(..O....@..................x&...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Numerics.Vectors.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	109688
Entropy (8bit):	5.497694915208744
Encrypted:	false
SSDEEP:	1536:zPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/NAwrx7:zWw0SUUKBM8aOUiiGw7qa9tK/Nh9
MD5:	B6579B67E12908B6B645473F2B18CE9F
SHA1:	9B174C1C4492736CA0C53D2C8B6BF68DFAAF7734
SHA-256:	72E45DC8F8F1B1E494ED123EC24D29C65409CB02D3DF6EC3A642770A7D85E339
SHA-512:	EF66375DA6EFD9A70E5337E2F006F90A629D9E366E81A93EF16DEFB53A12A861229F2261C4B29ABCB51116B64015839F8FD39C251DA32F21FF8999FFCAFF45FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................Y.....@.................................f...O.......................x&.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..\|?..........$... ...D.........................................(....&.l(....k&.l(....k..l.l(....k..l.l(....k&.l(....k&.l(....k&.l(....kj~....%-.&(....s....%........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....2rG..p.(....2r...p.(....*2r...p.(.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ObjectModel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.81452383070225
Encrypted:	false
SSDEEP:	384:VcDagtDApWSKJWZNynsAw/98E9VF3AM+ozZcRC4L:VPKBGAw/KENAMxEC4L
MD5:	7A377629E56C8ED26BAB3A59FA690291
SHA1:	C686E12B5A40ECC6DEF38A43B23AB8BC2D59D520
SHA-256:	2D3A1E8C155012212C32202191EAE831B55AC594210FCB6B5DE636F5DCA1FC93
SHA-512:	759BE70A811F8E7C05F72E047E231474B360925F2DCDE5C2653753A33EFF470FD041176EE38E9573121CFDCF5F846B6AF669AA6B86F16A42F725EA4F92490E97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ...............................^....@.................................0+..O....@..................x&...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.Extensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.826013555115882
Encrypted:	false
SSDEEP:	192:g6NxhqWD4W5FNynC5c77bgfU5izh/y2sE9jBF3A5K+oc363c7oynKl:NIWD4W7NynsAw/98E9VF3AM+ocqiQl
MD5:	0F4631E8BDA85F9E29006E1932D8250A
SHA1:	34DC20C59265A1873BDEE5ED58EFAB0914F2A92E
SHA-256:	B876AA722D0B7BC1AB5EB045E9589F71FD3D8CB215FA055817CC70AFEE595122
SHA-512:	859FCCE333AB007A1E6B97803D286013AB3D87037AA875B60999D9F820DD566CB9D792FA6A28D910C1AE24CEC8282313F74CB7356358D0C52226CDC12ECAA250
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..@...............x&...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.749149296093035
Encrypted:	false
SSDEEP:	384:AMWzQWeNynsAw/98E9VF3AM+o6xaBDiK6M:A5sAw/KENAMxZBTd
MD5:	8F7B921034F2B402FE3C5137A0ED074B
SHA1:	CBF7FF7CDA20CE8EED3EBE3384CF51CB348AAB76
SHA-256:	2125DC617FC3C0F9ED8ABF6A81AD2C84879A2E85CF490F77D1B552BD961EF4FF
SHA-512:	7ECDF2C2F19AE7F74B5A77F1B7ECE307BB640156D9D8726AF87A541B12856EF1E4E7F02DD76795A3D5A624F6B3A2CFD91EBBB62F43D9AF607170E2B2F870CF22
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N... ...@....... ..............................(1....@..................................)..O....@..@...............x&...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Reflection.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.685505643612645
Encrypted:	false
SSDEEP:	384:9xDHKWAMWqNynsAw/98E9VF3AM+owMbjr:DD8oAw/KENAMxF/
MD5:	852B9F9316AF22C655C07E7799217FF2
SHA1:	68F0629B9E4423FB57186E90AAE0A454A9A14360
SHA-256:	9E2AB8464B924786292B2071277558727580CA36120BA5A06ABEA928692947C3
SHA-512:	C5B982638417DC5FAE7A4B46E1FD8E01E32E47D375C983B1866882FD74AD8B367696D8455F3BE4D34AEB915748BBB16474D63209F16BB0468D6FA212DC79DCE8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................)....@................................. ,..O....@..................x&...`...................................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Reader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.798747827359011
Encrypted:	false
SSDEEP:	192:DiLNXxET0aW6pW5xNynC5c77bgfU5izh/y2sE9jBF3A5K+oNcmb/tM:GLNBEW6pW3NynsAw/98E9VF3AM+oNVM
MD5:	1443F6A8EEF9A444901E785185CB7655
SHA1:	0A2F80A7DEE8D255EA7108A2D214DEA82DE460F3
SHA-256:	49F03E6E67865016F3E737ECC3ACD3823CF8358DE82B6DE19C333ADDADB9AE04
SHA-512:	9407801FBF1C4F2749C51AD2F708FE21A8FA180BF2CF302AAAD8BD832F96A39E3576E2097758DE31D4FEC54068FFA2B9B3E7B7DDFB460B395BF0E717C034F039
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...................................@.................................D(..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...\|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.ResourceManager.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.850973024972137
Encrypted:	false
SSDEEP:	192:KH4Bxs0KHKW/tW5GNynC5c77bgfU5izh/y2sE9jBF3A5K+otmzKZeK:KKkHKW/tWwNynsAw/98E9VF3AM+otBeK
MD5:	3847362E09468FD98808B7AFDF5F8C78
SHA1:	AB83827B969F0C0B7788B913345B3EB78ED2596F
SHA-256:	2F04A544099C77618C103ACD45F07A9A7413BE79D058BD63CD9D13719A306D14
SHA-512:	3C82A5EEBA3A544DC6EAF85F483E4B41945A919502721864FE99C0FC56F06BE3BF132484751D6C0AF7A782C5224DBF22A0F06779EE01E31305B8A31E3E0745AD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..`...............x&...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Resources.Writer.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.794528421431215
Encrypted:	false
SSDEEP:	384:lLnfIWqrW1NynsAw/98E9VF3AM+olAcvPht:lDf4oAw/KENAMxacRt
MD5:	9BE52331123E500B19C8ABBA10D111F7
SHA1:	CE8268641C12F8A49D93320963533152894A3BEB
SHA-256:	1037A3C24F0553478F85E932723BCE664DD81348261CC6CCD666EA364C823311
SHA-512:	D054824957596AA90D48B99A9FB510667532877F1ECD43E72A831482FDDD7444EC702D7715EEDC6517BAFDE3795E736DB1C41BD3B26AF18F4D7449DCFBE689A3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................D(..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...\|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.Unsafe.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18552
Entropy (8bit):	6.5553186262775345
Encrypted:	false
SSDEEP:	384:0ybU8ndrbbT9NWB2W6NynsAw/98E9VF3AM+oOxnpPB:0y5ndvWWAw/KENAMxiB
MD5:	86A94065F362819FBF8E301ECBE70B7C
SHA1:	266C7FF87E8BAACC03FF14B3A0C32BDAC472CEF0
SHA-256:	6BB94A63CE0CD1F099412A0AC607BBB7FDEACE29022F727137A30012BC0CCCA6
SHA-512:	374EFD9748CEA85057C5CBD9BF5B2C3C38941C70F2FD4E09D6E1E1EBFC17850D8A0F04E4AFBD146E5AB6DF2781D602BE38D5617E12C7A3A1BB4BE6273C1AEB19
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Ksa...........!.................6... ...@....@.. ..............................r.....@..................................6..K....@..............."..x&...`.......$............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................6......H.......D%..<...................P ......................................_...+.'g.......x2..}}...B.O....T...e..?.M..R"M.~pg..c..LD#..y.....y....:u.v...#.;.-.h.......0..#.....a5\|T%W...].!.%'..9.0...........q......0..............q.......0..............q.......0..................0......................0......................0............q.............0............q.............0..............0..............0..................0...............*...0..............

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.CompilerServices.VisualC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.775298278205794
Encrypted:	false
SSDEEP:	192:vZhbRtxWl8WK1W5tNynC5c77bgfU5izh/y2sE9jBF3A5K+o1YXgp:Rna8WK1WLNynsAw/98E9VF3AM+o1Ey
MD5:	1A3C61C50CD4ABA5D52B37D3B1D074D3
SHA1:	FD042CB77CEAFDEC8A7937E2987FBD163D0D27C3
SHA-256:	D1E784D6F6963CE19B0CF08155297146DBC2DE560260DF8295326170F675C35A
SHA-512:	EC9F7BDE55E3AC4056C0CC4516828BA5020C7A544853D376EB13DE353E7828F5AD2D39F0DC0314C354253CE7C9DC6B193BA0A1185F45E54EB500690CEBAB0231
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j... ...@....... ..............................-.....@....................................O....@..................x&...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Extensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.7263766519742205
Encrypted:	false
SSDEEP:	192:s3ZxCaSWITW51NynC5c77bgfU5izh/y2sE9jBF3A5K+ot9gYc5yJtV:MBSWITW7NynsAw/98E9VF3AM+ot9vccd
MD5:	3582FC93BB2CEE7D7393E23FD86EF8EA
SHA1:	7EC2EA8FC10BAA014FBD7E4F031CE7EC240D201E
SHA-256:	200653420EF33220A068E7539DFA6413BDDA7E9E6E5A6B886DC33C04F197FFF8
SHA-512:	B1D24C5FEE935D5541D91DA12980BE4AED30C3056C8E25617FB8F90F7EB9492D3BD18E45A72C2E79AD4DF945B713D124B747D57E381D5B0073B669E09976E548
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0................. ...@....... ....................................@..................................)..O....@.. ...............x&...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.......................H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................\|.....\|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Handles.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.84363858504937
Encrypted:	false
SSDEEP:	384:O88cIIWNoW5NynsAw/98E9VF3AM+oJTgwzr:O9cU1Aw/KENAMxF9
MD5:	AF00C1F3716073EB096C9E6D4C2ABAEC
SHA1:	E4B67B9C990780DE0BA6B04FD8135E0AF6183086
SHA-256:	84E08F75719EA8FF039BE6426C1B45F8221434AE3940492F5BF506B1B4A7A9AC
SHA-512:	43C223A6AB454CDBDA7AB2A3139C8089DB9FC5E868452DEBC03891AC2058B014525D00185468585B7A0914CFB801F563DE2DE2D18D9CF7DAD81F5F2270C5E6F7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ..............................V'....@..................................)..O....@..................x&...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..........................................................c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.RuntimeInformation.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	6.587343968018021
Encrypted:	false
SSDEEP:	384:VkUwx9rm5go1fWKmmW6oqN5eWjaWpNynsAw/98E9VF3AM+ogIUus:UrmoFmWdOLAw/KENAMxRU1
MD5:	23B98869CC15308D453BD4CC3AA607D5
SHA1:	9150D38477E91C6650B82C28530C8DB7B12D6C61
SHA-256:	B28A84FCC36021C009677B4E4A2203C6251BFA77C642779CFFD885A9981FFA1C
SHA-512:	ABABC4C0CA972D5DE61BE4B05C9A912B1107E3AC9180ACCDA95C2094C3C346798604E151F5ECCDA7C6654125C74B4BAB22F8316101811DD461296C8BFF6C5502
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ..............................@.....@.................................PE..O....`..x............0..x&...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(....2r/..p.(..........(....2(.....(....^~....-.(.........~.....0..........~..........(.........(....-Y..(!....{/......5..,

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.InteropServices.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18040
Entropy (8bit):	6.641132970838493
Encrypted:	false
SSDEEP:	384:809bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVs6:9OAghbsDCyVnVc3p/i2fBVlAO/BRU+pU
MD5:	DF670A2FC026132E16FD326EA649274B
SHA1:	E1C549D38812BF214AC42D5B709D68EB53A6D08A
SHA-256:	137808252E1B09CA0D4D5AD49AA6139AE97C7ECC7B34913CC15FFC3FECA0B6D5
SHA-512:	6039DAB2B6C9F4BAD2B1F02BBB52AA1FB40389D6826C449832B1F0BD691A45B1C5C911FE05E7BA293DD46E4E71F8207B304BEE208A120BFAF44816213DED4E36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ....................................@................................. 5..O....@..P............ ..x&...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Numerics.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.799703963091259
Encrypted:	false
SSDEEP:	192:cXYx4AW6RW5KNynC5c77bgfU5izh/y2sE9jBF3A5K+oLD4qccege:B7W6RWoNynsAw/98E9VF3AM+oLnO
MD5:	9A4C918A888428711FC14777CC3BA581
SHA1:	F78D53F77A3C761D4AAF9A2C87E9E8AC8610F907
SHA-256:	13401EE9469834BDC68443E03D21E5C6552BF8746984DBBB5B513768B4166910
SHA-512:	A9FCFAC749D9616A0BF26AC1D1CFCD6383ECB77D5A738540684E3D5092A1E717D24216249C42C6CF0815A49C33DE156FB6F5E755182497A47433528FEE48E56E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................T.....@.................................T(..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Formatters.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.891209166584629
Encrypted:	false
SSDEEP:	384:eI5HeWFwTBsWoNynsAw/98E9VF3AM+owYqbEy:eI5HFwTBiAw/KENAMxPq9
MD5:	84844F27E8C759B552B3890152B894E9
SHA1:	75F82746F5C1B551C4F277A5CF38E89EC9AA0332
SHA-256:	EAB7BFD29CF10234C5B4121E16EE0E04ACE51122B01694EF30722F5CB3623C14
SHA-512:	AEB5C3D93A4FEF7986E54FDF97460D45AF5BABF16B951A3433B21D8E37A044E7157CA67F051A34A2125ECE050F5CDAFCE3F988224F83EF6CE58DA752FCC22F83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................e.....@.................................\|)..O....@..................x&...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.85693141400604
Encrypted:	false
SSDEEP:	384:QAJpVWbfkBnWPNynsAw/98E9VF3AM+oyMrP:QAJpWfkBeAw/KENAMxbr
MD5:	24BAD30A62528BDAB4C44D8C74F74B00
SHA1:	45EFEDBD08079235E567A45F122FC0DDA403FF54
SHA-256:	40D5BAC7B8C85ADDF669C64FF649B59464F22C38DD9BDAF9C60FA18C7753C3C9
SHA-512:	3AA31E08E9FAB43EC8D917A60F2ABB033208B9B79CE9B991A09A9CF7C9F0D5859CFF7B95962A158E2DD3A3DFFD4DF0FAA536F8C0F1357A4640B6FA690F1BD771
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ..............................3&....@..................................(..O....@..`...............x&...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20600
Entropy (8bit):	6.506138416265263
Encrypted:	false
SSDEEP:	384:H8R71h7yzt94dHWFgQBVWeHWFyTBVWyNynsAw/98E9VF3AM+o5NgJbSG6vAVJ:y1dyAqgQBfqyTB7Aw/KENAMx5mY1S
MD5:	611E2E9C79A75BEEAF6BBEA5C1A91265
SHA1:	5EB5CF2DC0D798D4C8C86713C1AF7B4446D9FB7C
SHA-256:	8743DECA67DDC20BD6DB0D7D48661834F8A356AFCBCD20AADF269D3EFF83B628
SHA-512:	22603B2D99DA1A09AEE34B74800484E71691004CDDB8DB3EB69AE0F7AA37723B34EE29A6B0F02B36F1CB9BD554590804CA1B0A275866CA73A0A90ECAF5A79CA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... .............................. D....@..................................8..O....@..8..............x&...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......\|!..l............1..p...X7......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(..........(......BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.Serialization.Xml.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18552
Entropy (8bit):	6.649691637935464
Encrypted:	false
SSDEEP:	384:gpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWlNynsAw/98E9VF3AM+owKmxCT:isPMQMI8COYyi4oBNw4tBzAw/KENAMxr
MD5:	EB0C8A9A18464AC1538939147BA49B62
SHA1:	04C1194AFACAA89D2CEBE7E91F08384E113C34ED
SHA-256:	F0127BF62D9BE5350E58B1EB777991514BEBDDCC168B84AF18560797DE1B59B1
SHA-512:	B880B4C6FB39AAA30EC151450E18615881898D5AA86A6D8303779D61D42E4BF51B037DEABF0F652B40379B16C1D59D35AABB2E38C7BEC457B040D392A3378D17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................+.....@..................................3..O....@..............."..x&...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s......s......0...........o....u......,..o......0..%........s..........(....r...p.$o......o....:.(......}......{.....(....z.(....z6.{.....o....:.{......o.....(....z:.{......o.....(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Runtime.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23160
Entropy (8bit):	6.285270818337066
Encrypted:	false
SSDEEP:	384:RbhigwLAuZtM66g/Id7WVXWpNynsAw/98E9VF3AM+oVu46/uL1:RbhzkKs0Aw/KENAMx7F
MD5:	4DBAB58CB2F23F76CA399B2F138F596E
SHA1:	D22D6B66DBE1F1B3816585A5FE4506933978DC54
SHA-256:	DCAD2BF0B05A2DD7B076F66BDC7E0FB083665CDB31E4DB1DAB5EBE0755218928
SHA-512:	09CF13BE20C536074BC999941794C0B22BB4C509587252AACE9F16BC1505CA189D394C851FEADCA651A1841DF5849903FA5FD6F4DB700324BF63404F092D916A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0............"H... ...`....... ....................................@..................................G..O....`...............4..x&...........F............................................... ............... ..H............text...((... ..................... ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8....8.....8.....8.....8.....8.....8..........8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.AccessControl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36472
Entropy (8bit):	6.02704101445968
Encrypted:	false
SSDEEP:	384:zwlIF91FhktexyvaMAdB+w3G5h9MF4YfzMfpcrqmf9wEJqIxVRvFNgfBkyN17xW1:0lM7Ke5/WBkyN1hjAw/KENAMxeHt3
MD5:	CEAD36FA906FC56AD5946BAC493BCF2D
SHA1:	20B2DE6A2CBFE4FC7F9564FC3B15F1FB0C7C7C6C
SHA-256:	D75A3DFF9633C972D02BC90114F6176E313DA324B7089885DCF65E60A5A9E4FB
SHA-512:	FDA60748E22F269240FFAB86A24D40343984F301EB5C88091F1D8D2690E5C0422AD59D720290A95A46CEEEF7B62F88FEA8AF4595EB90BD25014EF5435FA71850
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..Z...........x... ........... ...............................m....`..................................x..O....................h..x&...........w..T............................................ ............... ..H............text....X... ...Z.................. ..`.rsrc................\..............@..@.reloc...............f..............@..B.................x......H........%..p5..........P[.......w.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Claims.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.83127851282601
Encrypted:	false
SSDEEP:	384:BUcX6W9aWyNynsAw/98E9VF3AM+okHcXJDdO:BUchKAw/KENAMxHXm
MD5:	3A9BBBF608319EE89F7ED85033599026
SHA1:	6BCFFF5C50240B492F2DDF54985B5E1BE4683ACE
SHA-256:	87C639DC728F28E94F34B982484FF0697E0CD8A6145C5ACC69309C24D03D39EE
SHA-512:	0AA1F9404307874C530695C84121675311DD3692EDFF17414100786B0B8E48D31CED34F1ACD3978B91ECE0E0A535EA580BE48D791BBB9FF2544ECCC26E4F638C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ..............................[.....@..................................(..O....@..................x&...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Algorithms.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40568
Entropy (8bit):	5.928667341181298
Encrypted:	false
SSDEEP:	768:ZoBj7kS+8mjvHTeaWKs0Sd4eeKAw/KENAMxTJ:kPmb9WKs0PeeKAwrxd
MD5:	878CDEB55237E7F927E03A79364C30F8
SHA1:	C2BB2C2566E92A18B2BDEE85ACD2926910AB3235
SHA-256:	1A52EFEB908EDFB488B8E2F38091868AAD3C6ABD000DF175E97FBF665A7A67D4
SHA-512:	993B5A5CF6CB292DF09C992C45AA153DA18DA059773C7BCC3E118BDBFEAD1683ADF9577E10393F414189F11C5C0E755077513E263149968A2D32D47D7EDEDADE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ....................................@.................................u...O.......8............x..x&........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(....2rI..p.(....2r...p.(....2r...p.(....2r...p.(....2r...p.(....2r9..p.(....2rm..p.(....2r...p.(....2r...p.(....*2r=..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Cng.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.657442837796879
Encrypted:	false
SSDEEP:	384:RVdtuO/q3p4YN5XYwWCfW6KNynsAw/98E9VF3AM+o1OWtA:RVJSZBXY4PeAw/KENAMxMf
MD5:	40F67BD53DCF7B6F3CCE1969E1F6255E
SHA1:	B51F75F4E64E076C492B51FCD6D5F9BB1297D500
SHA-256:	65558AC0370B35654658FEFA24EBA5707D65A002DD1F09F652AB19B7EDCB8309
SHA-512:	1BBD94B5BA1E30461A7F3C2EE5B04DC1D8C6AE07ACE3663EF18F655F74804ECB9989E2A5B82F07F3A20D38DC2ADF90EE3E632B213A1A4309E00744D63748108E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q............." ..0.............j:... ...@....... ..............................."....`..................................:..O....@...............&..x&...`.......9..T............................................ ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B................L:......H.......\|!..............t6.. ....8......................................:.(......}......{...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....*..BSJB............v4.0.30319......l.......#~..@.......#Strings....T.......#US.X.......#GUID...h.......#Blob...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Csp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.860155615618461
Encrypted:	false
SSDEEP:	384:pTI2pWPzW1NynsAw/98E9VF3AM+oCUK8xSB:pE3YAw/KENAMxVHEB
MD5:	F876FF71936F54A0EDD0C30A17520DB7
SHA1:	A24725FD2C369B3E274AFEA3BFFC5A8B54EC1FE1
SHA-256:	D261C59A3D1E8C705BD07B6A7315F9138B6E424CE87BA0831830FAF8B8A22777
SHA-512:	31C716473802EDFD654BCD8DDA48693D820AB1DDCE7E98149D53648ADE098B5E1C24A7DA652AE3F20E7969E9F3BF2E894E0F64FA8D356B8C98EE81E7AA2F8E84
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ..............................m.....@..................................)..O....@..`...............x&...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Encoding.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.877862486416002
Encrypted:	false
SSDEEP:	384:3wcezoy4W04W7uNynsAw/98E9VF3AM+oJzC13Gwo:3wBzoy+4Aw/KENAMxA125
MD5:	3F91797CB11A3FC27B04C953A8B7C6BB
SHA1:	D434AE98E225127B28135B3A98225730D5A86CBE
SHA-256:	DE7FB32BD621DEB5BC307E2EB6361D88078F00CEFA1F51FCA5455B70F7B0EFB0
SHA-512:	7E9F0203D337C5204D1911D3E51327A2990DE5835DF1BA4E3514F6BDF043868A71F256CE7D6319D25FF9B1FE72BFE4F1A20F7044E6DD18846DC3CE733C045A0F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ....................................@.................................,)..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Pkcs.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20600
Entropy (8bit):	6.620024662539063
Encrypted:	false
SSDEEP:	384:hyBGXZp94Yi06W82WLNynsAw/98E9VF3AM+owI0dnN1:omZp9Zw5Aw/KENAMxGNz
MD5:	1FCC1C169760520C4C54DDA128A24242
SHA1:	93E2C48D9A08CEA0FB065CA5F656F8CF6A506057
SHA-256:	A84D8BBA3EF92307350E403D2F0A696D5E5F9AAEE97DA5E868C591453EA47C87
SHA-512:	364D7893B921A17911C41A9B9180F80E2A1E8219F1BEE81CBCB01EBD650E8B678304D677979FA9AC79C8DBED97DBF095CCE6133AD32642409602899BF7F9FA63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....J..........." ..0.............Z=... ...@....... ..............................p.....`..................................=..O....@..X..............x&...`.......<..T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...X....@....... ..............@..@.reloc.......`.......(..............@..B................;=......H........!..............d9.. ....;......................................:.(......}......{...."..(...."..(...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....BSJB............v4.0.30319......l...h...#~......0...#Strings............#US.........#GUID...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.764274222085067
Encrypted:	false
SSDEEP:	384:8H/JWKpWUNynsAw/98E9VF3AM+oWg/JvT:8H/jRAw/KENAMxj
MD5:	0AAE1C1DE4333907FAE50DDF1DB12218
SHA1:	BEC0F157AE275898125CFF372F93C263AE9C31C5
SHA-256:	016151AA31B7D9E94AF676A86D30C1E692A208BCB8296490F3F6F7FA6BAD3152
SHA-512:	D8D6C2E77C7835F34AD7C13868B69E563520D9D2AC421229DCA6697553AB2EC06AB4342093C9F0C454B478093665F19F2DCD1F2EFCB2B6C16FD816D9CAE623AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."... ...@....... ..............................5G....@..................................)..O....@..................x&...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.ProtectedData.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.69491838175693
Encrypted:	false
SSDEEP:	384:r4YlS5PWAb6jDWANynsAw/98E9VF3AM+oHBMtKmnV:rmYzAw/KENAMxhPmnV
MD5:	D89463E1E17016DE1F4FE84C0B514B27
SHA1:	C94AB6CB702A820D9FBDB2E3925015FAF290A4AF
SHA-256:	7F0F76F174B718C1D8B992979155732F9B8E07DC120DEDEE79F91A7146B15167
SHA-512:	EA385CE6D86536BBC66DC047BC213C41C3AA0F54790D597B3CAE7ECE927BD517AC1740BC11670A562B58485BE7B4BD13A15986CED6E72667CCE7A0CAE7225F6C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.W..........." ..0..............9... ...@....... ...............................>....`.................................M9..O....@...............&..x&...`......88..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................9......H........!...............5..0....7......................................:.(......}......{...."..(...."..(...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.X509Certificates.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16504
Entropy (8bit):	6.708575388166733
Encrypted:	false
SSDEEP:	384:qTjbocNsWMhWlNynsAw/98E9VF3AM+oCyX2CzP7:6boYyOAw/KENAMx1xP7
MD5:	0073A417F88C73407F2124CA57E4D011
SHA1:	AD625B63D74D328EBD124F4882EED297FAB73DAE
SHA-256:	6B42C68D96000032855929E59A7D5F75B73394F2303C0D464431BC7B296AB06F
SHA-512:	2B5E68AE9DD28A5072292AA35C6D960899ED8B390489C74EF0567FFBC3C6A2456CAF66230A42894187C05B5753D05B0AC0F3300ED458FCE44F694474A0865E19
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ...............................{....@..................................-..O....@..................x&...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......\|...#Strings....x.......#US.\|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Cryptography.Xml.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50296
Entropy (8bit):	5.750256222344879
Encrypted:	false
SSDEEP:	768:3szrvuWznnuJlMeEM8Hy8d4Vx50lAhDVC+nAw/KENAMxFX:3grvuqcP8RE5tQ+nAwrxh
MD5:	0D5BD24B153FBF19B5FAA25554D87D2F
SHA1:	2547079F34BADB1ED41CFB17D7BA3448DA3D8060
SHA-256:	F5F727930DC0FDE8511C4568874F614F0354886B0B66DA65B8D42D8C7E4DCC08
SHA-512:	F1066E36F9165702E9EEC4467A9C390387630DF1C5F01CAD920D1A2061C67B7BD384CE0FAFEDCFAF4AE915B10C707DA55E575E502F308F400211B047123D811E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ...............................M....`.....................................O.......4...............x&..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B.......................H........&...K...........q.. ............................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Permissions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28280
Entropy (8bit):	6.296144084455538
Encrypted:	false
SSDEEP:	768:247XzsCggQsW7Sl8xjP/QZxAw/KENAMxpH:97XgpRxb/kxAwrxV
MD5:	79FAB408058D41DFBDC234A2F3802B40
SHA1:	617081620EE30624B8CD0D79F643E59D014A832E
SHA-256:	4A0E6B65C47717C0D1A401D26297AA9D3EA9AB067E1278265020868F3991407A
SHA-512:	108BAECE97628B6B1940D9C09C8D556EABEFD150A2A0D71697E8F805F2EE34C37F50DF5B832704FFFADBE3635EDA7EB3F2ED2364AA46A14EC6703AB15220B06B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0............." ..0..>..........r]... ...`....... ...............................(....`..................................]..O....`...............H..x&..........(\..T............................................ ............... ..H............text...x=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B................S]......H........#...2..........0U..x....[.......................................~......0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......(.....(....,.r...p......%...%...%...(........(.....(....,"r...p......%...%...%...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.Windows.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.676666908067431
Encrypted:	false
SSDEEP:	384:LEwo6eTs14YY4cWpOWhNynsAw/98E9VF3AM+oKmAg3hl:gwDdTfAw/KENAMxHb
MD5:	0CBF033D3E3183250963341C27217516
SHA1:	7F6E4850274F5EF5387992DB75FFF94E2B77DDB1
SHA-256:	4CEEE731F4D1C91C3CF7A1AEEEAB01C85BED5252D74DB0502FC1D9745B0ADBD1
SHA-512:	F1742D2E53FB58E8D147BA3C738F97AD11BE0394CF09754EE90097FE3E268219361F3C3831B151B80FC8FB5411850B558933BF2BC3510D2BD6E506DE187BED1D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r..........." ..0.............V8... ...@....... ..............................2t....`..................................8..O....@...............$..x&...`.......6..T............................................ ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................68......H.......\|!..............\4.. ...\|6......................................:.(......}......{...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....*..BSJB............v4.0.30319......l.......#~..@.......#Strings....8.......#US.<.......#GUID...L.......#Blob...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.Principal.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.812772290153741
Encrypted:	false
SSDEEP:	192:cbfExAJsjWVWhW5NNynC5c77bgfU5izh/y2sE9jBF3A5K+oTnYgIW47U:QSKiWIhWvNynsAw/98E9VF3AM+oTYK4A
MD5:	97ABC1C2548B77B2E2D7ABADAFEA5661
SHA1:	9A020B6B4539AEA94242AC691F946AC8726F9AA2
SHA-256:	9F14F48B0C9AB82269EA68100B453F3E928CBE7B74B17E8AE352E2413B65AD7D
SHA-512:	B8C9CA839FD0827C8659EC45B99068734D489A4AE256285FC9210562CBCC566505F1062A93C231AA1ECDFE3F66DD36F5F26EB944EF8E480AACCDF0CF42078AC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................4.....@.................................t(..O....@.. ...............x&...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Security.SecureString.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.752816380482549
Encrypted:	false
SSDEEP:	384:t0KbZWApWmWTpWMNynsAw/98E9VF3AM+oLVi4/oT:mKRyFAw/KENAMxR0T
MD5:	8F2FDDB5D8824F754561E0D51C09ADFB
SHA1:	64E6D976CA9FFFFBEDCF9CA48A977F79E2683998
SHA-256:	3C42C2CF017A67C562B02DAC9B27EB1A15179EC21A99F76E8D48420D0A3F22DE
SHA-512:	00924C5D9EF2D520587B3789444CC99A2366D92CBC35332B9D480BA97C91C2562A0788A6AE2E30C32F8CAF5D200F2C0FFDD041321853FC437C89A472AF250F59
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ...................................@.................................>)..O....@..................x&...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(......(......(......(....BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Duplex.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.830892468749879
Encrypted:	false
SSDEEP:	384:qLH9W5nOWlNynsAw/98E9VF3AM+oPwjfg:qL4zAw/KENAMxUI
MD5:	83CB1D599FD6F99CAD5F697095D865D0
SHA1:	FE3DB7AA4211FA879D4510028A1714416904F868
SHA-256:	57D1BCD4EA2A900435FED735B13E8C19C2062860D5843B6D3B5F57C296C86DFA
SHA-512:	B0280A5B00871B5B896750C454C3C8FCC3757DAD525D34589344669CE215467BD72216CA53B0AEBD8F79D3D8BDAA1EF2243596BEF2C4AF7AAB70525E412FE63C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y............" ..0..............)... ...@....... ....................................`..................................(..O....@..p...............x&...`.......'..T............................................ ............... ..H............text...$.... ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..D.......#Strings............#US.........#GUID.......$...#Blob......................3................................................*.0.....0...g.....P...........M...........c.......................J.....{.....~.......+...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....+.8...+.N...3.d...;.....C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Http.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.731623631672993
Encrypted:	false
SSDEEP:	384:vlbWvX+W1NynsAw/98E9VF3AM+opp8IUaR:v2zAw/KENAMxUTQ
MD5:	43B88AD905320EDDFFDB300BFB0C7607
SHA1:	BD01F62F287C9E3AF2702C222D32B3A6A220C32D
SHA-256:	53D4596B6FA65FFCB8CEA3D14277F4EFFBD6486D62E368F9800FF267E0D80E21
SHA-512:	C084BD89871103F016F4F4DC3FBC8A9181875B4CA9C77049FCA93C15303B236CB8D5372B132336A53D3A1B38F3C7EA0CFED644F6CD7944628BEB19D4BD9D708E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............,... ...@....... ...............................Z....`.................................L,..O....@..`...............x&...`......\+..T............................................ ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...8...#~..........#Strings....T.......#US.X.......#GUID...h...$...#Blob......................3................................................}.t.....t.....a........._.......................B.................................................[.....[.....[...).[...1.[...9.[...A.[...I.[...Q.[...Y.[...a.[...i.[...q.[.......................#.....+.....+.6...+.L...3.b...;.}...C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.NetTcp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.7435232005817705
Encrypted:	false
SSDEEP:	384:g2mtX7WWRvWWbNynsAw/98E9VF3AM+oAYRKInL:g28XdpAw/KENAMxA9IL
MD5:	66C4D55F42EBC70A6DE3207F1DA5F9E2
SHA1:	D2C4E19537BF6735B0B0756F485562F5383E2B8F
SHA-256:	5B1B468C4728F6940E79E7F4BAAB1527E910A67B8505A5D435D36C914A7C5E81
SHA-512:	8C9395BD6E0BE9C23AF9AA4D7B0102D11551D5F151D2404F000B61E666A5E141BE85B0A60554C3A596CA04B56D40E190C8303532AFF312326CCFA0AF84C8A762
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>c..........." ..0............."... ...@....... ....................................`..................................)..O....@..p...............x&...`.......(..T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.......................H.......P ......................\(......................................BSJB............v4.0.30319......l... ...#~......H...#Strings............#US.........#GUID.......$...#Blob......................3..................................................4...q.4...E.!...T...........+.....X.....'...........p.................Y.....B...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....+.8...+.N...3.d...;.....C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Primitives.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	6.380701911914726
Encrypted:	false
SSDEEP:	384:L8h2IgODoeNlPSCqWvVEWiXNynsAw/98E9VF3AM+oV7+q:Az1zNlFBw9Aw/KENAMxFf
MD5:	B971F94A143BC5BC9A1F8523DC01BC78
SHA1:	3E9FCBE852D1F71A25B69215E997489AC6642FF4
SHA-256:	B3C4676FCDC974B4E687A3F1279C16B57ED71C8E9EBAF3446D17D3A3535D6913
SHA-512:	2A6F82CDBAF6A64024EC3463E92A03C36443C088C5BF0BC317500FB6E615C59BF8D8A76D246FFB2E19028CDF06C2ACB3E89E5DED59958BFF2C357CF4ABCA6147
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........D... ...`....... ....................................`.................................xD..O....`...............0..x&..........\|C..T............................................ ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc..............................@..B.................D......H.......P ..."...................B......................................BSJB............v4.0.30319......l.......#~..,...D...#Strings....p ......#US.t ......#GUID.... ..(...#Blob......................3......................................I...............\...................t.....t...C.t.....t...\.t.....t...6.t.....t.....t.....l.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+. ...+.<...+.R...3.h...;.....C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Security.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.779518248411495
Encrypted:	false
SSDEEP:	192:1LQfnRbxpxmM8RW1JgWgNynC5c77bgfU5izh/y2sE9jBF3A5K+oMAF2Gyri9:uLkW1JgWgNynsAw/98E9VF3AM+oMAIrK
MD5:	CAE322189CA3D46F761B17856ADEA9C3
SHA1:	AFD2B2AC58C87CA2A533C3AC7BEC2AEC5813D568
SHA-256:	BA05951631EB5C7A14AF11E22F7918EDB84A9D16F01B6E16CA6AF16F9C47270F
SHA-512:	295007F75B79DF727D19F741296E64193605849DEDB53EC7DA0B7C9EE8F30DC6E8CC268330A99F8045E5DE84A70F6CD296FE00555AE7CA2DD151DAB2B008935F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....1..........." ..0.............V-... ...@....... ....................................`..................................-..O....@..................x&...`.......,..T............................................ ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8-......H.......P ..<....................+......................................BSJB............v4.0.30319......l...<...#~......X...#Strings............#US.........#GUID.......(...#Blob......................3................................................:.............................w...........s.......................Z.............%.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....+.:...+.P...3.f...;.....C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceModel.Syndication.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18040
Entropy (8bit):	6.687632656062443
Encrypted:	false
SSDEEP:	384:SISW5NW2eWoNynsAw/98E9VF3AM+oZ9Uex:S+5b0Aw/KENAMx/
MD5:	D489B81E4B2AC53329ED5ECCC3E2BDE1
SHA1:	8E19E2E9713CA6F03902A4F1CBB23E3BE0897A20
SHA-256:	9C82C3EB24AF41FF91287044F2F8A2AED768D21E097FDD17FF8AF3BF204F630F
SHA-512:	AA3F5499DEFFF5C0123E8369270A095DD69C79156DA04579106B5A0D991B1B90F3DCEBAC0ED85807032FCF80BFF05D14F89824293D19AD5AC753B75BB34383D3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............4... ...@....... ....................................`................................./4..O....@............... ..x&...`......83..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................c4......H........ ...............0.. ....2......................................:.(......}......{...."..(...."..(...."..(...."..(...."..(....*BSJB............v4.0.30319......l.......#~..........#Strings....\.......#US.`.......#GUID...p.......#Blob...........W..........3........................................................".........................q.......................B...................q...........q...X.q...'.q.....q...K.q...h.q.....q.....q...............%.....y.......{.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ServiceProcess.ServiceController.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20088
Entropy (8bit):	6.66925264972845
Encrypted:	false
SSDEEP:	384:FxO4YkTdk8VKWCWV1upaWrNynsAw/98E9VF3AM+o5Mt7RS0V:FxOSQvAw/KENAMx6bV
MD5:	103567D8A56216766AC0646EA486A79E
SHA1:	DF78AF4DFF1E8DD2E084CCBD3859C85D0AFF734A
SHA-256:	686361F21BBD129A90014B3E37EBE3D1F0203CEB5C869F372943C62B6C385045
SHA-512:	4EBEE7B5EEE320E5639E7BA7BE4AD8DEF9D6C340F61C7287FF407DFFDA13317C46DC2E1D4C617732ACE53BAED75DEB354F2886869CB5E953C243F44CAD786F6F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............" ..0.............;... ...@....... ...............................[....`..................................:..O....@...............(..x&...`.......9..T............................................ ............... ..H............text...0.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................;......H........!...............7..0...H9......................................:.(......}......{...."..(...."..(...."..(...."..(...."..(......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(...........%...}....:.(......}......{....z.(......}...........%...}....V.(......}......}......{......{....BSJB............v4.0.30319......l...4...#~......T...#Strings............#US.........#GUID...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.CodePages.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	762488
Entropy (8bit):	7.475769495794539
Encrypted:	false
SSDEEP:	12288:6ILs7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPqNW:rG9km6k/IwRYbiBeKGCzNW
MD5:	7D182117A290F9BC9A31B0F90349285D
SHA1:	6F37B038D38C8C3BAD6D1812DF73BAC573154CED
SHA-256:	75D1673032619F09DD90CCE9464A3BC83BDC548DEE5E77E89758AD4FAC36D570
SHA-512:	A5DC49B0F1B7D727AC3928DAB189D4410193BAB7052C771231BD5CAC99CE3A331275E28B3E5686C49E19E14B81F1FB8C1E45655335AD0EAB2F865E7A8F4AF7D6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....mo..........." ..0..p..........n^... ........... ..............................Ct....`..................................^..O....................\|..x&...........]..T............................................ ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............z..............@..B................M^......H.......H....$..........<...`....\........................................(....^.(.......5...%...}....:.(......}....:.(......}....:.(......}.....~.....0..........(....,....(.....o.......&.................!....0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....( .....(!.....(....,.r...p......%...%...(.......("...*.(...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.Extensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.839867347837885
Encrypted:	false
SSDEEP:	384:0b1nWCXWKNynsAw/98E9VF3AM+orDpZ8Ey:m71Aw/KENAMxXby
MD5:	A340A10E155A27633CF33467E146F2D6
SHA1:	06AE6789B023691EB1EF717BBB2D709B294C4A42
SHA-256:	8D3CD833AA33260C2B9908B1AD8100A37F04C8720672FDB1D373D8FEF0511565
SHA-512:	13A227B6CFC589A34F3784576924841D8F1F8CB244CC175FC34E53983E392D9E802E4E24D8A0049537223F69BCD2A92EB1C4E6D91B404B546704C14F868CB7FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................{.....@..................................(..O....@..T...............x&...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.Encoding.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.741043401587969
Encrypted:	false
SSDEEP:	192:cuS6cYxmPlW7TW58NynC5c77bgfU5izh/y2sE9jBF3A5K+og+TgTpg2UB:5NyW7TWaNynsAw/98E9VF3AM+oRJ2U
MD5:	C0897B1F91FD391377925DDB9C57407D
SHA1:	F12E83E5708FB473485AEF510F7C759BA69308E2
SHA-256:	E2BBF9A4EA4D49AA8567F38E68E20D275C712554BA2B90644F94F69613CC9C3D
SHA-512:	6A18121D3CC718C5E8E856BF8EDF2245ADB7C92EC9857EAF16910603C35A9E771CC49310F0F542E5F70ABEF1B6CC5A6AC2F88FD4CD12C64BF3BC404E81D8DB89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2... ...@....... ..............................t.....@..................................)..O....@..................x&...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Text.RegularExpressions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.877685265919291
Encrypted:	false
SSDEEP:	384:w6Rb32WVzWwNynsAw/98E9VF3AM+ogBBuQ2Wl:/Rb3djAw/KENAMxgXuy
MD5:	46B0396243BAAD194F68DEA66188A11B
SHA1:	629AECD36F51BB5A8C39D5911341CB9D57C2D0CE
SHA-256:	12769E1866A8969BABC6633D512C11548F680C91C6AC232C776DB9B11508BE05
SHA-512:	34A24B1C88F8A2EC296FB4076300F19B279C7A6D8AC61A4AF270157BC34659219D99D97E5D8A6D37B222A39D20F07E3A7FA238F08FF3413CB95C3C06A0D8041F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...................................@.................................t)..O....@..P...............x&...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.AccessControl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30840
Entropy (8bit):	6.292384709277756
Encrypted:	false
SSDEEP:	384:dMTiavAbgFWyO5XIu+TJSl2Yd5zcNEkUr6ODA7WpOWNNynsAw/98E9VF3AM+oDVb:dMWavA+YHfsZta7Aw/KENAMxZ
MD5:	6C8F2E11334A7FB37048848983E3CBC1
SHA1:	02AA6C83ADD5F440A08E332DA47E7BE0ADCEF219
SHA-256:	A97164C81078C2CDB05FBF3289067C2444852BB5CF4964703B582FF6794580DA
SHA-512:	600499D84C46918963122C34882B682829907D7D3EE48EF8B14D65B8578936EB5D51C736A70E38EFAC381D6BED0D507B191D5B5E1E76019095457D29C1F71B4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..D..........zb... ........... ....................................`.................................%b..O.......l............R..x&..........(a..T............................................ ............... ..H............text....B... ...D.................. ..`.rsrc...l............F..............@..@.reloc...............P..............@..B................Yb......H........%..$-...........R.......`........................................(....^.(..........%...}....:.(......}....:.(......}....:.(......}.....~.....0..........(....,....(.....o.......&......................0...........(.......(....-..,....(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(......,&(....,..r...pr...p.(....(......(......(....,.r...p......%...%...(.......( ....(...

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Overlapped.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31352
Entropy (8bit):	6.517715270848095
Encrypted:	false
SSDEEP:	768:Cu5I+sqOylryry8qqIfUc7a56Aw/KENAMxYu:CYIVBpry8qqIfUcm56Awrxp
MD5:	BE06F93317FC4EA84644C9E8D56180A4
SHA1:	181A5B573CA0AC284C7A14EEA048253160AA1011
SHA-256:	11979E6ECAF37D668B07BD7C4BC55FC4A6BC896625CC50F534EF505EE1683677
SHA-512:	E0507CC1611428FA4035353AD3AB0D89ED84E120608770EB6F03A08719A1CC4269EF3188BB00CFB751EA39C36CD7E566B658339DA3D3CFADFFD676ADDA5DBB91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ....................................@..................................c..O.......x............T..x&...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(....2r...p.(....2rK..p.(....2ry..p.(....2r...p.(....2r...p.(....2rc..p.(..........(......0..;........\|....(......./......(....o....s

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Extensions.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	26744
Entropy (8bit):	6.477744990592157
Encrypted:	false
SSDEEP:	384:KR973o62/KqcAnb05J3w0I5eUGef8s72XBWdvVW2JW8ahNynsAw/98E9VF3AM+oG:KRZ4nNxnYTb6BlheAw/KENAMxp8
MD5:	07ABBB6F49CDE898CBF23EAC21359CC6
SHA1:	23220BCBF88085A154DB0BCBE60A6247CC4D5340
SHA-256:	0BE444675E7F293D3F0E94155CCE9163C568935D265D46B21135BA6AA56AD778
SHA-512:	0B9F117581B830B952D83F9663784F6CE1236045AD90E6D7377EA4776B30DE7EDF06730A5A11D0DA7B5B1DDC14F1D07615F9EA5A9010B26B3EED78F79BDC9595
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..8...........V... ...`....... ..............................70....@..................................V..O....`...............B..x&..........PU............................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................V......H........0...$...................T........................................(......(....z..(....z2.(....s....2.(....s....:........o.....~....~.-..(......}......}......}....~.-..(......}......}......}....Z..}......}......}....J.{....%-.&.o....^.u....,........(.....~.{.....{....3..{.....{.......&...(....2...(...........0..'........{......,..u....%-.&..(...+(....(....n.{....,..(....s.....q......0..a.........{....o0.....,;..{....o2...(......;...3.~.......s......

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.Parallel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.83784935112597
Encrypted:	false
SSDEEP:	384:Lvn4HREpWiQWeNynsAw/98E9VF3AM+oIatmN:sS4Aw/KENAMxc
MD5:	91ABFC366081F089CCA68DE22274FBC5
SHA1:	784622556E693ED9F0C9FC1BEE3FC7B7D175EDC5
SHA-256:	E78F0949A8264A224C4D20F2A600ACAEC3A4B15E1305867167BB5C9CAA937071
SHA-512:	C645DF0D8810F204FDB918F87BB43AE3E93F8DFD818A8FADE210C1DA530E377253E2700EC66165F161A4F5D47E9D0516ACB3D8410C7CA9A2D50C9CAC11861A8A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................ii....@..................................(..O....@..P...............x&...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....\|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Tasks.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.7359529470525
Encrypted:	false
SSDEEP:	384:28MjKb47T3UCcqFMkJ59WdtWHNynsAw/98E9VF3AM+oDF/D:zMjKb4vcGdOQAw/KENAMxdD
MD5:	36A2535B7893BFB040EC11EA489AF3AE
SHA1:	7A9F7E26CA0B3000090114107469C584EE672116
SHA-256:	6E4AA2C43F8375CEDA88A38BD7064EFB18AE434240DAC3DF686ECF494E43EEA6
SHA-512:	C0A7AF9438628F912CB7A931DEBE945D55522D121C8B20099DEB8336FB509A471BD1C5F94D398BB1BC5B50E627475D19DA45A504490A68B51AC9D18BDCE1270E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ....................................@.................................`,..O....@..................x&...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Thread.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.82758098384678
Encrypted:	false
SSDEEP:	384:nzyNXd4+BW6FWFNynsAw/98E9VF3AM+o0PkUpEEQ8:WzCAw/KENAMxqS8
MD5:	F4A0A9126577138FC86D0C8E1A7BB36F
SHA1:	A6829791CF77717A3D9D521EE4BF5B7A702AA6A5
SHA-256:	70D518C3D3E35088ADB1918C98999308EAD8DBAD798EC526D5783B569741220D
SHA-512:	B36380AEB05B9B4022A293A40CD86C58AF2DCF40C722D9EBEA47A80D92DD6EC7B233261167A5BD5717405546580A936319D1AECBB12D1896CD5AD8E0906F43AD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................[....@..................................(..O....@..................x&...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.ThreadPool.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.8268422866715355
Encrypted:	false
SSDEEP:	384:dvs2Q3HKJNrWWRWhNynsAw/98E9VF3AM+ogHf4:duMOAw/KENAMxMw
MD5:	B7A5D03B0D3A95D675E2673D5F4BDD8D
SHA1:	DAAC44E9A99F557EBFBEC5AC9516E7853ACC9EB0
SHA-256:	52DC737C5573E70C3C65040682E3193B5D9AAC038CE1168CBAFE85BD3AC6D0B0
SHA-512:	BA8A4916E9CE3500A152053EE22A2C770AA5637A5084D91D1AB30FCFA34CCFBF8F586BCBABC7B615100710DD7F026255B877300DCF32642064B129B922B1FE87
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................xD....@..................................(..O....@..4...............x&...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.Timer.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.798426470614825
Encrypted:	false
SSDEEP:	384:nFz0Q6gcqRhcsMWdMW2NynsAw/98E9VF3AM+oQRluKa:nFz1c6QAw/KENAMxLKa
MD5:	D312288B9AF12F8108C7301D544E9D29
SHA1:	BCA5146A140CB3D87A2CF4AF02188CBCE7949126
SHA-256:	733398F58FE97DF4D2701109C1219C4A469B8767A5719B1F971519D00D2851E2
SHA-512:	5C77903D878CBA6D93CC040310AE5E4E1A66075B314553B759AE3E2636B01EE44BE03DC50183D21E4BE5C548185D1809634F1795407D09BE11C772D324FCF333
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................\|n....@.................................L(..O....@..................x&...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Threading.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15992
Entropy (8bit):	6.683083056242192
Encrypted:	false
SSDEEP:	384:V6xWA3W4aW/NWJNynsAw/98E9VF3AM+olHSDWDa:VaBeAw/KENAMxZSDf
MD5:	6A3F1CF32372E619411DD944FE0D9F1C
SHA1:	C17875ED6CF381D1C2A891DD24BC173FB45A86D5
SHA-256:	862DADD73E81D52F8834019729BAAB5BBB038B22C45EC424B7FA62D79F64C3CB
SHA-512:	46DC98BE1BAFC34C2D81D36FEE424F3A43C7E415830B197B586F9E19740B45C5EECE4B95A53539AC3FCD6AC1FA42681818383D70D21027913BA257FC74C7A7B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ...............................v....@..................................+..O....@..................x&...`...................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .............................................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.ValueTuple.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	72824
Entropy (8bit):	5.903079405404375
Encrypted:	false
SSDEEP:	1536:2Iumja0tbe16pSc45EfL+4vD4SuJbhjXuE3FMqF1KAy4kHo05ureseh79uAwrxDL:2IuAaGbeGq5rKASI0IChuh5
MD5:	51CFFFFCEFDE607AC147F549A8B2D3AA
SHA1:	7F929295086CEFED0302D849B5827EAE713D5F56
SHA-256:	57EEBE934492D36EFB26B70AF223F970EC32E4BD44C2A4FC8159356EDF56E5ED
SHA-512:	1D843FD5F65F3E49E7012460B0FA3C167A02E931BD348C5794F115424679CA65E2C2E26A9A6A1CDEC975D3A9FFD93E10DF718529C76325AF3135B0FA2CFEDC4C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............~.... ... ....... .......................`......9.....@.................................,...O.... ..x...............x&...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...x.... ......................@..@.reloc.......@......................@..B................`.......H.......................d.......t.......................................6..o.........f..o...........o............o...........o...........o............o...........o...........o ...........o!...........o"..........o#..........o$...........o%...........o&............0..L.........o'..........o(..........o)...........o...........o+...........o,.........0..Y.........o-..........o...........o/...........o0...........o1...........o2...........o3.... .......0..k.........o4....

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Web.Services.Description.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	17016
Entropy (8bit):	6.671631560296386
Encrypted:	false
SSDEEP:	384:p7vx21MWeLqWMNynsAw/98E9VF3AM+o/iQO:BJ2WMAw/KENAMxc
MD5:	311A900E476D53ACE3A03DAC3311EA41
SHA1:	0433FB1888E5DB73D9104CB295EF2D35F97F0AEB
SHA-256:	18C75B15D4551933B01229287F72A10315A2D7AEFFA308805BC2AC4CBA5892DA
SHA-512:	319326007EDEBC066D1D74D051E6979BD5B2AE103CC03B928A0746799C432321936903A712050F7E3475B65E640D03477F356E693BC2E05811935E69F79FE48D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.~..........." ..0.............:1... ...@....... ....................................`..................................0..O....@..................x&...`......./..T............................................ ............... ..H............text...@.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H.......P .. ...................p/......................................BSJB............v4.0.30319......l...h...#~..........#Strings............#US.........#GUID.......4...#Blob......................3................................F...............4.c.....c...o.<...............U...........m.......................T.............2.................6.....6.....6...).6...1.6...9.6...A.6...I.6...Q.6...Y.6...a.6...i.6...q.6.......................#.....+.*...+.F...+.\...3.r...;.....C.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Windows.Interactivity.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49784
Entropy (8bit):	6.1856518607818485
Encrypted:	false
SSDEEP:	1536:53wBccZdxuB8mQen6JxKjrlMZgR0EofAwrxj:FcHmQPUkfhF
MD5:	ACDE8C9627383DF8EF6FCC7F1FB50F5D
SHA1:	1904AF6A33E95E8C554BA977D8D8A2B3771F517F
SHA-256:	A5AB8D92991B82C7F7D1B63221674BB580F84B00D1C2828A16FD9C577A20E967
SHA-512:	B11393D3A48CAEA941D737DDDCBBF56991988B0EB6EF10C196BB525155B51C298AD4CF135ADB559EE77FF5031F38EEE96F38D88A2AE9EAC55FA2A8C72B4295FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...du.K...........!..................... ........ ;. ....................................@.................................\...O.......................x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4O..X`..........xD......P ......................................{c...2......q..Z,.C.....3.n.Z..7....R.....T.{yF")i.$JMv...,a.....U...M:,...Z.Q:..c..N.{....<....h%.....:s..T...Z.gSI.....6.(.....{.......0..&........(..............s....o.....s....}.......0..K........(.....{....o........,3..+&..( .........{.....o!..............X...(....2...0..L........{.....o"...,=(#...(..................($...o%.......(&...o%.....('...s(...z*.0...........o).......E............d

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.ReaderWriter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.817957629737893
Encrypted:	false
SSDEEP:	192:cX9HLpFxZv5WquW5pNynC5c77bgfU5izh/y2sE9jBF3A5K+obHo/p6x:+r97WquWHNynsAw/98E9VF3AM+obW6x
MD5:	59DC11273C7B03CF4AFACADBAB25EB59
SHA1:	A98AE30507E67E48CD4830A8C832230F298CF9AB
SHA-256:	A4A52E044A958C55D6C4C8725DA5B9004DC5FBF5022290B65760715FD444C84B
SHA-512:	9A1DECDD7C78E853E7E7624D9B715189F4FF3A40CD55AB317A61D064B38B5B8673E0642E71C780DD273ED4B7B55576D6ABB371FA3DEE67AA8622E343D71A82E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ....................................@.................................\+..O....@..................x&...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XDocument.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.759226414975091
Encrypted:	false
SSDEEP:	192:cah2uxSleWLDW5aNynC5c77bgfU5izh/y2sE9jBF3A5K+o2ptHbN:D16eWLDWgNynsAw/98E9VF3AM+o2XbN
MD5:	3D703C779762D98CE4C041A161026ADC
SHA1:	EAD742DBBA21F27598B16D56AF9E31EC336BD400
SHA-256:	B9A3638DE145F9719F564F6A39450271B5FFA19BDC253693BE8CEEB2ABFB7D0E
SHA-512:	B3F8A900DF9F85032A6D7897DD5A96A7A33D4036FF63135CEB74053A2B244E7C76E1A33C5A7A8F082D49A5DC08A8E872F85852FE0DACFD7E8CEDCEEF5F56BEA0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0................. ...@....... ..............................7.....@.................................\|..O....@..................x&...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.XDocument.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16504
Entropy (8bit):	6.756284003930478
Encrypted:	false
SSDEEP:	384:x8G4YC2W+wW8WpwWMNynsAw/98E9VF3AM+oQ4f3v:+GZ5mAw/KENAMxR
MD5:	3A677A1F851B48F577F6331F472D9DA5
SHA1:	72A549CA42D74364FCAD410F7767354EF213EF08
SHA-256:	8CE09B6D2BB36079696CE54518052834079BCA013DCC04186ADB1D256A19FB49
SHA-512:	641F1CBA6A4129FC2E654F0EADF736FEA6229F6A5F18BE1D48946E614A84BA515A4F31F875FF3D5CE979E72B2A667892B1D90062863883DF1A2169361535D760
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...................................@.................................z+..O....@..x...............x&...`...................................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P........................................s....:.(......}....2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XPath.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14968
Entropy (8bit):	6.864190386225134
Encrypted:	false
SSDEEP:	384:96ziqTEkGWvRWwNynsAw/98E9VF3AM+oxLq9EKh:9YT1RAw/KENAMxKB
MD5:	AAE65957CC7D8B837A88B255281382C0
SHA1:	989EFBDC0067F8260948BEA5BDF2499809D36469
SHA-256:	FB82B15FF8F9492EE80540BB4E2D8A49BDE90AA51E930944FB651F015AFC1549
SHA-512:	FAAA6DFD34CE228AA3900DAA591A0D7EC7D6B0BF73CBAE45363BF214482484582EC05BCB030BD427B56F1AA9970A2DA025B017E18ED9CD0D9B032D70EC669761
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................x&...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.\|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlDocument.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.773490520043926
Encrypted:	false
SSDEEP:	384:LUv7c7iWNCWSNynsAw/98E9VF3AM+oSje6xb+b:LM7c1SAw/KENAMx2e6Ib
MD5:	4519EA3FCC15D1F9541B67D2C4BAB940
SHA1:	92D9C9887E0D71EBC9BC4A3FEAA86FE65B02E791
SHA-256:	8FA73F8FF660908C0C037F4C97D3CDF17FAAAA07EF293A6883930B32443EB7D6
SHA-512:	10C935DFB8CED95EAA5C6A220DE96854CF805BCEF16DFC36F8C569E537C81A056694EE357F19EC748112DA8A37854C489ACB27A5514E97984F3AAFD5DF4B0E4A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0................. ...@....... ....................................@....................................O....@..................x&...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\System.Xml.XmlSerializer.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15480
Entropy (8bit):	6.820914068433146
Encrypted:	false
SSDEEP:	192:T+vxmNWnRW56NynC5c77bgfU5izh/y2sE9jBF3A5K+orlMABR8iTiw:iSWnRWMNynsAw/98E9VF3AM+orlbnRT3
MD5:	AA4AC0685FFA876535AC3975C41D720F
SHA1:	3807A3A0CF1D6BEA6B3C9826C198A5258A3FB919
SHA-256:	10F2197B8A216A25AA59C33293EE3B6686F87DC2CC84C2C3ADDA76D45AE6A252
SHA-512:	8E0D88ED138CEE5FDD93C484A7636B20B069B4C34008E28992AC642052C7B508D424A89C357DA79423649E9D9C9103CCFCBBB51E94EFDCEB2DA7FDC6BE1F6C91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ....................................@.................................L+..O....@..$...............x&...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

C:\Program Files (x86)\letsvpn\app-3.9.1\ToastNotifications.Messages.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	99960
Entropy (8bit):	4.65454355527299
Encrypted:	false
SSDEEP:	768:oHmt9tmMLbLR6330XUb9GYQ+Aw/KENAMxgmHXP:o+d6336UbIL+AwrxgcP
MD5:	C5011CC0ED65F75AF184A956EFDB5673
SHA1:	A4E80E0D9FE537FA4FC541C22AA228ACDF9E84CB
SHA-256:	0DB980DF9796D497CBAE63B2833C6E3482B80B50F68CD2C5C0061F2CBC116D89
SHA-512:	DE55750D45CDF58AC412771762C2CA79799CEBB6BD82F985A373A0CC4D0715FBB3878110B00606DD671685CFEEDD4022A8C5E022C7D234BF9DD162FA196B3503
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.........." ..0................. ........... ....................................@.....................................O...................`..x&........................................................... ............... ..H............text...0.... ...................... ..`.rsrc..............................@..@.reloc...............^..............@..B........................H........(..."...........J..p... ........................................0.. .......s7......}........8...s....o...+.0..'.......s9......}......}........:...s....o...+..0.. .......s;......} .......<...s....o...+.0..'.......s=......}!.....}".......>...s....o...+..0.. .......s?......}#.......@...s....o...+.0..'.......sA......}$.....}%.......B...s....o...+..0.. .......sC......}&.......D...s....o...+.0..'.......sE......}'.....}(.......F...s....o...+R.(.....(......(...+2.(.

C:\Program Files (x86)\letsvpn\app-3.9.1\ToastNotifications.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	119416
Entropy (8bit):	5.021887889872257
Encrypted:	false
SSDEEP:	768:dr7hqeNzclb+af/wFGfdpOOJWOQE9/TBLW/Uwm5Aw/KENAMx5bx:dr7hqeNzclR/CWpKsRBLW/E5Awrx5bx
MD5:	8CFB343AA731682EDBBB138F7D780636
SHA1:	2F886CB66223EF4F25F65283F496D1671322E1E1
SHA-256:	5891735F10740AFE1229F057EA079EC285E0AB41B38316AEDAA2F95CF5A64EED
SHA-512:	F5A366BC746F4D9E3A3D7FA486E7888231D6496590218D1F2A70C78573686E4A0B668A1476A2D4AAF54CE098E48375C0211AA20647332C8314410F6B212DDA90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.........." ..0..$...........C... ...`....... ....................... ............@..................................C..O....`..................x&..........hB............................................... ............... ..H............text....#... ...$.................. ..`.rsrc........`.......&..............@..@.reloc..............................@..B.................C......H........N...n..................A......................................f.s....}.....(......}....v.(.....{.....o.........o.....0...........{..........(.....{....,..k.(......o....%-.&s.......}......o....}.....{.....o....o......o.....o.....o.....o.....s....}.......,..(..............s\|.......0..T.......s....%(....o....o......{.....o.....o....-.r...pr'..ps....z.o....-.re..pr'..ps....z.J.{....%-.&.o......{....*..0..M........{....-D..}.....{....%-.&+.(....%-.&+.o.....{....%-.

C:\Program Files (x86)\letsvpn\app-3.9.1\Utils.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	129656
Entropy (8bit):	5.922958705511437
Encrypted:	false
SSDEEP:	3072:DTWN+0f87fNkJfMrtab/nV2b9YjCW1NtLGi/yO5i1/Xg6iyhUkudbPha:D6l8l8VMxSha
MD5:	E6438DD9E9DAAFC2967F26C41D799760
SHA1:	9EC233ACC7DD4003B6499E80ECA447AAC66A08D5
SHA-256:	8D852B14C609A58591FA18B4A558C8A8EF5A5D90827746A89BB60CC4D1BCC597
SHA-512:	8B60C65F2E6BE67CBC71FBD742C16ADDF5ABBEC0181B99BC1B5EEBEB824CEF05E4CEEDABD638388599F767E3104BA3F72AD264699E28B3DE39EC7F5285ABB972
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H............." ..0.................. ........... .......................@...........`.....................................O.......P...............x&... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc....... ......................@..B........................H.......D....9...........................................................0..........s......(9....j........(:...&...(.......0o.........+,.....o ...o!...o"...&...2..r...po"...&...Y...../..0...r...p(#.....(1....r5..po"...&...o$...o"...&...o$.............ag.0.....0..j.......~%....rQ..prY..ps&...%.o'...%.o(...%.o)...(.....o+...o,.......,..o-........r_..p(#....(1...r...p.s....z.*........0..>..........DJ.......0..........s/....(......l...%....%....o0......+r.....(1...-b...l...%..

C:\Program Files (x86)\letsvpn\app-3.9.1\View\Assets\notification_icon.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PNG image data, 256 x 256, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	12243
Entropy (8bit):	7.820583648387655
Encrypted:	false
SSDEEP:	192:WLj1H8FzmdclL4jx3c4yrJuhRof6YQURyMGf0gDSvGrEHsf8Aw47b:QpiYccZrZRof6YQUPPgDSvGr+q8D47b
MD5:	AA3CFA4A176584F79EEE7F74032E446F
SHA1:	752B97FF9A8D28E92F6FB35EE24FF3DA2E8DEEE5
SHA-256:	34A9425F58EDB250E7FBD9217D73A5AD96D1986ACA3520AFE8CADB66E32E3F33
SHA-512:	A824DA84DEDAFCDCEACDF9D602B5F89526168E6350E7478D31A5562A8B12D496FB5205B62EDFB2DF1C3896D6B24DA761A1211CF342C1AFF8E6235C4569A54BFF
Malicious:	false
Preview:	.PNG........IHDR.............k.XT....PLTE....g.H.\...O..E..E.jj..D..E.Q..rb.S...D.tc..H.H.P..ni.T..S...H.Q...F.N..L.N...E.....D.M..Y..yS.uW.O..S..ig.q[..D..H....}P.lc..D.T..bv.en.gk.n_.Q..]...L..D.D.D.D.[...N..D.F.[..cr..D.V...E.D.D.Y...D..D.P.._}..L..D..C..D..D.D.W...D.G.I..D.`z..D..D..E.D.m...D..D..C..G.o...C..N..O.w{.t...[.j..]...R.q..c...U..Q..N..i..Y..`..S..N.zw..n..N.g...N..N.\|r..N.N.....V..N..N....^..a..d...N.g......N.N.O..N.M.O.O.d..O.......U...N....z?.LN.n>....O..w..kb...eP.`2.`D.sq.........7.....W.w^.T=...sJ....f..xj....bk..$.....&.[[..&....g$.....u...m.....B......Vj..8.I....'.mx......1.k..Oy.........j.... .:..Fb..1....\.....@u.. .....H.L...f.-.........I.t".......g..1....G...(.E..........8..w...y....9..I.....i..............k......}...b..E.....tRNS..-.L...O...QQ..........'^..,iIDATx...MH.A.....].U3.Xw....B.2..K...A..i.%F...BWA..3.K..H...u.P...C..I..K..<...w....C_........>.../...+*+..v.@m..N.X.XG.qt.i.k+...(jXQ

C:\Program Files (x86)\letsvpn\app-3.9.1\WebSocket4Net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71800
Entropy (8bit):	6.211583029946497
Encrypted:	false
SSDEEP:	1536:AXSaVnItYw1N0tUUTAz/kI5JIol/NkIgJ4WFAwrxd:A5VnqzNaNE4IvIolSIgJjFhb
MD5:	ED9EA2D360D3B0D101F1E2EC6466BFCF
SHA1:	F2AF04D2E765315C2F6CE2050A0584C33DCD1BDE
SHA-256:	487C38FDE778ADE5A37FD327A351508DB3B47F48BBDFDC5AA45475B0EA10C1BF
SHA-512:	157C475AC08918F8AA0C7C5929AB095B63D2F062453B17B693431BC7F720C610E10967BBD0F75BBEEB9E0A1F10C769D8C973538B00FF9A6714E37B203FB6BC8C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...FqZ.........." ..0.............V.... ... ....... .......................`......d.....`.....................................O.... ..4...............x&...@....................................................... ............... ..H............text...\.... ...................... ..`.rsrc...4.... ......................@..@.reloc.......@......................@..B................6.......H.......4k...............................................................{...."..}......{...."..}....V.(......(......(....:.(......(......{...."..}....Z...o....&.~....o....&Z...o....&.~....o....&V..o....&.~....o....&6.~....o....&...0...........~....Q..~......s.....8.....P(....,...Q8.....r...po....,..(....-&....o....-.......o....( ...o!...8......:o"........?........o#.......(....-...o..........Xo$.......(....-"..r...po....,...o%....1....o$.......(....-1.....o....

C:\Program Files (x86)\letsvpn\app-3.9.1\WindowsInput.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32376
Entropy (8bit):	6.329885075849617
Encrypted:	false
SSDEEP:	384:K0c3XP4cGqWpMgtZvtxsoOaY2ZXnFq+3xfJBRGCV3NynsAw/98E9VF3AM+ojRjTg:BsQtqwMkbvnFqqPgqdAw/KENAMxkj
MD5:	C9AFE80EB729A507E3C8468B899A83A9
SHA1:	BF54EC4071511FA544A6A6B9223C0FE70169DA0E
SHA-256:	FAF0A3EDC179AC29B397E9A5EAED445EAF0D8AFC6A5E8BBE63587B29FD9EC0DE
SHA-512:	1441EBD0DB84FD1D076DFB235D984CB3274FC5BC9B5E282E6685C8183C429A26BD94F3E81D8C2891B3C7D49B30119E783CD1F01F7434848394EF761D5BC4A753
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......R...........!.....N..........>m... ........... ..............................TJ....@..................................l..W....................X..x&...........k............................................... ............... ..H............text...DM... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B................ m......H......../...;..................P ......................................`.R...~d.5.......eQ..........EG2..D9.p....WPu.s.\|nn....1.....F..V7..W.(....od,...........!8....W..ez..e..Q.....h..:`...Qgr.(......}......}......}......(......sf...}......s....}.....s~...}......{......{......{......(.....-.r...ps....z..}.....s....}.....0..c........(.....-.r...ps....z.-=r...p.....(....o.........(....o.........(....o....(....s....z..}......}....2.{....o....6.{.....o=...*...0..

C:\Program Files (x86)\letsvpn\app-3.9.1\WpfAnimatedGif.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	52344
Entropy (8bit):	6.293171637492724
Encrypted:	false
SSDEEP:	768:ZDcl7W1UiZTo1ooEqzW3SQwiNsI8l5wwyvUPrYZBkcD4Aw/KENAMxbWvP:58QpZTsooEX3SQwr9y4UZRD4AwrxqH
MD5:	7F50E40099EFD1DD60B2DA570056EE53
SHA1:	A89F1A51B7015D66F5AFA03A1F4D60F0943776AC
SHA-256:	207F9A79BB1926F9282363CE84D0558BB4886BA1D2278408622B1CA01CE50181
SHA-512:	9A525A91DA128CE933C538F47D12D7E47792290118EE6EC899408394E34BA3932C2FA9DD85CB5684D3803626E51D772D2D2D59B9F495C4E168912144074E9A8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5............" ..0.................. ........... ...............................!....@.................................J...O.......$...............x&..........h...T............................................ ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B................~.......H........H..Hq...........................................................{......{....V.(......}......}.......0..;........u......,/(.....{.....{....o....,.(.....{.....{....o...... ...' )UU.Z(.....{....o....X )UU.Z(.....{....o....X.0...........r...p......%..{.....................-.q.............-.&.+.......o ....%..{.....................-.q.............-.&.+.......o ....(!....0..2..........(....~.......o"...-.~.....s#...%.o$.....o%...&...0..A..........(....~.......o"..

C:\Program Files (x86)\letsvpn\app-3.9.1\arm64\WebView2Loader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32+ executable (DLL) (console) Aarch64, for MS Windows
Category:	dropped
Size (bytes):	125048
Entropy (8bit):	6.059839640630606
Encrypted:	false
SSDEEP:	1536:WDdMkQCUK86ryzDWs0MxThVvTe6sWkddGDGEtg3q2LOOCN+4Awrx7FL:WDdef+yR17exwDGEtg3q2LOdN+4hTL
MD5:	337DEDF955BD92378D0C42933C577169
SHA1:	C5C98D3DD6C1646FB45CFA4CE3EF955DA9A4ED42
SHA-256:	15CD66C438782A017B9848FC57F59C2F706CE49E179EF2D8A6FFB7D5DC994068
SHA-512:	22A6D566AEB9120E4BED5CA11B75792892CF73F4787FBC9690BD63E3B44B6BD290DCB9CB61AF9385676B437F5D65F0CE399218CA8D8440B750A37C5397353CF6
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......`.........." ................ C....................................... ......0.....`A........................................_.......Q...(...............(.......x&......\|..........................@...(... !..0...................P........................text............................... ..`.rdata...... ......................@..@.data...\|...........................@....pdata..(...........................@..@.00cfg..............................@..@.tls................................@....rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\cs\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.64420993237395
Encrypted:	false
SSDEEP:	384:PEZLkwA5qKV3XWe6lWUNynsAw/98E9VF3AM+o/mjPezf:sxkwAlaJAw/KENAMxuzSf
MD5:	0649BC09E8FCBF444226936CD427140B
SHA1:	7AA4C14BA7FA5472F801A380DC480568BFDDAC7B
SHA-256:	80EEB2C23CEAF9718842DCFCEE5C28D0FD5D50625504EDAEB76BA432FC6F7174
SHA-512:	EDCBF93629A976AE25962B67CAC1FF54EA36AEF60F4DFFFFBC5F9A5095947530928B832A4699DFF7B02C73C81C00DBDA068858F1A9B70868074D4F14C3EB2F55
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............8... ...@....... ....................................@.................................D8..O....@...............$..x&...`......(8............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................x8......H.......P ...............%.......7......................................BSJB............v4.0.30319......l...D...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\de\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.640854649502029
Encrypted:	false
SSDEEP:	384:jqmGsHW08We6lW3NynsAw/98E9VF3AM+ooL6qA:jBGsH1xsAw/KENAMxEXA
MD5:	C842410EC095B4BE7FA3FABFF47C5BE1
SHA1:	764977EF07064F5F5FC2C7338AA4C453D754370B
SHA-256:	3AE5DACCC3E17AA64EBA50D4C31FC9E7B6DFF8312672F5087E3FD9D4E5A49246
SHA-512:	4A131B57C7E1AF8A2F9359CAC24C2EED423DFB7A44384C7F437C74B85542C2F436803B16944004F617F507585654DFBE4B2B13599E63ADF7547597EBC24CA967
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G),..........." ..0..............9... ...@....... ..............................1<....@..................................9..O....@...............$..x&...`.......9............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ...............%..8....9......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3....................................../.......................u...........].....].....]...D.]...a.].....]...-.].................o.....o.....o...).o...1.o...9.o...A.o...I.o...Q.o...Y.o.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\es\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.600293224341022
Encrypted:	false
SSDEEP:	384:a11LpDt4We6lWCNynsAw/98E9VF3AM+oHoJr/:CBdLAw/KENAMxa/
MD5:	AF7A82494B1873FB912C50C6CF84386E
SHA1:	C99064F2760593D57DC277C43E6F51945BB816F9
SHA-256:	82BF091DE505DBEFC45576B0C59ED76A66D6DECA12423D2E3FC2D6A460680630
SHA-512:	E878974A578409E6629819DF614E590B8EEDCAD573E23C08A015B8EE2D96C684F65F652854EECE3EB8003F7D73DB04EC990F7136D55AD571B255580C8ABFF924
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k2............" ..0.............69... ...@....... ....................................@..................................8..O....@...............$..x&...`.......8............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ...............%..x...H8......................................BSJB............v4.0.30319......l...D...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\fr\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.645700482594103
Encrypted:	false
SSDEEP:	384:gsxhehdMDxbFWe6lWkNynsAw/98E9VF3AM+oM2yTR2:xvy+DANAw/KENAMx8V2
MD5:	CF7228688FAC3506568610CE0C9D8583
SHA1:	3CCE1F3B7BAC1A5EED4360239B5D364753682406
SHA-256:	BF6B4CB731538FF2FDF5EDB2E1DB097390136C53F3F604F79F73A0164C01E5D4
SHA-512:	5A1D11786256046F6C7A7E50804F8D6D563FA782E7182BB537AE652FE1CF10856052774020E05C099ECB6417F1056D3E59EBA58252A50C018FA5A87423CFEF8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,E..........." ..0..............9... ...@....... ...............................1....@.................................`9..O....@...............$..x&...`......D9............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ...............%.......8......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................u...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................o.....o.....o...).o...1.o...9.o...A.o...I.o...Q.o...Y.o.......................#.....+.....3.@...;.e...C.y...K.....S.@.....................l.............

C:\Program Files (x86)\letsvpn\app-3.9.1\it\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.607956539835236
Encrypted:	false
SSDEEP:	384:l9WLKzFWe6lWzNynsAw/98E9VF3AM+oWKdD+:XgKz+8Aw/KENAMxrdK
MD5:	20E0D854F902E1CFACF5CCFF8497E614
SHA1:	532274D0F65537183B5509AE74EFD95A3E0EB77F
SHA-256:	494FF5433354729D832B60D2B983FD8A3FEDE9DE650A66592A885757E37467F0
SHA-512:	DDE3F16712EDF94E0343CE09DB15D4AA93DEAB6C3591B76B3C099578705C86AA2D28CDCD73BF0C6506DD1952F304D0BA0E0A9DEB9E38583D2C41AB488974FBFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(............." ..0..............9... ...@....... ....................................@.................................09..O....@...............$..x&...`.......9............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................d9......H.......P ...............%.......8......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\ja\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20088
Entropy (8bit):	6.78109394842637
Encrypted:	false
SSDEEP:	384:zNeZmFLRnyGO00Ik4oF3eUntWe6lWsNynsAw/98E9VF3AM+ocKyAOOnc7:zQZmFLRnyGO00Ik4oF3eUnGhAw/KENAL
MD5:	D195EE89B368458140350C1B38AD2E97
SHA1:	E38D2A51B8714DC68DDE6A584CA2AF01328C5BDC
SHA-256:	2859A7A1A13E67AF18D1272B0F30F9CB0CDE9871B1ED8BC77816D9B576D5B487
SHA-512:	A9E8F93021261236442A3C4A53BFE529221E18CF4DEEAF661328BF94D64AF9972F34CFC29394ECE5F9BCF0EBECCC473B1F92DD5A5CF79963D626C034F448E978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............2=... ...@....... ....................................@..................................<..O....@...............(..x&...`.......<............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H.......P ...............%..p...D<......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3....................................../.......................u...........].....].....]...D.]...a.].....]...-.].................o.....o.....o...).o...1.o...9.o...A.o...I.o...Q.o...Y.o.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\ko\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19576
Entropy (8bit):	6.790977606420412
Encrypted:	false
SSDEEP:	384:bvP73AIGoWe6lWLNynsAw/98E9VF3AM+onVlzn:b37AIGN4Aw/KENAMxV1n
MD5:	4A663EB905F30453A611941157A0019A
SHA1:	AC5A188EF5EB43991B564874600D3AAC8BB76AF3
SHA-256:	3A3BEA5DB04008FE2DAA6BF0CBD31F78FFE6D8D5939627C745C6FEF0C1907ADB
SHA-512:	92FFCD438E07D02C01F29EFD3715AE877480509DA03051455D145C2F4F4E42F3A1D5E567EEF76B26C8B0ADEA9F18CC2B0EF74E66AEBE36FDBCEF65B2EB95595C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9..........." ..0.............2;... ...@....... ...............................i....@..................................:..O....@...............&..x&...`.......:............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................;......H.......P ...............%..p...D:......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................u...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................o.....o.....o...).o...1.o...9.o...A.o...I.o...Q.o...Y.o.......................#.....+.....3.@...;.e...C.y...K.....S.@.....................l.............

C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10696824
Entropy (8bit):	6.350876350350505
Encrypted:	false
SSDEEP:	98304:014vSi1JlKYUP6UYKX7nrFXZ03TGT4qoxlZJPtVw5ptM6T7j:014Ki1JaOqsa5M6T7j
MD5:	D18E72922CA50451C93AC214D4230FE3
SHA1:	DFB46EACE5054A72E8BD113C1D01210FA16C8695
SHA-256:	FB7F31C8C7FC0C4F9117B9E7EDD96FABC70B9BCE5602674D39656B3EEFBDB788
SHA-512:	BBCECBB16D3A8809AF07506D666AC9C933DEEE9CF3997C92CEFB55B18ECEA2514561D6A68ACEF41CA810AD7AA232720A41EDBD1226AD96EDE6F6EA9AB944D603
Malicious:	false
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Program Files (x86)\letsvpn\app-3.9.1\libwin.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...).BL......<...........`L...8b.....................................@... .............................. ..$....P..................x&...`...M..........................$......................\|!..@............................text....@L......BL.................`..`.data...L....`L......FL.............@....rdata....N...P...N...O.............@..@.bss.....;..............................edata..............................@..@.idata..$.... ......................@....CRT....,....0......................@....tls.........@......................@....rsrc........P......................@..@.reloc...M...`...N.................@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\log4net.config

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3607
Entropy (8bit):	6.27044188314989
Encrypted:	false
SSDEEP:	96:l22xKLORF1pb5YrJWox7aI94UnvQdmrZ/xEKxD5q8fANY2Z:l22XFbawo1BvecZ/xXxF3INYY
MD5:	28F9077C304D8C626554818A5B5F3B3A
SHA1:	A01F735FE348383795D61AADD6AAB0CC3A9DB190
SHA-256:	746B5675EA85C21EF4FCC05E072383A7F83C5FE06AAA391FC3046F34B9817C90
SHA-512:	485C175BC13C64601B15243DAECBF72621883C2FF294852C9BBB2681937F7EF0BEA65361E0F83131EC989432326442EF387C1CCF2A7CA537C6788B8FD5C0021E
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>... Level........ -->... None > Fatal > ERROR > WARN > DEBUG > INFO > ALL-->... .....level.ERROR...cs......log4net.info()..............-->...<log4net>....<logger name="logger">.....<level value="ALL" />.....<appender-ref ref="LogAppender" />....</logger>.... ........-->.... <appender name="LogAppender" type="log4net.Appender.RollingFileAppender">-->....<appender name="LogAppender" type="log4net.Appender.RollingFileAppender">.....<param name="File" value="Log\\" />.....<param name="AppendToFile" value="true" />.....<param name="MaxFileSize" value="10240" />.....<param name="MaxSizeRollBackups" value="100" />.....<param name="StaticLogFileName" value="false" />.....<param name="DatePattern" value="yyyyMMdd".log"" />.....<param name="RollingStyle" value="Date" />..... ......-->.....<layout type="lo

C:\Program Files (x86)\letsvpn\app-3.9.1\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	280184
Entropy (8bit):	5.686156795570742
Encrypted:	false
SSDEEP:	3072:GG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCm:GJrycoB3HVeESME3pnaVTS1nh7hCafhV
MD5:	FAB3068DDD02A305597A8037DD4FD8ED
SHA1:	1E2276B74E1228C4F86197FDAE16A93B0CF99B7B
SHA-256:	EC48676D80192324DF28EDB501C7A274E9C5E2BA39FABA4B944D6831E40253F0
SHA-512:	0A74E1C17AFA2BCEEC4D97EC0EB1537038B75DDDAAA79657BE7937C70CC29F8920593DF8C236CA775C44531215BA930D64399B37B2A38E6577285A9DCA7BC8BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`......%w....`.................................h...O.... ............... ..x&...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\microsoft.identitymodel.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1107576
Entropy (8bit):	5.828402065890858
Encrypted:	false
SSDEEP:	24576:I1WtBetKEfrsial0WV1pqfy+Jp15yKn6G/a:7tBetKEfrsial0WV7215yKn6Gi
MD5:	94C12716C9407D5EBBBC0C9D31E559E2
SHA1:	79ECD10009B431C64B6AFEBFE267CA5312F813A9
SHA-256:	47C400DA0BA387E5CC2878EAB967774D4A7B56535B1C575CE38ACA66F03634F9
SHA-512:	9382011065318B9277B1EF1699C1257D91013E1585A6CB625F174001BF133379F1FC090597BA717AB6FBF6CC7F95AD2EF0CC5B264A9DD9B08F252DD4C057E8C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..\...........!......... ......N.... ........@.. ..............................E-....@.....................................W.......0...............x&..........P................................................ ............... ..H............text...T.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	92280
Entropy (8bit):	5.468068841395559
Encrypted:	false
SSDEEP:	1536:M2Ec05j4eAH64rh5fSt5T9nFcI94WKAwrxM:zlK4eA7mDmWKh
MD5:	3D4DD163224B12F97C4A56C1063FAD7C
SHA1:	B40CA5183B5578415FE57BA68E7ED472256EAF08
SHA-256:	76D7D2F8044CA8D6EAE9F547931CDDBE31EFAB63EBED7334799FD9EDA126A760
SHA-512:	22EBB821A0E579E6B93F6C855392839445BEDE68749B4B5513979606AC62F0AA7E1015A2736FBF180DCF2C8262CE914B33E0791D363D252B775442C1FA59ADE7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\letsvpn\app-3.9.1\netstandard.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ....................................@..................................U..O....`..,............B..x&........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...\|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M....M....M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

C:\Program Files (x86)\letsvpn\app-3.9.1\pl\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.700127859547565
Encrypted:	false
SSDEEP:	384:cSss4wvEmF+4wpwlU+nACUOWe6lWPNynsAw/98E9VF3AM+oN2jY:cS/PArYAw/KENAMxQU
MD5:	731F8601C819A38E360F008B8184AB28
SHA1:	EB2D718BF44D00D307B104A7DEF87B45369B9B2E
SHA-256:	2669FA7D1BEF1E45037234830FFC932F99B85780115EC203F9C9F604827028F6
SHA-512:	CB1938E0DB6142CC3E4CC5F0F12D5B96A5A29DE354A3422F19A2C4EE386853A29CDA7D4413E7F58F91B93C03D8B1AE8589B9975D32EB3B22353CE7DC3946BD37
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I............." ..0..............9... ...@....... ..............................X=....@.................................x9..O....@...............$..x&...`......\9............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ...............%.......8......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................u...........].....].....]...A.]...^.].....]...*.].................o.....o.....o...).o...1.o...9.o...A.o...I.o...Q.o...Y.o.......................#.....+.....3.@...;.e...C.y...K.....S.@.....................Z.............

C:\Program Files (x86)\letsvpn\app-3.9.1\pt-BR\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.617793515443342
Encrypted:	false
SSDEEP:	384:vqXQfVeSN32XFZWe6lWkcNynsAw/98E9VF3AM+oqJMt:vg0Vyiv4Aw/KENAMxXt
MD5:	1B34094AB2D1E04AA1C1E0F3E06A2509
SHA1:	265BE3E6E629F7C40185261155879397B545D684
SHA-256:	F8AE19B40542F908CC4AE2DA937E5EC1255DC2E9227E67F17D79D950E027BADC
SHA-512:	F50D5DD84E294458232AC1DD4967EB0AE063FB55889AB6987122547F7691BFEEEE5A1073B6BD7FACEC5741CCF33E006882E0E3E5A78631CE8F0D4DDC5A1D93DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m............." ..0.............V9... ...@....... ..............................s-....@..................................9..O....@...............$..x&...`.......8............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................89......H.......P ...............%......h8......................................BSJB............v4.0.30319......l...D...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................2.......................x...........`.....`.....`...G.`...d.`.....`...0.`.................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\ru\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	75896
Entropy (8bit):	5.860114142469113
Encrypted:	false
SSDEEP:	1536:ibsu7FOxbHvhHaKUGBLRwgP8874zGgSmR40sqXz2RgUbOYAwrxm1p:YpMBVwgP8874zGgSmRwqXz2RgUbOYh0D
MD5:	AB4EE964D64A5F1B76E1EF8F1A97D626
SHA1:	97846B492E2812FAE9BD8F884E3E00E60107EDCA
SHA-256:	2648051D88C5BD7F9C5C902DA6D6AC793FC26CF1829BD1B19134C4AB95136864
SHA-512:	66A7221841A78F82834C951019C7B114BE0415E9C5CDA7EC211B7143C1BBD39159A2288D0A61E6BBF73035B3D1247B67E27EB4999457074153B559ED2DFF3763
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!..................... ... ....... .......................`......8.....@.....................................W.... ..................x&...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......`...$...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\app-3.9.1\ru\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20600
Entropy (8bit):	6.660275949596188
Encrypted:	false
SSDEEP:	384:78knfHjuXOQWe6lWBNynsAw/98E9VF3AM+ohT0D:wAuXO1CAw/KENAMxi
MD5:	0939969409A6B50AA9F6A7C5F22AF4E1
SHA1:	6400D9E4C0220CDBB30A9CCE0ECC6CEF5F319F85
SHA-256:	FA839086AE5F38EDA33F8EC10994F8A44CD56923EC33F8C82DFDCC8B3C0A50C5
SHA-512:	B81B06DDF9F7700C94BF5AFDE9E6BC049354D065B35D8FBB46A4CCB8DCEE695924CBF536189E48FBE3C307A39308ABBB5AADD54F462CE59164D26F995A3A82D6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(............." ..0.. ...........>... ...@....... ..............................z"....@..................................>..O....@.................x&...`.......>............................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H.......P ...............%..8....>......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z....Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-arm\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) ARMv7 Thumb, for MS Windows
Category:	dropped
Size (bytes):	904312
Entropy (8bit):	7.129751549140526
Encrypted:	false
SSDEEP:	24576:4oXErM5iD28EYQg502GXoU5C0ParRvbLyu:pXriD28xj52X7arpv
MD5:	153226BBF314D9E0A8F64E1C153F05D0
SHA1:	90C9BB5968031BD6478B90B155C506A66589BED5
SHA-256:	0316232C27540EA1F2102242DFFD8DEE1B503F31A706612752BE7C3F76B6A366
SHA-512:	7FF641899DB84F485F664E167EBE115983435CDA5C6B25D787D2340B49BCA0F8AD9A405333327F45CF9500A4B80966A692E2D9E10733A5A07FF9EBA659AD3758
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`^ .$?N.$?N.$?N..WK..?N..WJ.?N..WO.'?N.$?O..?N.%RK.9?N.%RJ.)?N.%RM.?N..RJ.&?N..RN.%?N..R..%?N..RL.%?N.Rich$?N.........PE........^.........."!........................ ............................................@A............................"......(............@..hO......x&.......?..0l..T............................l............... ...............................text............................... ..`.rdata..B.... ......................@..@.data...<J.......>..................@....pdata..hO...@...P..................@..@.rsrc................d..............@..@.reloc...?.......@...f..............@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x64\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1312888
Entropy (8bit):	6.544728263610703
Encrypted:	false
SSDEEP:	24576:cwDD7AuRNZxBNzFlbZcN16AL9hwYi20TAg7wkPoR:cIDbR1L/m9KYixcWe
MD5:	8904248E6461C2AC520A55BD00EB91BF
SHA1:	5DFF39A6581A3E98AA0C368B4F3C7EBF609D6C9B
SHA-256:	2BE14ED517075BF8027A6BA3E9477829297BA4D2F36992FDACBA84C806D05AB1
SHA-512:	5FF3B22445FF9F32D7C2F7FBAF02F2CCB6FBC5847C58B90A3A7E244F95E79A984E938DB0AF16CFE1AE49D713845B9538B14660E08C16071938B76D6D4FB3214D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.[.~.5.~.5.~.5.%.1.u.5.%.6.v.5.%.0...5.%.4.}.5.~.4...5...0.`.5...1.p.5...6.v.5..1.\|.5..5...5......5..7...5.Rich~.5.........PE..d.....^.........." ................P........................................P......+.....`A........................................ ...."..(...(.... .......@..h.......x&...0..........T............................................................................text............................... ..`.rdata..............................@..@.data....i.......T..................@....pdata..h....@......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\runtimes\win-x86\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1028216
Entropy (8bit):	6.747230161622188
Encrypted:	false
SSDEEP:	24576:sBvdKGB6hOsMxCmy+rAnpyAqhTz3RzVNUOxKKoSVM:MvdKGBmWNAnpc3Rz1KKoSS
MD5:	A2EF85BAE02DE33DB7F21B9D4FDE646D
SHA1:	F6EE498769906971F433BC30B1D299F3B885112F
SHA-256:	4BE23FEF571D0348DBF94598B89307CC03233B4BD4DF04239ADB55B9E49DDD23
SHA-512:	B75C43711A12EF66889807F87B7ABF73C015FC38C62395525D4B2697CEB461C24F4F8DFDF477CD3FF3CB8DE70CBC3ED33156E37B9C52910B7B33CCEB07CDEA52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E......................#.....................2...........................z.......z.......z.......z.......Rich............................PE..L.....^...........!.....R...B..............p............................................@A........................ ...."..(...(....`..................x&...p...\......T...........................(...@............p...............................text....Q.......R.................. ..`.rdata..z....p.......V..............@..@.data....K.......>..................@....rsrc........`.......*..............@..@.reloc...\...p...^...,..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\tr\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	19064
Entropy (8bit):	6.603598486910316
Encrypted:	false
SSDEEP:	384:CfH3xC8M83We6lW5NynsAw/98E9VF3AM+otxJTUce:wc8M8YGAw/KENAMxrde
MD5:	D52E962DD3112B1F559CA2B975EBAB2F
SHA1:	C3D1A2DE8C9C995A00346759D6B5AFE9BAC6E513
SHA-256:	C9F1897A966FB43C6DEB6AE3A7ABA3819053CC93C0CE7130E17DBAD9DF521A82
SHA-512:	8F614D30A614A92EF446F3E768E7DA0BE712A6B19D6C266C3ADE032A50D1E62E2A06521CC47CEA4CD9C88944E1964C05C938C198542446A4E4B81E1095A85F9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S............." ..0.............J8... ...@....... ....................................@..................................7..O....@...............$..x&...`.......7............................................... ............... ..H............text...P.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................,8......H.......P ...............%......\7......................................BSJB............v4.0.30319......l...D...#~...... ...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................u...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@.....................r.............

C:\Program Files (x86)\letsvpn\app-3.9.1\x64\WebView2Loader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	137336
Entropy (8bit):	6.167863714475813
Encrypted:	false
SSDEEP:	3072:ygMrTPTNy56J4JQSfB6yRkkGvaYhfls6DREtfw6aQ5Chw:y/PTQ6Ga+BtakGvVEtCPhw
MD5:	5473A1C3C009A4C6DFD8027A0DE55C8A
SHA1:	14361785F723866A0DB6E5097D548D566E8724E3
SHA-256:	F41F4849106FAADA9B114260A66B96F37BEB1DABEA8E60AD8E7BAE1A156E3DDC
SHA-512:	3459AF78FC643109B498E644BEDF43287A37485D8375F195C94C5AFE2D1FE7DC8AC415B8825E75514D4685DB0277B5415EBCB7360DD7F6CFC8C9D78CC0923C96
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......`.........." ................P9.......................................p......O.....`A........................................G.......9...(....P..................x&...`......D...........................(....1..0..................8........................text............................... ..`.rdata.......0......................@..@.data...............................@....pdata..............................@..@.00cfg..(.... ......................@..@.tls.........0......................@..._RDATA.......@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\x86\WebView2Loader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	111224
Entropy (8bit):	6.502560195961749
Encrypted:	false
SSDEEP:	3072:ylzhJmad5M+ekPfJFVwKrSDnuP7HCt+/NyIDfEtPsn/j481yhgn:ylzqaHM+eCTrSDuP7ZbEtUnr51yh8
MD5:	A7662FFA94E258FD4CE774CFB52D3D8F
SHA1:	B38830975D3CCCB81CE219C17AAA496C19D2CCC5
SHA-256:	933B0C855EF96C0BCE66E5A6AD537793A9A7DC7DA15F1D8727AC41DED72465EF
SHA-512:	96659BB298161ADCC2238F7C9667533CA6D7A47502D508873603210EF4FF78B70BF90B980E2FCCBD214329DD8AB584EF988EFAC09E24D8B75BC17AACAA6E56C2
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......`.........."!.................4..............................................,.....@A.........................k.......l..(.......................x&......L...Ph.......................f......`...............8n..8....i.......................text...e........................... ..`.rdata...k.......l..................@..@.data................d..............@....00cfg...............n..............@..@.tls.................p..............@....voltbl.H............r...................rsrc................t..............@..@.reloc..L............z..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-CN\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58488
Entropy (8bit):	6.186544695687492
Encrypted:	false
SSDEEP:	768:vlOlfuJ0GddPMDOmrxHDGt8MR05ZBnVD4ectpAw/KENAMxoV:9A8NpMimrxW8MR0fJVDgpAwrxW
MD5:	25F9F1E271E60930CE5DB15F67ED8B0F
SHA1:	0228B4045C8089A8D8BB5140A2DBE5F5DF9F9BF0
SHA-256:	634CF5C8F9303EB28C052D34A66FAC5A0FCCA77E3452F339212499491D8F2ED2
SHA-512:	FD68A947527F8DBED755261A8B52B0BD5B33D7A7B475F526AAC209099B63A237E5A721671534CEE805FE0CF90C01EFAC45C900B1A577A071C82CB99C878DC367
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!................^.... ........... ....................... ............@.....................................O.......................x&........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H...........(...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-HK\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58488
Entropy (8bit):	6.189988998812531
Encrypted:	false
SSDEEP:	768:1lOlfuqeGGdYoU+thN0/9GowLxS9+yZIQcjDDsjNpx9TAw/KENAMxI:fAWDYuF0/NwLxS9+I+DINdTAwrxI
MD5:	7F7998BF9C57359945131A568E1B27EA
SHA1:	C26C1B4022ED47C609B2ACC7F352112EDD73FB6D
SHA-256:	34680B928FB54B7194012F0B1F8A01656730979B6C6CA500E946E2CF8261D720
SHA-512:	BF6D182B4909CC8B671F8BDCB35EB5252338443C592453BD0648984A7AB1F12A1B5E4624E3A30D4C851F930891EA494356697D2219FAFE88457E1B380893A9B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!..................... ........... ....................... ......7.....@.................................<...O.......................x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H...........(...........P ............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-Hans\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18552
Entropy (8bit):	6.845246857877032
Encrypted:	false
SSDEEP:	384:0X3HhVhLu4y8VWe6lWRNynsAw/98E9VF3AM+op1ZTsG4:a3h/aSAw/KENAMxTdl4
MD5:	280675ACF375A3DDDDB7C2E6105C2721
SHA1:	22E623697260873E1EF1CC5BDA16074A8E6BB104
SHA-256:	C7DB5815AC2135384A08C97965D751FB7F30F9E429C2AFB41AE2EE51B9F252AD
SHA-512:	3B849044D099B4B309311D6A2AB3CEE52418979A428264493AADE6FF57A38B53AA2F71DE5734F9FAF7D0644F3929998221BC6330251E6175FD25423E0ABCEEF8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R]..........." ..0..............7... ...@....... ...............................x....@.................................h7..O....@..............."..x&...`......L7............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H.......P ...............%.......6......................................BSJB............v4.0.30319......l...D...#~......(...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-Hant\System.Web.Services.Description.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18552
Entropy (8bit):	6.847427216073777
Encrypted:	false
SSDEEP:	384:R/wkIv2FCcTWe6lWwNynsAw/98E9VF3AM+oLPzql:dgddAw/KENAMxL4
MD5:	FA2F07392708E2452180BD36A61CD868
SHA1:	EBE89FAA6EFCD25689BA60E485D7FE5247B0C075
SHA-256:	2DFCB3E75607EC1E98BC6596496959BA03F946680335EFBEF9C55C7C8FDAE2C4
SHA-512:	2212851B14D8E5382110C31E4673EEBAA76B4223D6F098D3D4CDA03A0D225AA12B9FFD9C5AC766C845DF7C7ADC9AF0A0A951E2E405C630755EAD605E0CE82609
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L............" ..0..............7... ...@....... ...............................;....@.................................`7..O....@..............."..x&...`......D7............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H.......P ...............%.......6......................................BSJB............v4.0.30319......l...D...#~......(...#Strings............#US.........#GUID...........#Blob......................3......................................,.......................r...........Z.....Z.....Z...A.Z...^.Z.....Z...*.Z.................l.....l.....l...).l...1.l...9.l...A.l...I.l...Q.l...Y.l.......................#.....+.....3.@...;.e...C.y...K.....S.@...................................

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-MO\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58488
Entropy (8bit):	6.1899140439878
Encrypted:	false
SSDEEP:	768:1lOlfuqeGGdYoU+thN0/9GowLxS9+yZIQcjDDsjNpZ9YAw/KENAMxNc:fAWDYuF0/NwLxS9+I+DINZYAwrxi
MD5:	8E03313881DC666F23888D778385EF42
SHA1:	19AD490FBB490B0C5AFA0E86165E7A59C0EADE24
SHA-256:	D9E2FB2B10C47636E2E85C255FF5AEE20BBCA2BEB52665F48DBA2B82985AB00B
SHA-512:	4300C39F0694E33121B06D8905BBCE13908DD3CF6DF29F9F94F90AC3963742DAAA2B2584D96765EBAB09516357343448DF21B415282C6D05A8CEFE8659121E0D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!..................... ........... ....................... .......E....@.................................<...O.......................x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H...........(...........P ............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-SG\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58488
Entropy (8bit):	6.186270176096944
Encrypted:	false
SSDEEP:	768:ZlOlfuJ0GddPMDOmrxHDGt8MR05ZBnVD4e8tFAw/KENAMxfExl:DA8NpMimrxW8MR0fJVDEFAwrxs3
MD5:	E6F8BDF1463FE6AC8D67A3F9CF9C3AA7
SHA1:	26FD6632698E7FE2D0A83972708713853E64DCF5
SHA-256:	4C9F4645C00D93612E37DBA562636D36F4ED73E8F75059795C866BC4BD9364AF
SHA-512:	D8492AE616CDA5DD9447EC1B7E054DA93B9DEB28B2B07DFE5A23C13824424DC4289CCCDCB1FBA63E9652374B304491617F09BBDF65B63F1C8159952C56A69FA2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!................^.... ........... ....................... ......."....@.....................................O.......................x&........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H...........(...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\app-3.9.1\zh-TW\LetsPRO.resources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58488
Entropy (8bit):	6.190525314924307
Encrypted:	false
SSDEEP:	768:XlOlfuqeGGdYoU+thN0/9GowLxS9+yZIQcjDDsjNpw99Aw/KENAMxGx:VAWDYuF0/NwLxS9+I+DINE9AwrxGx
MD5:	4A8C703A5010D24356150A2E944A4BDC
SHA1:	BFA091968BF2264A0DE0F4BA9DDA37F07FE78529
SHA-256:	B369392EF5B0BBCC1DB2A4F2B13C12A66ED289A3F032EE932D22C6689D4064B6
SHA-512:	734AA8F4338529222342CA116AE398352B400D816D90BA3D044F538E22F98CF026A02948C6C637031EF0FF2A0C19492548EF456E39A98B302A31A132F122E1FA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f...........!..................... ........... ....................... .......j....@.................................<...O.......................x&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................p.......H...........(...........P ............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.S9.a.......dx.4.E.:.....u..n."..iP...T..:K..c7... ..n......Mn...~..*k;.E....5:.J.[..H.......1..&...+.@..s.............7.Tk[......ue./.N.M.i..:...v....F.b.b.S^m.........pE...k....D.../L.e..-...<r.......a...

C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

C:\Program Files (x86)\letsvpn\driver\tap0901.cat

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	data
Category:	dropped
Size (bytes):	10739
Entropy (8bit):	7.214364446291792
Encrypted:	false
SSDEEP:	192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
MD5:	F73AC62E8DF97FAF3FC8D83E7F71BF3F
SHA1:	619A6E8F7A9803A4C71F73060649903606BEAF4E
SHA-256:	CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
SHA-512:	F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
Malicious:	false
Preview:	0.)....H........).0.)....1.0...`.H.e......0..i..+.....7.....Z0..V0...+.....7.......r?.X.M.....F.A..201008141946Z0...+.....7.....0..T0.... .....S!F.3....#.a.2`..e...#e...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .....S!F.3....#.a.2`..e...#e...0...."~..m..8C. i$.4.l..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0.... ..j(.M<.cR..XrT....F..R.]....?1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j(.M<.cR..XrT....F..R.]....?0.....".....A.Rw..... .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f.......0...0....+.

C:\Program Files (x86)\letsvpn\driver\tap0901.sys

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39920
Entropy (8bit):	6.338128217115975
Encrypted:	false
SSDEEP:	768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
MD5:	C10CCDEC5D7AF458E726A51BB3CDC732
SHA1:	0553AAB8C2106ABB4120353360D747B0A2B4C94F
SHA-256:	589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
SHA-512:	7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101536
Entropy (8bit):	5.597950959538587
Encrypted:	false
SSDEEP:	1536:ImYSYxGfIZnRnD6M7EFOUakPhtUn6KXF4O7WfvZt9c:HYFZnRDGdvPXU6K1RW
MD5:	1E3CF83B17891AEE98C3E30012F0B034
SHA1:	824F299E8EFD95BECA7DD531A1067BFD5F03B646
SHA-256:	9F45A39015774EEAA2A6218793EDC8E6273EB9F764F3AEDEE5CF9E9CCACDB53F
SHA-512:	FA5CF687EEFD7A85B60C32542F5CB3186E1E835C01063681204B195542105E8718DA2F42F3E1F84DF6B0D49D7EEBAD6CB9855666301E9A1C5573455E25138A8B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V........-.....;......<.......+....%......S....%......2....~......,.....)...Rich..........PE..d...<..W..........".................Tv............................................... ....@.......... ..................................................h.......l....D...H...p..........................................................X............................text............................... ..`.data...............................@....pdata..l...........................@..@.rsrc...h...........................@..@.reloc..z....p.......B..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\ndp462-web.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1429344
Entropy (8bit):	7.9320530592846135
Encrypted:	false
SSDEEP:	24576:8XWYAlLlqSmtLvUDSRbm4Jah1rVxzY8Ja1xbLAAAOurzXuV1F+eAXvUS1vlPA:8mYAlLfeTUDBzrVxzYTOTOu3Xu5AX/l4
MD5:	B5A67867CDCE86E09E2625A6FA4D5FEA
SHA1:	C42E6ED280290648BBD59F664008852F4CFE4548
SHA-256:	5E21C85034311C51D8B0367A773D475AF2392B3DDCD90676C61697C6B5FD2E6A
SHA-512:	31D7081BFFEEB5F32457096E51A29236306E5D971DE7EDB80A51188BCCDA9B9F17F0C3593D30828FC140B7A023F5B6842BC922F2023C7B8EA3786C2DBEC40472
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......So....x...x...x.......x.0.....x......x.xx..<.x.xx....x.xx..~.x......x...y...x.....Q.x.......x.......x.......x.Rich..x.........................PE..L.....\V.........."......l...t...................@..........................@.......)....@...... ..................`z...................................>..........@................................V..@............................................text....j.......l.................. ..`.data...@7...........p..............@....idata..H...........................@..@.boxld01............................@..@.rsrc............ ..................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\letsvpn\packages\RELEASES

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.994628072743221
Encrypted:	false
SSDEEP:	3:dgOkUkc6FQSRUjuBj8F2CHsJ1E0/rGoTY:eL+6FQS8uV8F21LDGgY
MD5:	DDCD42A19D51210C706E7F4685AA2954
SHA1:	E91577F1C973C20C396C4193C2E83AB4F1C4829C
SHA-256:	C6CF06F3AF0DE21FCF6545DBEA8999F5A936DFD999350D6B0BDD389FD0673E09
SHA-512:	85F6742EA27095A1607C52F72DC87715B865A5A1D73FC7FB2253E59B2A6E99A8A42EAE97EC8DEB37454B9A87B6A757024B8006C7294DDB5DBB2CE83DF8320DF3
Malicious:	false
Preview:	.6DD83A38B70AA1A90549EF574A8F9DEA24FAD9F3 SquirrelLetsVPN-3.9.1-full.nupkg 12423161

C:\Program Files (x86)\letsvpn\uninst.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	108559
Entropy (8bit):	7.185830627410716
Encrypted:	false
SSDEEP:	3072:OTJ4TJdRVDZ6Lt+uweLlt3cgATZ+eWeH+BCJ273qw0+:OVGdx6x/xJcgGZ+2273qT+
MD5:	73C7E72AEDA0082885A445F51AA1F64A
SHA1:	96C1627FE2A24F9353626989C56A30EEDF979876
SHA-256:	F26CCB71572C101508B766D16EC188A2660C5F1B54FE618901E1E0D18AB84CB3
SHA-512:	F261677458D00058914310713D167569A49E153C8937677C34D434F62CA6A39F9789563F1656B26864D298D6917F86750731816A24521BF91AD318C1076DF90B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h...........3............@..........................@............@..........................................p.................x&...........................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata... ...P...........................rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073617668075905
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrp:KooCEYhgYEL0In
MD5:	DBD9819F9531C05ADAAC7C0746EF3615
SHA1:	DCA039CBA4A23CFCB0397186BAA2A7610DD46651
SHA-256:	27A308DAAA01D40513F5444EB824CE44BC5F9E308F3BF33B88CFF64EC58928CA
SHA-512:	6B2CB753FC16B90DE5D47312E4900089C27D413AF0796C134C16569F6F52345FC1DA4404E753252C2B25E8CB041A64A5198029DBADA25018212B1B4C727C1519
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x32940087, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42214394275123646
Encrypted:	false
SSDEEP:	1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
MD5:	9500E6A60F6CBF2658319FA5A77C93DD
SHA1:	6AC5353DD62E742B795E229C82228DC65D1ABA6C
SHA-256:	1A5235D4AD0D2A6669F4D2086C6237C5E497C366B31B5EAFD6BC105C67D816D6
SHA-512:	EE83771839BB58C8ECA29AA3BAFDDFE714A143407A12B00F130A637E92D3D7AC929FF3025EE1D6340AB8A7CC1363AD443839FF425FFC93CB2A070AD09331B276
Malicious:	false
Preview:	2...... .......A.......X\...;...{......................0.!..........{A.#2...\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................E#2...\|......................#2...\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07732635835240234
Encrypted:	false
SSDEEP:	3:IJS6Yex/4oHCjn13a/XLollcVO/lnlZMxZNQl:IJdzx/4L53qMOewk
MD5:	66F58415867AC30481D37E3A94D3DCBF
SHA1:	D26633A71FC86DFE949CCA48EDC75D0FD97E22FD
SHA-256:	9CE39BB5C76E95EA2517357D78192C2A374CE3CBE7809945C7E20AB1E5EA1806
SHA-512:	B0FD0D790E255D68F4770FD3197FCEA75834789681D957AFCAB281E5CBA0A92F28B0DAE56295FE5C650A8750631537A0567E9AEC40EDBB21045E981734150330
Malicious:	false
Preview:	.........................................;...{..#2...\|.......{A..............{A......{A..........{A]....................#2...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254464
Entropy (8bit):	6.344679508153885
Encrypted:	false
SSDEEP:	6144:zPotONhclp61VE9ucRSPPzK2DIypT+kHberN052:jotahcfgeucRWHarN052
MD5:	2D3702B366F4BEB050CC55108496B8AF
SHA1:	04116170A8596BF68698C2BD89330D0B6AE7C6B1
SHA-256:	1012EAE65987061726C6209F1E3962051B90AAC1F8BDF731E512F68940A76F29
SHA-512:	A254E043B1BFFBFFDB7198905A1F85F006787326AA9034CC676DCF89FB5EFB0F4A9F93CAEC78A8B7A166BD627AA4146B084B103842FEB3216111DBD4D81C0969
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................K...........<.......<.......<.............l....<.....<.....<.....<Z....<....Rich..................PE..L......f...........!...&.............A....................................... ............@................................p...P................................,...h..8....................i.......g..@...............`............................text............................... ..`.rdata..............................@..@.data...T&..........................@....rsrc...............................@..@.reloc...,..........................@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462392
Entropy (8bit):	6.723012474887983
Encrypted:	false
SSDEEP:	12288:EZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77l:M/8wVwHZFTwFOOos3Ooc8DHkC2e77l
MD5:	A34AED811909AAE9262DE05400A8F2A4
SHA1:	43E91F7FEDB04EF94B7D8B571408EA240CA5FD62
SHA-256:	4B0C0671495A3EA7EDEDB43EA4330B4B3E932BE01EDA42E58C20B1B6BF26E5E9
SHA-512:	590BD85CF61C682EBFCC52C598AFB2C8D1050CFA9A2B912ECE3ACD6F2760B7799F26837AEDE88190B10CD9127C68AF08A1C481EDD8770845404AAA128422B9C9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N.Nm.gN.Nm.bN*.NRich+.N........................PE..L....\|OR.........."!.........................0......................................W.....@..........................W..L...<...<.......................8Z.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	977976
Entropy (8bit):	6.974714106566183
Encrypted:	false
SSDEEP:	12288:5BmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJFd:HmFyjLF847eiWWcoGZVOIxh/WxIAIb3d
MD5:	4BA8032E50A8782497F056266A10564C
SHA1:	79385E5982EDA895CDE937DA82FC98314A49B915
SHA-256:	093E022FD358E39D5DB8BFA793B9E41C1EF2CC031CB8A90DEBF4898D5D9B2B91
SHA-512:	49BFA1D5D1057ACDA73923C5E2858B36A2462997AB0F353CECAA91CDEBE9BF1305DBC201266215412160FA657C08A6153485F482FE410CCD0FF5E463960844CE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....\|OR.........."!................D................................................'....@.........................`........R..(....p..................8Z......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32584
Entropy (8bit):	6.899768077055986
Encrypted:	false
SSDEEP:	768:5pCrkeS9Wx6JIeWHbt5PON0ykT8s18Y7:5pCYeJ6WeWHvPM0CE8
MD5:	2BA1B334190DC1FE43B1D9FC330EA384
SHA1:	699BFC6D6AEDFD77A25EE4F2A58A428BEFD8395E
SHA-256:	0AFFDA7968743ECBB729942E09B707D25E5D8A320E30D1F72BDBDFF8417AB13C
SHA-512:	C285B5235ECE5BA3962EAFB390A5873B0668E014A863536D60CC3EF17C835905169DDC107E1BF39EDB09BA8574082CF7BEB6B94977ED8482873B27CC4C76DD3B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.4Wc.Z.c.Z.c.Z.n...a.Z.%...b.Z.%...p.Z.%...e.Z.%...g.Z.j...h.Z.c.[...Z.n...`.Z.n...b.Z.n...b.Z.Richc.Z.................PE..L.....WV.................2...........:.......P....@..................................k....@..................................Y..x....p...............N..H1..........PQ..8............................T..@............P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data........`.......F..............@....rsrc........p.......H..............@..@.reloc...............J..............@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Regsvr32.exe_b3eb3cb29e2f53535e6ef7c43dfc16c9b238_c5f5e6c5_7f8848ed-687a-478a-b43c-d821fda33871\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0670598643392033
Encrypted:	false
SSDEEP:	192:TvhclkjyY0C4s33xjezLYNOzuiFTZ24IO8vu:Fc2jyzC4sRjeYOzuiFTY4IO8v
MD5:	DED4CFF723655C47B076765F17DA7805
SHA1:	CEEDAC3A35972367CDEE0016C9D2AE4BF45E1AB4
SHA-256:	10C8D08AFAC9A4F65960E8CDB0732266BD9AD8F5FA4A28A17B637EE1AFEBD30E
SHA-512:	DAB44D5328ACE81FDEABCC741DC182EA891C31F27DE6DF37EC433FF0DFD27ED1834A7D6D28723A51A89FD734B6C4FFB1EDD9C6D8E32B8BC1B69E462EFA3458C3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.0.2.1.5.3.4.0.6.4.7.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.0.2.1.5.3.9.3.7.7.2.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.8.8.4.8.e.d.-.6.8.7.a.-.4.7.8.a.-.b.4.3.c.-.d.8.2.1.f.d.a.3.3.8.7.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.f.2.e.a.e.8.-.9.8.7.4.-.4.1.4.4.-.b.8.0.5.-.4.7.c.2.0.c.9.d.5.b.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.4.-.0.0.0.1.-.0.0.1.4.-.7.9.a.3.-.7.1.1.4.0.1.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.b.3.7.7.e.2.b.a.7.8.e.1.3.1.d.7.a.1.8.8.7.c.5.8.c.0.7.3.e.2.3.d.0.0.3.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA18.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 29 10:49:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	79866
Entropy (8bit):	1.8776814456349091
Encrypted:	false
SSDEEP:	384:IIKhEHKJnZ/xuu5HAuFavWg85mnDhzIMo:I9JFh5Aue5fto
MD5:	7A667306AE3BE4B4486D8577F682F81F
SHA1:	FDB359ED80472C2D2EA515FCE3A0886593B9DA96
SHA-256:	95D766C4086333A1C738FF051C49E1A2A655355CDDD0CD044C530784C169DFC5
SHA-512:	2FFBD842A966B9CE6EA1F3A3DDD1D565015A4E6FB5F5FEA430AB0A9560C96FF23B3E653C1ABCDE59818540F62BE35EF72AD31F4B7367AD768BAF7E542059C73D
Malicious:	false
Preview:	MDMP..a..... .......)R.f............T...............h.......$....#..........ZC..........`.......8...........T............:..*...........$#...........%..............................................................................eJ.......%......GenuineIntel............T.......T...&R.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB42.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6346
Entropy (8bit):	3.729884406421248
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb9fjl6HleSYiQFMQEvrt5aMQUB89bjisfJhm:R6l7wVeJNjl6FeSYpqxpDB89bjisfJhm
MD5:	486E784EA55D56F15719D18AB5390066
SHA1:	B442D89E169114BD4CA5B44FF7D4139317D0AE17
SHA-256:	100DE043A8A670ABCC83CA97AD44DEF9C30CA262C5F3ACD691CD9BC5240A3E1F
SHA-512:	4428E932F810EFAACBE222AA54AADC737E47B51C160E5229BD57884DAC8C4802B82E49119938DDFF8084805E917C6B7040176C1D4D93AE6A68E8BBA32C554BDF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB70.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	82938
Entropy (8bit):	3.0899158954270685
Encrypted:	false
SSDEEP:	768:cixoAALWd0rbgt5AGUan8MP1RxdLrsBPIKXZuivBTxNaHn8elXp:rOAACIbgtdN8e77Lrs5IKXgijMn8elZ
MD5:	32EBA7279C0628989628DF4639F6E402
SHA1:	952965C03EFF0877842FDF69B95D088E39F0A5D5
SHA-256:	20866E10F9563F27A4F8FD2F353A5C50E44B2DF366CBB33B6C09E355A7D5A146
SHA-512:	ECECBAFB0A50956BFD46595CAD7088D26C18276C7453775B51734381073FC21BA114E8CB6D4DCC571D5C81220FAA370F5F082990760590F6C8FB7BB6F311D7DF
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB72.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4689
Entropy (8bit):	4.489074486063728
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYNJg77aI90cgzWpW8VYsYm8M4JFZwdOqFyeW+q8gBwOWs+Ggd:uIjfYnI7OcgC7V8JFZgueW16Ns+Ggd
MD5:	5B3C607B6CA6ECBE46EEA753C7F4F891
SHA1:	2538231B3E0A87651606DD0ABC746BA4C1F37AE5
SHA-256:	3F5811E24668CC2295C972DC771A489D129FC22757CF162936860A8E7DA45908
SHA-512:	1B82D753B771B33DA7F98013E6135827D78AC02E3EE6917926C850A8F8AACD8D25974B9CEFE6E96CE7B735232DBAB8DCECE796548480E2A7E4773487598692A9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="476751" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBBF.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6859809526501093
Encrypted:	false
SSDEEP:	96:TiZYWob0sXX7Y0YFWXMHLYEZpRtEiJ4Tmmw2cqaitRMO1ijIb03:2ZDoTLDwKbaitRM6isb03
MD5:	9B19B6CFF466A5DC45F188274EF1479F
SHA1:	9453E508D60A4D499F9826A0E22B4EE895D18932
SHA-256:	AD2DC9FA49497D93F6979E3F60F642134F48299FB756C21FA1024F7387F51C42
SHA-512:	2BF1635FC5A65D24F163872F71B815D88B31DCFC4F83161D32E770C76076F25BAC1AC0778A2AC2F52AC95AFC32640364DC728671C421491930A1214F83443E0C
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\LetsVPN\LetsPRO.exe_Url_p3b1qocdh1oiz03ydqdjgabo0udusl02\1syx2wap.newcfg

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	5.040832609250562
Encrypted:	false
SSDEEP:	6:TMVBd1IGpOSAMBluqTSS3Xd0VqPi/lKOG3QIT:TMHdGGpOKDNndoXG3xT
MD5:	32F1DDC544981B780AF61DCFC5A406CB
SHA1:	B3412031776D8745DC2615A02AA2E3219A4C8C22
SHA-256:	EC52E5DEB52B70C97CEDF1EB957BD4AF3696E9EDE1224A65FB0A43E13519BE19
SHA-512:	4F0F1E038EC84ECEE7B269B62EA897433C8207A659175440AF02BD6166D197284C91B6F62CD61F5DFCBE7D297FFF3DEB582A7A9E8DF810CEAF8302CCD515E954
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterInstallId" value="67744287-eac7-4af4-940c-78dba9c08cee" />.. </appSettings>..</configuration>

C:\Users\user\AppData\Local\LetsVPN\LetsPRO.exe_Url_p3b1qocdh1oiz03ydqdjgabo0udusl02\AppCenter.config (copy)

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	5.040832609250562
Encrypted:	false
SSDEEP:	6:TMVBd1IGpOSAMBluqTSS3Xd0VqPi/lKOG3QIT:TMHdGGpOKDNndoXG3xT
MD5:	32F1DDC544981B780AF61DCFC5A406CB
SHA1:	B3412031776D8745DC2615A02AA2E3219A4C8C22
SHA-256:	EC52E5DEB52B70C97CEDF1EB957BD4AF3696E9EDE1224A65FB0A43E13519BE19
SHA-512:	4F0F1E038EC84ECEE7B269B62EA897433C8207A659175440AF02BD6166D197284C91B6F62CD61F5DFCBE7D297FFF3DEB582A7A9E8DF810CEAF8302CCD515E954
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterInstallId" value="67744287-eac7-4af4-940c-78dba9c08cee" />.. </appSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\AppCenter\67744287-eac7-4af4-940c-78dba9c08cee\Logs.db

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3031001, file counter 2, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.7365828905999076
Encrypted:	false
SSDEEP:	24:TLJTr2R3C7tijyXH4jUv1YlYBB1MwX971WUUW/hvokq:TNTr2ZC7tvPdIYBTT9R7/hQl
MD5:	11A88FA37F5F2336A71949DEDB67D1F5
SHA1:	3E6641A167F7E3B591F855CD897946ED1451F5D6
SHA-256:	6A72E6CFC4AD855BDFDE3D1490D825F6FBF14C483A2455C7EF5747B1CF97AD12
SHA-512:	17171DBA90240864A811CB30F9AE9F10847180620F0D658FFC8C8643DBA5CF3189E50A75484E677F0C55ECC3C3801104F9FDE0C0905E165940A5EA09CACA022F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................?.........\|.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\AppCenter\67744287-eac7-4af4-940c-78dba9c08cee\Logs.db-journal

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	0.2797877288842874
Encrypted:	false
SSDEEP:	12:7+t0HHML4qLiuWkJrTSFlyiGQFj9K8mEQ+Oa:7+twsL4qLiuWWr2R3Cw
MD5:	BA725B68152F77BA82367355B04EBC51
SHA1:	446D04B140939C6FC568E15FBEAFDE100B998536
SHA-256:	448245AD24795D0B1526F25B65E155C71671602E0929112414F46F129077961F
SHA-512:	E10C1375816CEB34C61A10CB86E23242604D304E42C9DE01EAC6F17AE979EB2E7CC511E7DD888F049810FE04BB3E8BAC54C34F3BC29B549BFE549148A67DF0C9
Malicious:	false
Preview:	.... .c.......o.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	34383
Entropy (8bit):	5.053402703870376
Encrypted:	false
SSDEEP:	768:QPV3IpNBQkj2Ph4iUxsfrRJv5FqvXhARlardFRgrOdBPtAHkDNZbNKeCMiYo6:QPV3CNBQkj2Ph4iUxsflJnqv6qdPgrOf
MD5:	D63CB5E171D7FCFE28C9E904F6855F08
SHA1:	8C6B004EC20FF61EF4CA9EAFA6F0254364A960AB
SHA-256:	F081E30CF5BB68206C7A59B83BC914B9BD2ED59FBEE26843075D2D0CD7393354
SHA-512:	E9F534C0087182A51D5BE60E14FA992B2B933F444D32C2A2DBA3C7D4FCD6A1F418CF7A6A8B37165A61ED4D5B096716308035E117199A5B94FA796B58C041DB74
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........{HB.z..S...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1........Get-NetSwitchTeam........Add-NetSwitchTeamMember........Get-NetSwitchTeamMember........Remove-NetSwitchTeamMember........New-NetSwitchTeam........Rename-NetSwitchTeam........Remove-NetSwitchTeam..........zB.z..E...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1........Get-NetQosPolicy........Remove-Ne

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2240
Entropy (8bit):	5.363279844300156
Encrypted:	false
SSDEEP:	48:bWSU4y4RQmFoULF+gZ9tK8NPP8xL7u1iMuge//ZmUyuE:bLHyIFKEDZ2KHuLOuggE
MD5:	54AA64E69392B1E92E334B6028138E36
SHA1:	2F8C2D2D3C04158A87DC088AF8D2CE2A372333B8
SHA-256:	A426BB4128143A2BF8EA45D66361B32D7AC6289B789DDDF99E466332A6A3FD1D
SHA-512:	C2FBEC78DEAD57354EC8A6B1DBC7F7CCE553F258ED27EF59C841E660536EB41FE9BE8F2BCB84C22D5734900BFCE4D274DF3F4076ACDDC7916228EB50A7663B52
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, many, 16939552 bytes, 6 files, at 0x2c +A "desk_compositor_x86.dll" +A "FileVPN.exe", ID 2661, number 1, 517 datablocks, 0 compression
Category:	dropped
Size (bytes):	16939552
Entropy (8bit):	7.9671732750702775
Encrypted:	false
SSDEEP:	393216:fM4hc5h2cX5jP9bEVNLx/c9+ru+9vD7c2pIE51it7JOJkZF9:qZz9wXtc9+q+dvpIE51M7J
MD5:	95CFB87597836ABC5A9E4FD3B5293702
SHA1:	C68B82AB577F79207DC2469521C7D41D37159AA1
SHA-256:	D824D2F35FEFE93E5BE0AA715199E5CAAF8CAD9E58E10A02331542C0BFA6C025
SHA-512:	0533E6347AC515654E757C84670BE96D1CE0C1AF27F264050F6B64A2ADAEAD3190ACEF94C5D52F243608B73E57C140960067197B93912F5A102BF640686F6876
Malicious:	false
Preview:	MSCF.... z......,...............e.....................)Lbv .desk_compositor_x86.dll.P..........YL. .FileVPN.exe..0..P......Yx. .FileVPN3.8.1.exe.8...P.....)Liv .msvcp120.dll.8..........K<Q .msvcr120.dll.H.........)Lhv .runshelldraw_x86.exe.X.......MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................K...........<.......<.......<.............l....<.....<.....<.....<Z....<....Rich..................PE..L......f...........!...&.............A....................................... ............@................................p...P................................,...h..8....................i.......g..@...............`............................text............................... ..`.rdata..............................@..@.data...T&..........................@....rsrc...............................@..@.reloc...,..........................@..B................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	15195472
Entropy (8bit):	7.9970045407728945
Encrypted:	true
SSDEEP:	393216:SDloASZdK8lSn5ZZF9w6nTnajccaP9BrqgePjKZn:SW/KscNF9wETCKP9BrqdPjc
MD5:	A59B68EA2372F9C9F6A0603FD5013174
SHA1:	47977148D62EC5463E2E030B9D2889D59FE1244D
SHA-256:	4B960011DCD10929CD768BB069F275AC1E1150C7710E835481C35152920E09C9
SHA-512:	2A333492EA3F94F960858BFB01A16086EA1645F4787DD1BA3D25DE0AB9ADBEAE3250D9E780741F94B5E98CD18059C0D42D26A6A5316BA0BDF10458BBEEC144ED
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h...........3............@..........................@............@..........................................p.................x&...........................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata... ...P...........................rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838702162360183
Encrypted:	false
SSDEEP:	192:P+GQWExgCS+Ooxyf0zxsbqmU5XPP3Q5tfBDR:mGQWE4oxyVUpH3w
MD5:	92114D5C56FD14D35E98E60ED2943477
SHA1:	80A7897A122EF99BC1EDA9945A3848283AF2BDBF
SHA-256:	993BE2A7439A18C3E8FAF9898C42168DF60C5438D2B5203745C6760B2C9E1987
SHA-512:	EC9411A8D2BAEF5D0A9CC8136ED93008BB568E64A74B91F7931595E39244E0227A6FCD0223F0CA5BFCCF6BF31F79B3C29B7DCFC689CE0C33EE2C5C0282D1166D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.JJ..JJ..JJ..C2!.@J...?..HJ...?..XJ...?..@J...?..IJ..^!..OJ..JJ..rJ..?..KJ..?M.KJ..?..KJ..RichJJ..........PE..d...R..f.........."..........".................@..........................................`.................................................T+.......`.......P...............p..,....%..p............................%..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\0a44da956e4f4348b70f90f5a63f8a19.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462392
Entropy (8bit):	6.723012474887983
Encrypted:	false
SSDEEP:	12288:EZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77l:M/8wVwHZFTwFOOos3Ooc8DHkC2e77l
MD5:	A34AED811909AAE9262DE05400A8F2A4
SHA1:	43E91F7FEDB04EF94B7D8B571408EA240CA5FD62
SHA-256:	4B0C0671495A3EA7EDEDB43EA4330B4B3E932BE01EDA42E58C20B1B6BF26E5E9
SHA-512:	590BD85CF61C682EBFCC52C598AFB2C8D1050CFA9A2B912ECE3ACD6F2760B7799F26837AEDE88190B10CD9127C68AF08A1C481EDD8770845404AAA128422B9C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N.Nm.gN.Nm.bN*.NRich+.N........................PE..L....\|OR.........."!.........................0......................................W.....@..........................W..L...<...<.......................8Z.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\2b5b114ccdb3e048bd6a932b2bf29f69.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	15195472
Entropy (8bit):	7.9970045407728945
Encrypted:	true
SSDEEP:	393216:SDloASZdK8lSn5ZZF9w6nTnajccaP9BrqgePjKZn:SW/KscNF9wETCKP9BrqdPjc
MD5:	A59B68EA2372F9C9F6A0603FD5013174
SHA1:	47977148D62EC5463E2E030B9D2889D59FE1244D
SHA-256:	4B960011DCD10929CD768BB069F275AC1E1150C7710E835481C35152920E09C9
SHA-512:	2A333492EA3F94F960858BFB01A16086EA1645F4787DD1BA3D25DE0AB9ADBEAE3250D9E780741F94B5E98CD18059C0D42D26A6A5316BA0BDF10458BBEEC144ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h...........3............@..........................@............@..........................................p.................x&...........................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata... ...P...........................rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\5985ccaab8164b40a1c1ca44621e6eb9.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254464
Entropy (8bit):	6.344679508153885
Encrypted:	false
SSDEEP:	6144:zPotONhclp61VE9ucRSPPzK2DIypT+kHberN052:jotahcfgeucRWHarN052
MD5:	2D3702B366F4BEB050CC55108496B8AF
SHA1:	04116170A8596BF68698C2BD89330D0B6AE7C6B1
SHA-256:	1012EAE65987061726C6209F1E3962051B90AAC1F8BDF731E512F68940A76F29
SHA-512:	A254E043B1BFFBFFDB7198905A1F85F006787326AA9034CC676DCF89FB5EFB0F4A9F93CAEC78A8B7A166BD627AA4146B084B103842FEB3216111DBD4D81C0969
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................K...........<.......<.......<.............l....<.....<.....<.....<Z....<....Rich..................PE..L......f...........!...&.............A....................................... ............@................................p...P................................,...h..8....................i.......g..@...............`............................text............................... ..`.rdata..............................@..@.data...T&..........................@....rsrc...............................@..@.reloc...,..........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\81edc0915ea6864aac385e5a3ec27eaa.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	977976
Entropy (8bit):	6.974714106566183
Encrypted:	false
SSDEEP:	12288:5BmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJFd:HmFyjLF847eiWWcoGZVOIxh/WxIAIb3d
MD5:	4BA8032E50A8782497F056266A10564C
SHA1:	79385E5982EDA895CDE937DA82FC98314A49B915
SHA-256:	093E022FD358E39D5DB8BFA793B9E41C1EF2CC031CB8A90DEBF4898D5D9B2B91
SHA-512:	49BFA1D5D1057ACDA73923C5E2858B36A2462997AB0F353CECAA91CDEBE9BF1305DBC201266215412160FA657C08A6153485F482FE410CCD0FF5E463960844CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....\|OR.........."!................D................................................'....@.........................`........R..(....p..................8Z......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\9bac9942738246429eadfaf2ebba18a1.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838702162360183
Encrypted:	false
SSDEEP:	192:P+GQWExgCS+Ooxyf0zxsbqmU5XPP3Q5tfBDR:mGQWE4oxyVUpH3w
MD5:	92114D5C56FD14D35E98E60ED2943477
SHA1:	80A7897A122EF99BC1EDA9945A3848283AF2BDBF
SHA-256:	993BE2A7439A18C3E8FAF9898C42168DF60C5438D2B5203745C6760B2C9E1987
SHA-512:	EC9411A8D2BAEF5D0A9CC8136ED93008BB568E64A74B91F7931595E39244E0227A6FCD0223F0CA5BFCCF6BF31F79B3C29B7DCFC689CE0C33EE2C5C0282D1166D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.JJ..JJ..JJ..C2!.@J...?..HJ...?..XJ...?..@J...?..IJ..^!..OJ..JJ..rJ..?..KJ..?M.KJ..?..KJ..RichJJ..........PE..d...R..f.........."..........".................@..........................................`.................................................T+.......`.......P...............p..,....%..p............................%..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\b8a46b537f16427fbeb41bd3281c9f2b$dpx$.tmp\e8d300304718b54d9e84334fbab4ba69.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32584
Entropy (8bit):	6.899768077055986
Encrypted:	false
SSDEEP:	768:5pCrkeS9Wx6JIeWHbt5PON0ykT8s18Y7:5pCYeJ6WeWHvPM0CE8
MD5:	2BA1B334190DC1FE43B1D9FC330EA384
SHA1:	699BFC6D6AEDFD77A25EE4F2A58A428BEFD8395E
SHA-256:	0AFFDA7968743ECBB729942E09B707D25E5D8A320E30D1F72BDBDFF8417AB13C
SHA-512:	C285B5235ECE5BA3962EAFB390A5873B0668E014A863536D60CC3EF17C835905169DDC107E1BF39EDB09BA8574082CF7BEB6B94977ED8482873B27CC4C76DD3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.4Wc.Z.c.Z.c.Z.n...a.Z.%...b.Z.%...p.Z.%...e.Z.%...g.Z.j...h.Z.c.[...Z.n...`.Z.n...b.Z.n...b.Z.Richc.Z.................PE..L.....WV.................2...........:.......P....@..................................k....@..................................Y..x....p...............N..H1..........PQ..8............................T..@............P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data........`.......F..............@....rsrc........p.......H..............@..@.reloc...............J..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\desk_compositor_x86.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254464
Entropy (8bit):	6.344679508153885
Encrypted:	false
SSDEEP:	6144:zPotONhclp61VE9ucRSPPzK2DIypT+kHberN052:jotahcfgeucRWHarN052
MD5:	2D3702B366F4BEB050CC55108496B8AF
SHA1:	04116170A8596BF68698C2BD89330D0B6AE7C6B1
SHA-256:	1012EAE65987061726C6209F1E3962051B90AAC1F8BDF731E512F68940A76F29
SHA-512:	A254E043B1BFFBFFDB7198905A1F85F006787326AA9034CC676DCF89FB5EFB0F4A9F93CAEC78A8B7A166BD627AA4146B084B103842FEB3216111DBD4D81C0969
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................K...........<.......<.......<.............l....<.....<.....<.....<Z....<....Rich..................PE..L......f...........!...&.............A....................................... ............@................................p...P................................,...h..8....................i.......g..@...............`............................text............................... ..`.rdata..............................@..@.data...T&..........................@....rsrc...............................@..@.reloc...,..........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\msvcp120.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462392
Entropy (8bit):	6.723012474887983
Encrypted:	false
SSDEEP:	12288:EZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77l:M/8wVwHZFTwFOOos3Ooc8DHkC2e77l
MD5:	A34AED811909AAE9262DE05400A8F2A4
SHA1:	43E91F7FEDB04EF94B7D8B571408EA240CA5FD62
SHA-256:	4B0C0671495A3EA7EDEDB43EA4330B4B3E932BE01EDA42E58C20B1B6BF26E5E9
SHA-512:	590BD85CF61C682EBFCC52C598AFB2C8D1050CFA9A2B912ECE3ACD6F2760B7799F26837AEDE88190B10CD9127C68AF08A1C481EDD8770845404AAA128422B9C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N.Nm.gN.Nm.bN*.NRich+.N........................PE..L....\|OR.........."!.........................0......................................W.....@..........................W..L...<...<.......................8Z.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\msvcr120.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	977976
Entropy (8bit):	6.974714106566183
Encrypted:	false
SSDEEP:	12288:5BmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJFd:HmFyjLF847eiWWcoGZVOIxh/WxIAIb3d
MD5:	4BA8032E50A8782497F056266A10564C
SHA1:	79385E5982EDA895CDE937DA82FC98314A49B915
SHA-256:	093E022FD358E39D5DB8BFA793B9E41C1EF2CC031CB8A90DEBF4898D5D9B2B91
SHA-512:	49BFA1D5D1057ACDA73923C5E2858B36A2462997AB0F353CECAA91CDEBE9BF1305DBC201266215412160FA657C08A6153485F482FE410CCD0FF5E463960844CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....\|OR.........."!................D................................................'....@.........................`........R..(....p..................8Z......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\runshelldraw_x86.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32584
Entropy (8bit):	6.899768077055986
Encrypted:	false
SSDEEP:	768:5pCrkeS9Wx6JIeWHbt5PON0ykT8s18Y7:5pCYeJ6WeWHvPM0CE8
MD5:	2BA1B334190DC1FE43B1D9FC330EA384
SHA1:	699BFC6D6AEDFD77A25EE4F2A58A428BEFD8395E
SHA-256:	0AFFDA7968743ECBB729942E09B707D25E5D8A320E30D1F72BDBDFF8417AB13C
SHA-512:	C285B5235ECE5BA3962EAFB390A5873B0668E014A863536D60CC3EF17C835905169DDC107E1BF39EDB09BA8574082CF7BEB6B94977ED8482873B27CC4C76DD3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.4Wc.Z.c.Z.c.Z.n...a.Z.%...b.Z.%...p.Z.%...e.Z.%...g.Z.j...h.Z.c.[...Z.n...`.Z.n...b.Z.n...b.Z.Richc.Z.................PE..L.....WV.................2...........:.......P....@..................................k....@..................................Y..x....p...............N..H1..........PQ..8............................T..@............P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data........`.......F..............@....rsrc........p.......H..............@..@.reloc...............J..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1442
Entropy (8bit):	3.6599623367313736
Encrypted:	false
SSDEEP:	24:zAdX8DW8dcj3/Lnv5DjgukdrF39/KH99/KHzMy29/KHzj/X0XQwlp:zABXxngukhF39/y99/yQl9/yXrwb
MD5:	BD90B2B0B255DF68A14F3747807D2EED
SHA1:	7164E44DCC22D03CE04174E0F34A285915CAFAF3
SHA-256:	D8D89844935750B1B261A9827D1CB7E9E3151F2CA6BDC33B6CB6D84E1C621B19
SHA-512:	5EE30CC6336614D25348E14A34F4AEF2BB038EBF77F33B353FA405D7D08830596C3B469ECF1E5784E00C22C9891172933AA2F94444A065E7E3390E19B34C0CD7
Malicious:	false
Preview:	W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.7.-.Z.i.p...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.a.l.w.a.y.s...B.a.s.e.N.a.m.e.=.F.i.l.e.V.P.N.3...8...1...e.x.e...C.a.b.H.a.s.h.=.d.8.2.4.d.2.f.3.5.f.e.f.e.9.3.e.5.b.e.0.a.a.7.1.5.1.9.9.e.5.c.a.a.f.8.c.a.d.9.e.5.8.e.1.0.a.0.2.3.3.1.5.4.2.c.0.b.f.a.6.c.0.2.5...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=..F.I.L.E.S.D.I.R....U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.5.d.d.9.2.4.9.0.-.6.7.e.1.-.4.a.c.5.-.a.d.7.6.-.1.5.0.e.a.a.0.f.9.d.9.9.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.5.d.d.9.2.4.9.0.-.6.7.e.1.-.4.a.c.5.-.a.d.7.6.-.1.5.0.e.a.a.0.f.9.d.9.9.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.a.m.e.t.e.r.s.=...R.u.n.A.f.t.e.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pnwljeh.ej4.ps1

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ckngqwr.2al.psm1

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5jx3nzv.4uj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebfkmvzd.a3l.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g1ur4lif.rxs.psm1

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hild04or.t2b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwm2cdmi.34w.ps1

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iszz5h0n.xos.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnvyddpm.0cb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrtikq51.bqw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.890541747176257
Encrypted:	false
SSDEEP:	192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:	75ED96254FBF894E42058062B4B4F0D1
SHA1:	996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:	A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:	58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\modern-header.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PC bitmap, Windows 3.x format, 150 x 57 x 8, image size 8666, resolution 2834 x 2834 px/m, 255 important colors, cbSize 9740, bits offset 1074
Category:	dropped
Size (bytes):	9740
Entropy (8bit):	6.554125039233327
Encrypted:	false
SSDEEP:	192:bDIK82wKywC116+rwdTKMRjwgKhww4R1jwlIHvNbmwQo8TTJG4:bv82wKywC7DrwdTKMRjwgKhwwY1jwlQq
MD5:	5ACF495828FEAE7F85E006B7774AF497
SHA1:	5D2EEF3EEBB9A72678DCCD404475341116508306
SHA-256:	6CFEBB59F0BA1B9F1E8D7AA6387F223A468EB2FF74A9ED3C3F4BB688C2B6455E
SHA-512:	D1D40C88E2167315A309005B831ACBEAB0919D5A3B1FF5AAA273DB945C8818FC2118EFDB503E4BDA055F309306E72224F54DEF0B1F0AB6F61FE4DBA66784ED68
Malicious:	false
Preview:	BM.&......2...(.......9............!..................,...788.WXX.................................................................h...;m..i...f...O...l...)J[. :G.n...p...o...%AO.....y...W.......o...........8O[.C^l...........#.....................................p...........................................................?AB.....;....+;.>...+y..4....BY.V...f...H...5bz.%DU.j...j...h...d...b...W...N...]....0<.m...Dy..3Zo.c...U...q....Pb.s...v...v...M...y...{...q...}...}.......y............+3.............g...................................Nn..Hfv.................&5=.................................................................................................................................^s~.............................................................................................................................8....Tt.G....!+..........%..................................................\gn.............................................#$%.oqs.....zz{...................................

C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 8, image size 51498, resolution 2834 x 2834 px/m, 255 important colors, cbSize 52572, bits offset 1074
Category:	dropped
Size (bytes):	52572
Entropy (8bit):	7.144132089574
Encrypted:	false
SSDEEP:	192:mfR2FYRtCc9X1uikvgqm+LPTTw9Bu8Skn+x23acmHjZXuxZpCAe9Crxpn319UDSQ:mf0YRt/km+b3wG0nt2UC6rOf
MD5:	7F8E1969B0874C8FB9AB44FC36575380
SHA1:	3057C9CE90A23D29F7D0854472F9F44E87B0F09A
SHA-256:	076221B4527FF13C3E1557ABBBD48B0CB8E5F7D724C6B9171C6AADADB80561DD
SHA-512:	7AA65CFADC2738C0186EF459D0F5F7F770BA0F6DA4CCD55A2CECA23627B7F13BA258136BAB88F4EEE5D9BB70ED0E8EB8BA8E1874B0280D2B08B69FC9BDD81555
Malicious:	false
Preview:	BM\.......2...(.......:...........*.......................Y[[.....z}~.................................................5by.k...6by.m...o...p...q...9dz.s...t...w...x...`...=f{.{.......}...................~...Q...........b.......-FS.~...m...v............%+.................................................................-;B.................................................................................................................................prs.;....AY.4...(m..E...P...\...f...l...n...o...8cz.l...r...q...q...r...s...t...l...v...u...;dz.v...y...w...w...z...i...y...z...{...~...}.......W...Jw..@g\|.....................]...@ey.................Go..............Ch\|.<]o.............................\|...@bt.9Wg.........5P_.....................................................`...c...t...q...............................................[q}.........................Rcl.....................................:....~...Ts.m........... 1;.......................................!.............+,-...........

C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.101872593207892
Encrypted:	false
SSDEEP:	192:oF8cSzvTyl4tgi8pPjQM0PuAg0YNy8IFtSP:EBSzm+t18pZ0WAg0R8IFg
MD5:	CA95C9DA8CEF7062813B989AB9486201
SHA1:	C555AF25DF3DE51AA18D487D47408D5245DBA2D1
SHA-256:	FEB6364375D0AB081E9CDF11271C40CB966AF295C600903383B0730F0821C0BE
SHA-512:	A30D94910204D1419C803DC12D90A9D22F63117E4709B1A131D8C4D5EAD7E4121150E2C8B004A546B33C40C294DF0A74567013001F55F37147D86BB847D7BBC9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....oZ...........!.........0...............0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..v............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoEB83.tmp\nsExec.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.156301589898623
Encrypted:	false
SSDEEP:	96:cjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNG3m+s:9bogRtJzTlNR8qD85uGgmkNP
MD5:	3D366250FCF8B755FCE575C75F8C79E4
SHA1:	2EBAC7DF78154738D41AAC8E27D7A0E482845C57
SHA-256:	8BDD996AE4778C6F829E2BCB651C55EFC9EC37EEEA17D259E013B39528DDDBB6
SHA-512:	67D2D88DE625227CCD2CB406B4AC3A215D1770D385C985A44E2285490F49B45F23CE64745B24444E2A0F581335FDA02E913B92781043E8DFD287844435BA9094
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L.....oZ...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\LetsVPN.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jul 29 06:57:36 2024, mtime=Thu Aug 29 09:50:12 2024, atime=Mon Jul 29 06:57:36 2024, length=245880, window=hide
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	4.627806611002376
Encrypted:	false
SSDEEP:	24:8m8a/EKdOE4l73iAsxa1dyOd/UUDp608yfm:8m8acKdOz73BsU1dyOds6L
MD5:	8B996A8B7A70F6B4B1651C439D478942
SHA1:	9DE4A800EB0AAE3E21B613A26353D1AE36B44069
SHA-256:	124DF90D40F0CE62DC86A0718255174FDE907EC62AF2CAC0484A84FED7D84281
SHA-512:	409FE0B6E7547E4FA3CAF5E86FC1FADFA03704B435383E004504BF1E4E891C10AAC587C12CB99F5F81FB0813B6EA1E17E35CBC1DFDD9499A5C23BA968D091330
Malicious:	false
Preview:	L..................F.... ..........;.09...........x............................P.O. .:i.....+00.../C:\.....................1......YGV..PROGRA~2.........O.I.YGV....................V.......&.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......YGV..letsvpn.@.......YGV.YGV.........................h...l.e.t.s.v.p.n.....b.2.x....X2? .LetsPRO.exe.H.......X2?.YGV..............................L.e.t.s.P.R.O...e.x.e.......Y...............-.......X.............C......C:\Program Files (x86)\letsvpn\LetsPRO.exe..B.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.L.e.t.s.P.R.O...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z\|...K.J.........`.......X.......897506...........hT..CrF.f4... .{..l.e...,.......hT..CrF.f4... .{..l.e...,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x.....h....H.....K.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\Uninstall.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	748
Entropy (8bit):	3.2737228350597944
Encrypted:	false
SSDEEP:	12:8wl0Va/ledp8A/LK4YRMbdpYgRtbdpYqQ/CNU7wILY:8BdOAW4Y+djXdYOU7wy
MD5:	11984F64C473AE1943513606AEDFCBD7
SHA1:	18384C4C4E5543CAC6CA66E215A2A83079C6EC6A
SHA-256:	0F2DDA5213400826EFB6D35712687CEF3D671ABD597CC1BC9B3F49057C6410D0
SHA-512:	8216AAEF5FCAD76219328476FEB2ACE4CC41BA9CE6C870CAA8CD9835D0537DC57ECEF8E6FD8C22F73C2D49900C1C74B01862E235924818703A3ECA978F6D77C6
Malicious:	false
Preview:	L..................F........................................................_....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".V.1...........letsvpn.@............................................l.e.t.s.v.p.n.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......A.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z\|...K.J.........M.......A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.................

C:\Users\user\Desktop\LetsVPN.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jul 29 06:57:36 2024, mtime=Thu Aug 29 09:50:15 2024, atime=Mon Jul 29 06:57:36 2024, length=245880, window=hide
Category:	dropped
Size (bytes):	988
Entropy (8bit):	4.6620879682903
Encrypted:	false
SSDEEP:	24:8mUa/EKdOE4q3iAsxaXdyOd/UUDp608yfm:8mUacKdOw3BsUXdyOds6L
MD5:	5A226F73A51B10631BD8AA126ADC66D4
SHA1:	0F45F2709DDEBF72FAF51BF5D953A68E79A38FEE
SHA-256:	98AC171560188A4C916FF60F98BF9307503F9ED24D26680DF2112BA0004FAE73
SHA-512:	1B3F66A0D401F976353A7056C278708ED643FDB41C44A63B6D1F4541B457D00AFC4DACBC10AD1DC269D609F10E47858F55B59879A64A4BEE6FEC77A7C7EB0FC0
Malicious:	false
Preview:	L..................F.... ............;...........x............................P.O. .:i.....+00.../C:\.....................1......YGV..PROGRA~2.........O.I.YGV....................V.......&.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......YHV..letsvpn.@.......YGV.YHV...........................o.l.e.t.s.v.p.n.....b.2.x....X2? .LetsPRO.exe.H.......X2?.YGV..............................L.e.t.s.P.R.O...e.x.e.......Y...............-.......X.............C......C:\Program Files (x86)\letsvpn\LetsPRO.exe..0.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.L.e.t.s.P.R.O...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z\|...K.J.........`.......X.......897506...........hT..CrF.f4... .{..l.e...,.......hT..CrF.f4... .{..l.e...,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	43925
Entropy (8bit):	5.045001500247997
Encrypted:	false
SSDEEP:	384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwr05haudZeodCU7i/vja:Own95cdyYloiwQ+nodave
MD5:	646581A2E5F5453D5B24BD1E0B96786E
SHA1:	1C16284A6417D995D6289ADE755EA3CEDD53D7FC
SHA-256:	879CCDFA1647EBF479F10D7D989CDEC63BEF08CBFB1B0519AAA025EC743DCA53
SHA-512:	C6D8872645ABC473498B81E7035FF390ED910F2BDE5D44E070ECE8FADE757952FAA43B72C043E4392DFEA809C6BF2B990B66A5F8DDA5EC84D116B4AD823685D6
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\Installer\6ed162.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 23.1.0.0, Subject: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Igor Pavlov, Keywords: Installer, Template: x64;1033, Revision Number: {2C440493-81B6-4F08-8BAF-7B29575A145C}, Create Time/Date: Thu Jan 11 14:59:38 2024, Last Saved Time/Date: Thu Jan 11 14:59:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Category:	dropped
Size (bytes):	17215488
Entropy (8bit):	7.956099970741459
Encrypted:	false
SSDEEP:	393216:OM4hc5h2cX5jP9bEVNLx/c9+ru+9vD7c2pIE51it7JOJkZF9:lZz9wXtc9+q+dvpIE51M7J
MD5:	CA1D0BCC5FB18B2B312C2981A9FDA576
SHA1:	A2FED73441B207EDEE0F355B6468854A63E8CE25
SHA-256:	66BFCA2C51B6B49C0900B8B401DBA81E638FF97885418A5FDCFC95FD1D21A8E6
SHA-512:	249AEFDEE277ADB729102504AED15FDC61E42753D649EC6030830BFA584CE4D9DFCDD10DBDCC74413EA2BEF5A102501D51C40D28F90FFC24A181F89159D49C4B
Malicious:	false
Preview:	......................>.......................................................>...?...@...A...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6ed164.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 23.1.0.0, Subject: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Igor Pavlov, Keywords: Installer, Template: x64;1033, Revision Number: {2C440493-81B6-4F08-8BAF-7B29575A145C}, Create Time/Date: Thu Jan 11 14:59:38 2024, Last Saved Time/Date: Thu Jan 11 14:59:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Category:	dropped
Size (bytes):	17215488
Entropy (8bit):	7.956099970741459
Encrypted:	false
SSDEEP:	393216:OM4hc5h2cX5jP9bEVNLx/c9+ru+9vD7c2pIE51it7JOJkZF9:lZz9wXtc9+q+dvpIE51M7J
MD5:	CA1D0BCC5FB18B2B312C2981A9FDA576
SHA1:	A2FED73441B207EDEE0F355B6468854A63E8CE25
SHA-256:	66BFCA2C51B6B49C0900B8B401DBA81E638FF97885418A5FDCFC95FD1D21A8E6
SHA-512:	249AEFDEE277ADB729102504AED15FDC61E42753D649EC6030830BFA584CE4D9DFCDD10DBDCC74413EA2BEF5A102501D51C40D28F90FFC24A181F89159D49C4B
Malicious:	false
Preview:	......................>.......................................................>...?...@...A...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID3F2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	432924
Entropy (8bit):	6.486709191857393
Encrypted:	false
SSDEEP:	12288:AtJRQ+gjpjegDro8itJRQ+gjpjegDro8o:AtBcpVDhitBcpVDho
MD5:	C22B9F38FB9A2DD3184ECB7D1DD4F2FA
SHA1:	E6512536618D4B9587A58594F3CDB788659D317A
SHA-256:	CD4E7902A0CD65B73257D7697FFDF6D3CAFD4FF65C098C5113A2F2501702EA4E
SHA-512:	FE74AB316AD1CB0A0B7198D8DB965C13837FE2E17D75FF204F9EAFBED61466180B067426E662BC99B46DDE5D9314D8B35A36D5F8491162B09C868658DAE5E099
Malicious:	false
Preview:	...@IXOS.@.....@"6.Y.@.....@.....@.....@.....@.....@......&.{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}P.7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..SBSLMD5qhm.msi.@.....@.....@.....@......ProductIcon..&.{2C440493-81B6-4F08-8BAF-7B29575A145C}.....@.....@.....@.....@.......@.....@.....@.......@....P.7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}=.22:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\7-Zip\LogonUser.@.......@.....@.....@........bz.LateInstallFinish1....J...bz.LateInstallFinish1.@.......@..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....

C:\Windows\Installer\MSID403.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:	3072:xspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8:jtOdiRQYpgjpjew5DHyGxcqo8
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIDC22.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:	3072:xspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8:jtOdiRQYpgjpjew5DHyGxcqo8
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEEFF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:	3072:xspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8:jtOdiRQYpgjpjew5DHyGxcqo8
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF28A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:	3072:xspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCL42loHUvU0yGxr5GqM2a8:jtOdiRQYpgjpjew5DHyGxcqo8
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164056043534306
Encrypted:	false
SSDEEP:	12:JSbX72FjG/iAGiLIlHVRpZh/7777777777777777777777777vDHFnvOiqlHhMh6:Jg6QI5tJvyXiF
MD5:	1E72CE511AF8207E744768F459E6760F
SHA1:	0EDF7488F4922E186A008E2CE3B5D31D218C4A56
SHA-256:	012C779717B6018AF5DFFDD83123D30AE9727154886C3606DB6D8C80EA92BBF9
SHA-512:	F659AA765DB9E1B67501CA1BBA70B713503C5BCC9D1ABD3510C5109336054B5B24CAA901950ABD8EFF9C2421A9714C65A9EAF1FBF88EC482DA6D18DE67713A19
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.533028489448828
Encrypted:	false
SSDEEP:	48:r28PhYuRc06WXJ0nT5tejeJhdASPo4rXvdASB21rJMoBV:NhY13nTT0eJkvqpOV
MD5:	B6DC91A40BADBA70C3474F5FA48380D2
SHA1:	084136CE1D296E60BFAD3470110C483917EBFDD0
SHA-256:	BCE84EC01F931665B217F1D977C8AB2CB64950A0DF845AC1ADE861C410CB1E8B
SHA-512:	5DFDC0C2503FF0ADF8DB1EA9867C8BB7514627AB850BA01885F20FB591102FE4FA9C204965DE2DACBDF41FCA800DA3CDDACF7D506EAF92A333BFD9F940B552C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{FC07A022-E0BF-4B1C-97CC-BF53E9AA5724}\ProductIcon

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	4846
Entropy (8bit):	1.9993703201708988
Encrypted:	false
SSDEEP:	24:pzEibcMVUilxfOtfcHi18SG7EG+WZ4WN83+/pDv6j6dtimCixribD:hcMVhlOta08t7E/gbN1pv6uE
MD5:	E08D8679C551D138020C9FDE128C2382
SHA1:	AA57F0618934587621A8082B9B5460165014F341
SHA-256:	649C3C8780A116E625EE8124338642C2088B5153B4280BDF7A42B544FECF0730
SHA-512:	165CA1FE510CD99BCCF6676215A868ECAB3E11FFB98A9C551CB56E7256A278E3F714C2CBDDCD6C8DCC88A8A04EE6A3898DC435499C1C98F04CB8255374392BDB
Malicious:	false
Preview:	...... ..........6...........(.......00..........F...(... ...@...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(....... .................................................................................................................................................................................................

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	345054
Entropy (8bit):	4.386763332040807
Encrypted:	false
SSDEEP:	192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7i:R
MD5:	67964ADC577CB2B9B0B09264C612BC23
SHA1:	6C0233BA57A65799012BBF7060C62C4AF0CFF44D
SHA-256:	12B0143953017E97DE23F14C4804F95494E8E9F0B4E0FE672122C448037E29C6
SHA-512:	E87A15DD54C831C2A78AB6A7B84470597256D20EF9A310773A99E07D5EB6086A5510920D716EDF988FC76C7E9DD837CD10AD23684898C38ADAAF239FB0E67BED
Malicious:	false
Preview:	.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info

C:\Windows\Logs\NetSetup\service.0.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	458752
Entropy (8bit):	0.4719575195142665
Encrypted:	false
SSDEEP:	192:+LZm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbmn7YZAwnVl2t:+LvM7mjhRoZO/oAPGym
MD5:	A2C3D0CD04EF67B05914A20C60CA909F
SHA1:	DB063022C0140FB9E520EE0E00D0A79EA012C925
SHA-256:	E20F14980561CF95B68F50B2E95278864FD9AAA353AB3496E678C60E2FBE83F3
SHA-512:	34D89D126DAD05E25D047CB5D6B5BEBD442584C69264404DDFE7E7B34D1D29CFC6A79A1A1F4F87A7850E23DADB4439BF69B762CCE6C0852F6B6F70F7038EC910
Malicious:	false
Preview:	....8...8.......................................P...!....................................?......................eJ..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@K5..............?..............N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P..........?..................................................................8.B..?......19041.1.amd64fre.vb_release.191206-1406.....4.@..?......].;..y.q...2......NetSetupApi.pdb..b......7.@..?.......I.[.8+m.!N8$......NetSetupEngine.pdb......4.@..?.........>.....Nr8..a....NetSetupApi.pdb.........4.@..?.........E_iC...F........NetSetupSvc.pdb.............................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.3751730180947455
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau4:zTtbmkExhMJCIpErR
MD5:	5229510C04DCF54E9A8D972B39887C2B
SHA1:	8295BC15A34835A266CB8119C986456643FB480D
SHA-256:	DD01497C2AFAD43E06A142B2BEA51ACD551F0B6D702A217BD22558CF79F277AF
SHA-512:	9648D42C6F3308A8CC39B6895E026C5BEE6D908E1ECC5166CB4C4E31A0ACFE8734C752D313CF311030B8A5B75CAC907EE4125848C965474B0872A2B8ADF8093D
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	2236
Entropy (8bit):	7.761628766582577
Encrypted:	false
SSDEEP:	48:eVRvVMr9yYR7Fyefh540TnFzoE9WCRFkhqDKREnIXGb:eVQUYRYYhoAWCRFkEDr8Gb
MD5:	D9D09CD2E030FA5814EFBA013043F8BA
SHA1:	8D5BD7D5020B1E56BDE2429FEF002B5A666824AC
SHA-256:	05261D3093ACFA3403684F2D55730A613D118B0210DE222AE15D2774EA797374
SHA-512:	FC28BE8E11CA35A471A26B2E4BFD83681252BCAA7E3925D78E07475C2909AD503E4C356D9E48684166FFD1754EE3DEAAC7E465502CA9272489E3E98ADDFE9631
Malicious:	false
Preview:	0..........0.....+.....0......0...0......g.L...?_...../.W...>..20240827153454Z0s0q0I0...+.........0.L4:....p....v)....Sy.Z.+J.T.......f....\|9...Z.:...T......20240827153454Z....20240903153453Z0....H...............s..h....-^A.....K..W.f..n....).{2}.E...i......G...m.....ax.R8.y....E...L\_;J.....2.)...1Q.~....x.\|B B.x....u... d[S.F.H0C..=,....)!.A.....mlQ.H`P..[0.v.....s...%..!...a...m.(.A....Dn.s.YFV\|.{..4G....z...4t....kz....j.~...e....:'.8.=....<.p.p.Pr..-...D.....T..........9<1;...x.k\..v...DyP..Ub.\+q.=.e.cj..:%..8.WR......@...-l..t...A.....K[S ....P+8...$.q..h..:X..T.......V..20_#U/......}+2Y..YN...4....{/d.W.w.,wSd...^...B.X.J.....yg...g....]..2Fa.z(97..k.......f>..")_.....0...0...0............~......M..~'RN0...*.H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...220325000000Z..380118235959Z0=1.0...U....GB1.0...U....Sectigo Limited1.0...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	765
Entropy (8bit):	7.537571432333621
Encrypted:	false
SSDEEP:	12:WvktlNmtvFg6Z97EMxQKYpu8AKN31A0m3wdad/0ZG8jqyxnxn6uuWmPPl00Z4+/v:oktaR97jxou8AsFAEM0bjrnx6uuWKt0Y
MD5:	C3FF0450BC254AA735250451FB3FF3A7
SHA1:	28FEB4DC61DDC951FA3D4D12DB11CD1965F20122
SHA-256:	4EC9C98EE93C3763A637E040A32D8E8DB6997FF06E4A5318842525E23CEA0AEA
SHA-512:	B31EA0D15493CA9B39F3C528F420707EBBDC6FB6C0A0C1D91EF48186BF4CB75E799BA748D0ECEFCBE969CA87AD32C084B099A5CDB560B76D2F405A279A566B85
Malicious:	false
Preview:	0..........0.....+.....0......0...0.....2..5.H/(@Bp 6.\.....20240828085944Z0..0..0I0...+..........x..U......E.o.&.y...2..5.H/(@Bp 6.\.....b.m.R..;.y. .!......20240828085944Z....20240904085943Z."0 0...+.....0......20210322000000Z0....H............./7..1....C.#l..T...V"...F...6.G.[......l."....."+.r...\|"......I.4...z.gI....0.Jf..X...N$jdH.q6-..l...H.(.xDj.......`%/1......?.....X..............D.b"...V.,n...0...z...#.!&H..2.'..&K<S.zaQsK.&c..m......5.....h...a......U../!........!.&.g../...v......W.g...a..u.C-.`.......3.5.7.....%s.f..K....z.e\|... ......,..df.s.TH...]eh...\|F=..K5.`.......S..-..5.u?f.N..d...a..uS.1x...\|.].gB.......N+.....c...k.m.M&!f`..h.>'.LL....d.r.Z..]i'-......?.d..q.\.f>s.W....R.A/.7..]S......^.;,..

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	1275
Entropy (8bit):	7.179736856204349
Encrypted:	false
SSDEEP:	24:97Ij38DWhZR9zcmRO9F/Gg3OI1JYIItUFHv0UGt43RHZwmmm:94A2TzcTF+sYtr43RHZUm
MD5:	0987D12A3F221C3C8588F7EE1E7778FD
SHA1:	BBBF7FAC86308C500F99B25BF66CFF20BDD88245
SHA-256:	105DAF542ADE5D976AC973BC96B0AFD3CD9C2099CCC4DEDD45DBA9FE2240FBDD
SHA-512:	D733AE46FA5393169DF2F23F2F5DCD3E2653BCA78BAF6644C33499C28B94D512D07BE5702B6F6B0FB589F0A618A525301446C418FDE916E6CAC7366DA8862D59
Malicious:	false
Preview:	0...0......0....H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority..240829060835Z..240905060835Z0...00.......0..=#..%d...180316122154Z0.0...U.......0/..2..v7[p...2$'..4..180316122154Z0.0...U.......00.....W..f..u....+..180316122154Z0.0...U.......0/..#,..!%.FQI#....M..230801000000Z0.0...U.......00....n.....U...X.=...230801000000Z0.0...U.......0/..X.=....&....4....230801000000Z0.0...U.......00....).SB.+'>.......230801000000Z0.0...U.......0/....K...wA....o....230801000000Z0.0...U.......0/..yw....T....+X....230801000000Z0.0...U.......0/..Ta]....l...Q.@L..231024213259Z0.0...U........00.0...U.#..0...Sy.Z.+J.T.......f.0...U........0....H.............C}...!T........V.....}.....B..LK...Y[h......2..u(.r.~<...AZwk.+.('..I..&.......r.....d.1...1x.c.z#.NA.P@HY..5f..=.3.K.....:z..w.>...m..M.<.n5R...R.\N..i...{.5J.m.........z..:o.e..;RY.Z.... #e ...@....\.:...j.h..@.1.k.[U..9..

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\43B41D246473AA455DCC6019A9AF9545

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	81296
Entropy (8bit):	6.311939268988851
Encrypted:	false
SSDEEP:	768:kHrf0vMDTPD+RVCvpLiQmSQOGo+oMa8aN30PV5IrSi+/5q32x1zVZ7Y0BOawuys4:p0vA1qD8aSN5uSpx7lOVuIPbIIyFC
MD5:	59C36A2A6AD9FD143A7931CC1F3784B3
SHA1:	8D4D153F28C1A93F347591C8456118604FDE0DA0
SHA-256:	0AF841E2F68A17B4AA8448021174B1488C121399B6B762F439FAF42C4475A314
SHA-512:	1050C1226D1A78136E07F3867363D5E9EBDC24FD221439DA83DBF1B72384C3FA5C98D8CEF086618DC6E639CF66076B7D608A112EB41A2A686B0E5385E4EB9CDC
Malicious:	false
Preview:	0..=.0..;....0....H........0T1.0...U....GB1.0...U....Sectigo Limited1+0)..U..."Sectigo Public Code Signing CA R36..240828203623Z..240904203623Z0..;.0!..wS='...?.......,..210602000000Z0!..^......[........210603000000Z0"...."..@3[...>..5.b..210603000000Z0".....!.@;c...Z..#..210610062822Z0!..Rh}..fx.."I...I..210608000000Z0".....OP.c...epp.'..210610000000Z0!...'...{..!..!.,....210609000000Z0"....V.j.x.^...g.hq...210608000000Z0"....{=.-[W1....h....210602000000Z0!..k...3'd.e'....D..210610000000Z0!.......3.nz..W9.g..210611000000Z0!..f.ps..}{!.$.W..N..210610000000Z0"....(}.5G9!....Q.c..210611000000Z0"......R4.OQ..0.[.....210608000000Z0"....o..1..N?F.......210610000000Z0!..{:.._.c..GHj.l.\..210611000000Z0".......-...>...&L30..210615000000Z0".....<.D.h...&q..?..210614000000Z0!..Di..x.. ...`.K.U..210615000000Z0".......F......M@....210611000000Z0"......ku..O.1x.....210602000000Z0!....5.H..._<......210608000000Z0!..M.N..u".......,...210607000000Z0".....e...r.>....)l..21062101590

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	607
Entropy (8bit):	7.087490514954013
Encrypted:	false
SSDEEP:	12:RiJmSvwUrSfB6UA8Z7WrZPSv6mOEi0QuOAm0VRt1HO2DKjZ/ecqH7u+:UJm3BoSCRD0R3hjdDKjZvqHd
MD5:	CB596FDE193E63C2B235768017CDFFB6
SHA1:	F2EB258F59B1BC0CA3A68FCC79EFB75880E2F366
SHA-256:	E5C9FCA8D45B6CB058292994943AF2C92631D0ABA930B5FF070A553486FEED46
SHA-512:	43FAB54CDCE498CCB0AC6906B1584462BA67131C51185DD9777BD526FA2C1A97C14CAEE7D2A10E8F40663D0570025CB669A20FD9AC941935D66B90AE0EEB4435
Malicious:	false
Preview:	0..[0..C...0....H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services..240829055750Z..240905055750Z0b0/..q...._.M..tq4.....240416144108Z0.0...U.......0/..\|\|].....s...'.....240416144108Z0.0...U........00.0...U.#..0......#>.....)...0..0...U........0....H..............MM.a.uA.r.8..f.x..X...qd..k.>....a.s".^.4.hM5.a.I...l.;9.!$p...O3...%G.:7cE3zWS.y....d....G.9.?..b..69....y.A...&......r.......[.....Zy.5......a.1..'b>9N...e.NX5?.......m..sgh."5.j!....>).3.5h....G....<2B....k,2.....6..{..K2......H.......'...x.

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	638
Entropy (8bit):	7.339837162356674
Encrypted:	false
SSDEEP:	12:6Eg1WubIXwOOZubYsLXVeWMxQQuQKsfTOz+LGGZ5HkJip7xazRf62qzRTHzI0mZ:6zpsXoYE0XVYxCDsL4gHgipNazp4dTUz
MD5:	344F801A41D22365E0C355B810A51017
SHA1:	CA57597BBF3C6A8B19D18FC1602D732730CE0392
SHA-256:	8A4D3859A57AB7F830B7BD5D1E742AD0840461EF08B625BE4A18FAB6A62D4926
SHA-512:	4993C2FC7CC35E6673B687113988FBCD538A9098D0DB2CF667539EC4CD9D8F4B286401EA7CB5BFF3A6E08DD35E82BB34DD9B8BF3FED55B87AB473D32B2469F28
Malicious:	false
Preview:	0..z......s0..o..+.....0.....`0..\0....... .(..oH.+T.).......20240828170247Z0..0..0J0...+..............G..o.hr..U....... .(..oH.+T.).........%..;...z......>....20240828170247Z....20240904170246Z."0 0...+.....0......20210322000000Z0....H...............kF.3....?_\|LG.<K.\({.+..@.>.X.<........U.,;"....i3....hz.b..V....JN.m_...c.- ...%yr.Q.".....N..;..4.$..Bk:.h.a.. .~Tn.0....73j.U..v"c.%U.N.AQb...`....6~....2.g.%uf.R....!..0a..zL......;.{..K..Q.v.7Z..4Gv.G.W./".w\ZHV...@..#..X`t.r-...)..w....".nG.C..`.qN.."?........6...C.4...g.o...n..=.zyg.m..<...Z}Kl..z.p......4{.....WS......Ye.Fr.J....m.gF.....h...J$z..

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	4515
Entropy (8bit):	7.621047039569311
Encrypted:	false
SSDEEP:	96:Vxvh3PIKfCEjsBxvh3PIKA1+4gtIvZCvh3PIKfhigYP:7pPIK6EjsDpPIKA1+D5pPIKfhigQ
MD5:	FC4B99091DAFC19A739C073554D02DAC
SHA1:	B59459BCA6FAF643D92D6B66584F335CD5606229
SHA-256:	73233F5D24A81D97E37F94F67D3A3AD70DD76379CDEF1918B6FF3069A958B829
SHA-512:	2358E146A890A37857814B3254095F9BC8F23C07A86C1958AC65B003CE0C04C35C478DC4F7FF7D0038389EC60561956EC3CC2D4EC74C1D2E78CEA2892C909315
Malicious:	false
Preview:	0......H..........0......1.0....H.........t0..x0..`.......K,;......{[>.W0....H........0V1.0...U....GB1.0...U....Sectigo Limited1-0+..U...$Sectigo Public Code Signing Root R460...210322000000Z..460321235959Z0V1.0...U....GB1.0...U....Sectigo Limited1-0+..U...$Sectigo Public Code Signing Root R460.."0....H.............0...........".$t...#.....6..G.#.+>.}.1.Qo....R.....c$......;}.......'.ke..i..I9..mn..'..+P.K[..d6.~J=.q.a.s.<....3W.47..]...=..v..?f.1i.m.4..zx.P.d.-...j../...n....!.@..............v.' .........).p........6..O2.tFkG5.w.3Oc..-.e..k..q....m......>,......ug.m.cc.6.i...E>nZ_..[.0.0...@...8.g.S...0e.o.....ti>..h;..g3......H@...dF..s....le..U[..W..xF\|p............@...).\..+.E...gO(^..Lz.......>2F. 6....F...:.f.X\)....08<.F65\|.......v.~..@.5..z................n..ob..P..{...?. .u."Z............_........B0@0...U......2..5.H/(@Bp 6.\...0...U...........0...U.......0....0....H.............ve..."J...^.i^...Ms...(.7..!.._...l...\.....9..Aq..<.{..#

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	7.525337394726592
Encrypted:	false
SSDEEP:	24:PA6cCeFYM/nEkFssJm3v/0K7No0MZNCO3yUJSQchg6Uy59h:PABjEkFpTCEZNBzchgs59h
MD5:	93D660CB5EDF8360DA73B3CA187E82C2
SHA1:	9998E51810B2F253E82AB7B309240CDAE166944E
SHA-256:	DA41601BD53FF85D7BFE149273F57CAD8B85A31DE4F9C8C48EF00C3C818D07F3
SHA-512:	BB7705BC1256BFBC3F39A846E1F7FABFCEFB74BE21706E93E14C1CD4CF20F948742939E641AD06262B96FCF0F61FAFD48B0BBDDDB49F1BCD801E0671F4516EF1
Malicious:	false
Preview:	0..........0.....+.....0......0...0......m....z9.$..;........20240828091341Z0s0q0I0...+........S.On....xI.vrX#W.Ty......#>.....)...0....H...`U..6.........20240828091341Z....20240904091340Z0....H.............4w.....e@4T...Q...2.M.5:......m.I.ae.d.\T...,e./A..."..ybb!o.Q!..<...m..u~.....E-mS.{Ny~..c..\|..yG.0S..l0..=...u.1..\|.M=g..x....w........E..AT.q.......Q...k..(A.....&.s...u.....Mu.2?.'z~.t....q.Q7......].6X~..HV.h..J.....I.P....8..}....&.........0...0...0..........?..B........n..0....H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...220325000000Z..281231235959Z0=1.0...U....GB1.0...U....Sectigo Limited1.0...U....OCSP Signer0.."0...*.H.............0.............0.(..t......O.([.Zf..Uy...K.....t...]$.op.9n....:4.P...zX.k%..a..r_..,./.r.6..@...\.H.....P.....n...N(....E.U..a..W...e..'.q2K...3RD.5"..\|....M.... ..'A.a..m...~......?g.D.H;7k.U.+...E..KJ.WI4.{gF....

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	492
Entropy (8bit):	3.638841887982317
Encrypted:	false
SSDEEP:	12:BWQgXJMMiv8sF2BllA0KSHDwvy5LtV5uW4MAJn:sdXJMxvIBHXJVv5Z4n
MD5:	678D68B9685DBA7017F35133876EFBA2
SHA1:	D71E6B0AFE51668F9C138234D9627CB6C1D7DEBF
SHA-256:	E4B0DF87EB62FB3BAD3A82191EBFBCEF5B908FC883154C65822B2235B7F7AE2C
SHA-512:	24D17ECA04A9F324A14FC8D9BFBDA462DE33333E843566BAD19794B1FBF0FE4B8D5F090220D3FE486941AE1F7333935E354395DB562C9FCD02DF3147C41012A3
Malicious:	false
Preview:	p...... ...."...d.$k....(....................................................... ........#.....6..V...............h.t.t.p.:././.o.c.s.p...u.s.e.r.t.r.u.s.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.N.M.N.J.M.N.D.q.C.q.x.8.F.c.B.W.K.1.6.E.H.d.i.m.S.6.Q.Q.U.U.3.m.%.2.F.W.q.o.r.S.s.9.U.g.O.H.Y.m.8.C.d.8.r.I.D.Z.s.s.C.E.A.J.8.O.Q.E.M.p.1.r.D.O.r.X.u.D.V.Q.O.%.2.B.e.U.%.3.D...".8.d.5.b.d.7.d.5.0.2.0.b.1.e.5.6.b.d.e.2.4.2.9.f.e.f.0.0.2.b.5.a.6.6.6.8.2.4.a.c."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.9802646513319107
Encrypted:	false
SSDEEP:	6:kKBlPl62/7giFOtSLRacKFpivhClroFHBsvjaMlRcs32xZ3KJWyZ90NiAmbGEqW9:LPj/7gwLcjpiv8sFonDN9omyUoKh
MD5:	C0836374C882874B15FF4A69564597BC
SHA1:	5C0CC3D57F911DB7B09BAB3E954D09733A19C445
SHA-256:	E3A6C83811AE95F54FC904CA8C18AE78E0112E5453797F547342D44463D4D0E2
SHA-512:	B594C87278AF68E99B3C1261AC0F3073ABD809AA2218C739045AF0A6B8DFBAC52F120047C480F5750F9092BB2FE04167307AC0E704D406A11B9844556A72EFB1
Malicious:	false
Preview:	p...... ...........X....(...................(.....W......................W.... ...........(....2..V...............h.t.t.p.:././.o.c.s.p...s.e.c.t.i.g.o...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.d.E.3.g.f.4.1.W.A.i.c.8.U.h.9.l.F.9.2.%.2.B.I.J.q.h.5.q.w.Q.U.M.u.u.S.m.v.8.1.l.k.g.v.K.E.B.C.c.C.A.2.k.V.w.X.h.e.Y.C.E.G.I.d.b.Q.x.S.A.Z.4.7.k.H.k.V.I.I.k.h.H.A.o.%.3.D...".2.8.f.e.b.4.d.c.6.1.d.d.c.9.5.1.f.a.3.d.4.d.1.2.d.b.1.1.c.d.1.9.6.5.f.2.0.1.2.2."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.282225773358379
Encrypted:	false
SSDEEP:	3:kkFkl1lowVXfllXlE/WW8Owz/llQXlRD8rlANjpU+plgh3VEk7OILiEohREl7BKh:kK2o8OwrlG6aMulgok7OIZWMmtlK38Nn
MD5:	ACBFEAC094F3BECB561110B2500A385D
SHA1:	FC78661153014EAF2A3B47901AECFD15504B2664
SHA-256:	260B71AD10524C35ED84D84112D5BDEBF1266C49C78C6286C7EFEE1B05D07540
SHA-512:	55B445F1B11B93150877BCE942CF7AE08AAE34925A169471DE8E27FBB28B4A25F90C6E8D7856C01B43D706ECB2BFC47FEAAEC86BD2E1F3D4464696951592F53D
Malicious:	false
Preview:	p...... ........gh"k....(....................................................... ................1..V...............h.t.t.p.:././.c.r.l...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.C.e.r.t.i.f.i.c.a.t.i.o.n.A.u.t.h.o.r.i.t.y...c.r.l...".b.b.b.f.7.f.a.c.8.6.3.0.8.c.5.0.0.f.9.9.b.2.5.b.f.6.6.c.f.f.2.0.b.d.d.8.8.2.4.5."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\43B41D246473AA455DCC6019A9AF9545

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	316
Entropy (8bit):	3.2745235793952214
Encrypted:	false
SSDEEP:	3:kkFklMOj/XfllXlE/Y1Uslztlpl18Ae9DZl2i99wJM4bli2WelSvpW7FYKoHlGfg:kKt4ZxnlJKFlkM4UPeeWOKzfFl7Ql7/
MD5:	B549E4C8F6472374CC0C7789DD3D889C
SHA1:	CE0511A3E74FE8B9777F033B32804185FE5BF44F
SHA-256:	4E09ADA65702301F0FB54C88E9FA3329FC2C2A8EE5598557CAEB021E31AFEEEA
SHA-512:	E522035BD12DDFEE98432D7E0A52BEE6C6239F4E748D0D3CE11116EBA906F0A8C54510D5205888A1DCA2C00E8887E790E11E38F849D937D8CAE0EAAE4FD941AD
Malicious:	false
Preview:	p...... ....r.....Gk....(....................................................... ........=1.....1..V............=..h.t.t.p.:././.c.r.l...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.P.u.b.l.i.c.C.o.d.e.S.i.g.n.i.n.g.C.A.R.3.6...c.r.l...".8.d.4.d.1.5.3.f.2.8.c.1.a.9.3.f.3.4.7.5.9.1.c.8.4.5.6.1.1.8.6.0.4.f.d.e.0.d.a.0."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	304
Entropy (8bit):	3.1149156335187747
Encrypted:	false
SSDEEP:	6:kKqkfM8Nl/kgFeFfuOIQg3GAkmlJETlCF3+:frNlreFfgQWGA/+
MD5:	15DAF86850CBD636EEA66AC927D1B3E6
SHA1:	51EE5CBE51BC8EFD5525820BE25E2BC9ED2F7BCE
SHA-256:	EBC4F7A814B76E554329262CB958E748E97AACDA534F1B73FEBFAA0380ABA770
SHA-512:	6AF956D7AE6B06579655A080A43921C58595ADBF86490CC7DDB367AA1D743CD603885779F908A4CC814268928430B6E05E8F4833259F4AFFE704BFA33CE2B9E9
Malicious:	false
Preview:	p...... ....f....'dk....(....................................................... .........5a.....0..V..........._...h.t.t.p.:././.c.r.l...c.o.m.o.d.o.c.a...c.o.m./.A.A.A.C.e.r.t.i.f.i.c.a.t.e.S.e.r.v.i.c.e.s...c.r.l...".f.2.e.b.2.5.8.f.5.9.b.1.b.c.0.c.a.3.a.6.8.f.c.c.7.9.e.f.b.7.5.8.8.0.e.2.f.3.6.6."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.70428820033144
Encrypted:	false
SSDEEP:	12:QB+lgcjoqL2isFF++a8e7P3RTlD+xcI0gXBC3vKeloR/:QB+lgcjoqLQPha8ez3FBORC3Lq
MD5:	C373B80EA54B55645297092872D7A335
SHA1:	438E403976E1D041FF08111014DDDFD0E171A27E
SHA-256:	4E7974BF40C2DEF3243858DB311C4EEFB4A829320B3BC75B4AA8781F61B03939
SHA-512:	0E3FE3653CAA123BB40EF221DA2ABCD805F8654B2CA871F3BDA3F0592179E8504A39299E8A0FBF088B374DB63B95E2B4F5AAD13A4ADDC9329E60FA5FB96E42E7
Malicious:	false
Preview:	p...... ........{..k....(....................................................... .........B.l....6..V...........~...h.t.t.p.:././.o.c.s.p...s.e.c.t.i.g.o...c.o.m./.M.F.I.w.U.D.B.O.M.E.w.w.S.j.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.V.D.%.2.B.n.G.f.7.9.H.p.e.d.v.3.m.h.y.6.u.K.M.V.Z.k.P.C.Q.Q.U.D.y.r.L.I.I.c.o.u.O.x.v.S.K.4.r.V.K.Y.p.q.h.e.k.z.Q.w.C.E.Q.C.m.J.Z.m.3.O.4.4.Z.j.X.q.6.m.R.q.h.q.b.8.%.2.B...".c.a.5.7.5.9.7.b.b.f.3.c.6.a.8.b.1.9.d.1.8.f.c.1.6.0.2.d.7.3.2.7.3.0.c.e.0.3.9.2."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEED7C5D2183A1352C6D421D65F131F0

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	320
Entropy (8bit):	3.1819691522296902
Encrypted:	false
SSDEEP:	6:kK7I3/AnrlrRLjKFlkM4UPeXZe4X1saKTUMWKcll/:MclREX4UPeXZeQsaKwMzcll
MD5:	9412F16EAC7CBCBD6F465D2A33B6040A
SHA1:	37D1E66A131FA19899E7F90EF45CF83019AE3E8A
SHA-256:	5A6EE0670430235E2B56DDAAED7FE8897372A318CC3818C84AF39710B733C6B1
SHA-512:	140062287B9CF9E5092F7234912B6632698A0F97DAB894ABF8DF34E94EB735B16B3255956DE93C74392605EE1E18C66FC152F014AD16D2CADD750174E53814A6
Malicious:	false
Preview:	p...... ....v.....F....(....................................................... ............s...Q..V...............h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.P.u.b.l.i.c.C.o.d.e.S.i.g.n.i.n.g.R.o.o.t.R.4.6...p.7.c...".b.5.9.4.5.9.b.c.a.6.f.a.f.6.4.3.d.9.2.d.6.b.6.6.5.8.4.f.3.3.5.c.d.5.6.0.6.2.2.9."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Download File

Process:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
File Type:	data
Category:	dropped
Size (bytes):	482
Entropy (8bit):	3.7088866243512375
Encrypted:	false
SSDEEP:	12:G4WHOdhMeFpiv8sFZc+qYbghJlIdVp4Vpi9wAaah:G4WkhNsvY+dGrYp429wAaY
MD5:	974A38820FB35ABDB675FC398C6DE3C3
SHA1:	A488FB2476293E1B88F0A9B4F34E76FB9A8A4551
SHA-256:	45FD530E621AB1F441D24C3D14C83E2BA4B1F1EC2AF225AF57749D38C2381576
SHA-512:	D85F8EF11F10442352AABDECC665627ACBEAC80F3EABC3BC971AC94CF7463D2A4DD6256C8F58F640F450529283046D9F333D96CAB979F42FF022E676B2BE5622
Malicious:	false
Preview:	p...... .........'dk....(....................................................... ..........*...u3..V...............h.t.t.p.:././.o.c.s.p...c.o.m.o.d.o.c.a...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.R.T.t.U.9.u.F.q.g.V.G.H.h.J.w.X.Z.y.W.C.N.X.m.V.R.5.n.g.Q.U.o.B.E.K.I.z.6.W.8.Q.f.s.4.q.8.p.7.4.K.l.f.9.A.w.p.L.Q.C.E.E.j.8.k.7.R.g.V.Z.S.N.N.q.f.J.i.o.n.W.l.B.Y.%.3.D...".9.9.9.8.e.5.1.8.1.0.b.2.f.2.5.3.e.8.2.a.b.7.b.3.0.9.2.4.0.c.d.a.e.1.6.6.9.4.4.e."...

C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF

Download File

Process:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x16b0 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	9068
Entropy (8bit):	3.417070579006835
Encrypted:	false
SSDEEP:	96:NQGengWRr0wWnpsrjylY7h86T+JUs6hqge7aSpgvk0CMYo1+yFJdWyVgn:NCYpsrelYm6T+JUs6EL7Zg4p
MD5:	358E84778F04E06DE895B70EC38F5CC3
SHA1:	A1142527C8F03034894D8EC9CFDD10D457D4AAE5
SHA-256:	AA7BE6D57434DDA5F64C07900588F885A49CB009D317AC23A728221EFDA7AA92
SHA-512:	2FC3B7F136722BB442F49F8876DAF7D1C5671DF5EEC54D4F0F98403F003590197CA63513E58A8740456916AF6FA2A903C2BE043D5B6398FBA701A828EC97F341
Malicious:	false
Preview:	................@..........................,...........,... ...................h...............h#......C.:.\.W.i.n.d.o.w.s.............................................................................L...........................X...............................................................................................$...0... .......@...............................`.......................................................................................................................4...............,...........................................................................................X...........................................p...........................................................................................................................................................4...........T.......................................................................................t...................................`.......\|...............................................\.......

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB0B.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB1C.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	10739
Entropy (8bit):	7.214364446291792
Encrypted:	false
SSDEEP:	192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
MD5:	F73AC62E8DF97FAF3FC8D83E7F71BF3F
SHA1:	619A6E8F7A9803A4C71F73060649903606BEAF4E
SHA-256:	CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
SHA-512:	F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
Malicious:	false
Preview:	0.)....H........).0.)....1.0...`.H.e......0..i..+.....7.....Z0..V0...+.....7.......r?.X.M.....F.A..201008141946Z0...+.....7.....0..T0.... .....S!F.3....#.a.2`..e...#e...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .....S!F.3....#.a.2`..e...#e...0...."~..m..8C. i$.4.l..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0.... ..j(.M<.cR..XrT....F..R.]....?1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j(.M<.cR..XrT....F..R.]....?0.....".....A.Rw..... .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f.......0...0....+.

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\SETB3C.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39920
Entropy (8bit):	6.338128217115975
Encrypted:	false
SSDEEP:	768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
MD5:	C10CCDEC5D7AF458E726A51BB3CDC732
SHA1:	0553AAB8C2106ABB4120353360D747B0A2B4C94F
SHA-256:	589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
SHA-512:	7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\oemvista.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.063558190257152
Encrypted:	false
SSDEEP:	192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
MD5:	26009F092BA352C1A64322268B47E0E3
SHA1:	E1B2220CD8DCAEF6F7411A527705BD90A5922099
SHA-256:	150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
SHA-512:	C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
Malicious:	false
Preview:	; ***************************************************************************..; Copyright (C) 2002-2014 OpenVPN Technologies, Inc. ..; This program is free software; you can redistribute it and/or modify ..; it under the terms of the GNU General Public License version 2 ..; as published by the Free Software Foundation. ..; *************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*******************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	10739
Entropy (8bit):	7.214364446291792
Encrypted:	false
SSDEEP:	192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
MD5:	F73AC62E8DF97FAF3FC8D83E7F71BF3F
SHA1:	619A6E8F7A9803A4C71F73060649903606BEAF4E
SHA-256:	CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
SHA-512:	F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
Malicious:	false
Preview:	0.)....H........).0.)....1.0...`.H.e......0..i..+.....7.....Z0..V0...+.....7.......r?.X.M.....F.A..201008141946Z0...+.....7.....0..T0.... .....S!F.3....#.a.2`..e...#e...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .....S!F.3....#.a.2`..e...#e...0...."~..m..8C. i$.4.l..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0.... ..j(.M<.cR..XrT....F..R.]....?1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j(.M<.cR..XrT....F..R.]....?0.....".....A.Rw..... .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f.......0...0....+.

C:\Windows\System32\DriverStore\Temp\{d8262e6f-e8cd-884d-ad85-a53fddb6e328}\tap0901.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39920
Entropy (8bit):	6.338128217115975
Encrypted:	false
SSDEEP:	768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
MD5:	C10CCDEC5D7AF458E726A51BB3CDC732
SHA1:	0553AAB8C2106ABB4120353360D747B0A2B4C94F
SHA-256:	589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
SHA-512:	7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	4404
Entropy (8bit):	5.390212215647896
Encrypted:	false
SSDEEP:	96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3hpTpbCpEpDk+psNVpsL5:QO00eO00erMwmkB1kAIrN4F
MD5:	40CA501B1DC093C0655BA34B9246CA1A
SHA1:	6713B8087A391C0F52B2381C8226642D08A51882
SHA-256:	84FE52F52F6FF5BDC15DC98068D0F934889A47B9B6E3036648B0AEC0D022B4D8
SHA-512:	23289CE246ACCECC2651D30CAC1E6F5F96157B70B77AF457DC0F6410A7FEEDD8912D4E1DCF1DBBC4FB09B61FBE9E2683953E3273E075B6D6E6DCD89125D117AA
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

C:\Windows\System32\drivers\SET1348.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39920
Entropy (8bit):	6.338128217115975
Encrypted:	false
SSDEEP:	768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
MD5:	C10CCDEC5D7AF458E726A51BB3CDC732
SHA1:	0553AAB8C2106ABB4120353360D747B0A2B4C94F
SHA-256:	589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
SHA-512:	7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................

C:\Windows\System32\drivers\tap0901.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39920
Entropy (8bit):	6.338128217115975
Encrypted:	false
SSDEEP:	768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
MD5:	C10CCDEC5D7AF458E726A51BB3CDC732
SHA1:	0553AAB8C2106ABB4120353360D747B0A2B4C94F
SHA-256:	589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
SHA-512:	7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................

C:\Windows\Temp\~DF2D3BA0A6BD640EFD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.13035661598098236
Encrypted:	false
SSDEEP:	24:4oBVK1GAAwY+QJfAebfdAipV72XdAipVdV2BwG2lrkg9SkDie+wgqrUD:4oBVOcrfdASB2XdASPo4rXDje+U
MD5:	BADD25E21F624549563F1360AA4D3AEE
SHA1:	DF57E231402E9768C00E420F0578E134DE959DFE
SHA-256:	6B8221A52DE979E54E18946BDF4E6D656D76AF03BF1AC614C8447F47A01CEBA8
SHA-512:	C41CA8F44794F26D806A9C33D9607448498FA72FD6AA409F48C3E082B117F4742BFFC49921676A3053676BE2C51E8C34F60587BABC318A0C17D7BCD3B79CCCBF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2D9E51BD617151C4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2294501688976947
Encrypted:	false
SSDEEP:	48:yYjQuyNveFXJLT5WejeJhdASPo4rXvdASB21rJMoBV:nQ4zTc0eJkvqpOV
MD5:	1A5ED96DDC46103585C296C383BB87B0
SHA1:	FC07A0C20F997E0A1D1DEFB61CD1FDC5DE0CCEB8
SHA-256:	D7CD52B63DC8C5A9E42B8A541C93441B004BFBFF38A85EEBD5C517373358CEB1
SHA-512:	A989F8A67682AD59B6CD56DE174F7236309337D3136C5875B3B7FCD9258475DAD0240C332BCC2B15675111592F9BB37DC5DEA7BF8593421DF292270CD3D606C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF328588ADC73005BE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C7A94FF614A9EB5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF64CE8530DE145E27.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8F099BE20EBACAD9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA52F1B4ADBE8128F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA9CEEA7DD633D4C9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.533028489448828
Encrypted:	false
SSDEEP:	48:r28PhYuRc06WXJ0nT5tejeJhdASPo4rXvdASB21rJMoBV:NhY13nTT0eJkvqpOV
MD5:	B6DC91A40BADBA70C3474F5FA48380D2
SHA1:	084136CE1D296E60BFAD3470110C483917EBFDD0
SHA-256:	BCE84EC01F931665B217F1D977C8AB2CB64950A0DF845AC1ADE861C410CB1E8B
SHA-512:	5DFDC0C2503FF0ADF8DB1EA9867C8BB7514627AB850BA01885F20FB591102FE4FA9C204965DE2DACBDF41FCA800DA3CDDACF7D506EAF92A333BFD9F940B552C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC52D39C2AE145962.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07166241963171
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKONNvOmzZUlOohMMtgVky6lit/:2F0i8n0itFzDHFnvOiqlHhMOit/
MD5:	B45AF0CBBB15C46630717EBE8B52F86E
SHA1:	87C87698B8C0081BA2471C9B5019B935ED16734A
SHA-256:	598AB9454DA212E90BD817D1885A3D97A42B8B065D1DD60AC9C6796D773481ED
SHA-512:	D81364C3B9C4C3DEFDB6C5080BAB8DE3A525077E6932464A6A13803708BA79C0BD7A486C076739A3F20091BD369230629C7586E3FE53810467E2F8FD61993119
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC9E40D135243D398.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.533028489448828
Encrypted:	false
SSDEEP:	48:r28PhYuRc06WXJ0nT5tejeJhdASPo4rXvdASB21rJMoBV:NhY13nTT0eJkvqpOV
MD5:	B6DC91A40BADBA70C3474F5FA48380D2
SHA1:	084136CE1D296E60BFAD3470110C483917EBFDD0
SHA-256:	BCE84EC01F931665B217F1D977C8AB2CB64950A0DF845AC1ADE861C410CB1E8B
SHA-512:	5DFDC0C2503FF0ADF8DB1EA9867C8BB7514627AB850BA01885F20FB591102FE4FA9C204965DE2DACBDF41FCA800DA3CDDACF7D506EAF92A333BFD9F940B552C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCD86B76ABFA720FB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2294501688976947
Encrypted:	false
SSDEEP:	48:yYjQuyNveFXJLT5WejeJhdASPo4rXvdASB21rJMoBV:nQ4zTc0eJkvqpOV
MD5:	1A5ED96DDC46103585C296C383BB87B0
SHA1:	FC07A0C20F997E0A1D1DEFB61CD1FDC5DE0CCEB8
SHA-256:	D7CD52B63DC8C5A9E42B8A541C93441B004BFBFF38A85EEBD5C517373358CEB1
SHA-512:	A989F8A67682AD59B6CD56DE174F7236309337D3136C5875B3B7FCD9258475DAD0240C332BCC2B15675111592F9BB37DC5DEA7BF8593421DF292270CD3D606C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEF0873A065365445.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2294501688976947
Encrypted:	false
SSDEEP:	48:yYjQuyNveFXJLT5WejeJhdASPo4rXvdASB21rJMoBV:nQ4zTc0eJkvqpOV
MD5:	1A5ED96DDC46103585C296C383BB87B0
SHA1:	FC07A0C20F997E0A1D1DEFB61CD1FDC5DE0CCEB8
SHA-256:	D7CD52B63DC8C5A9E42B8A541C93441B004BFBFF38A85EEBD5C517373358CEB1
SHA-512:	A989F8A67682AD59B6CD56DE174F7236309337D3136C5875B3B7FCD9258475DAD0240C332BCC2B15675111592F9BB37DC5DEA7BF8593421DF292270CD3D606C5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466252289031558
Encrypted:	false
SSDEEP:	6144:CIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNGdwBCswSbH:nXD94zWlLZMM6YFHI+H
MD5:	21F21CFA32AFC94337EB09CA06F334BF
SHA1:	720140512A1771F6F28C58DD7A3FD2BFAB4585AE
SHA-256:	A84E76A61094D6EDFE92004ADD9BF786EE37848F19C9C3FFABE28F8A33089B05
SHA-512:	40F168276285D5CB2BEB7FAA9A8B1961AB47A4C0EA8FD50EED604C773F3F6FA3D80DDCABF66737A632CD534F16F66928D9D1DE781C876D40EE5BFA10C3AA0AA1
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^i.....................................................................................................................................................................................................................................................................................................................................................!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.881835941754514
Encrypted:	false
SSDEEP:	6:zx3MmSLQHtBXVNsRzFW6HcaHpO0CaHlHrHdG0HwD0DIZJQN80n:zK/0HtBFNEUIg0CaK0QD0DYJQl
MD5:	C884DD8AA8ED4FA1B1DAE101861B38C4
SHA1:	FE3C5D46E0A18E897F0C28AA853BC78F97B7F10C
SHA-256:	86EB13EC15D07F7FC083E912E45E528081D30C2791CA78D5E5610DF7C087917B
SHA-512:	69AEB5ED711F7FB804005EA1206525C6949D5BD1079A008604B95869B9F42A1B60032FD546325D62AC6A073454E53AA403CBDEA909EEBF66956E16BF8639E309
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\desk_compositor_x86.dll to Extraction Queue..Adding files\FileVPN.exe to Extraction Queue..Adding files\FileVPN3.8.1.exe to Extraction Queue..Adding files\msvcp120.dll to Extraction Queue..Adding files\msvcr120.dll to Extraction Queue..Adding files\runshelldraw_x86.exe to Extraction Queue....Expanding Files ........Expanding Files Complete .....6 files total...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 23.1.0.0, Subject: 7-Zip 23.01 (x64) - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Igor Pavlov, Keywords: Installer, Template: x64;1033, Revision Number: {2C440493-81B6-4F08-8BAF-7B29575A145C}, Create Time/Date: Thu Jan 11 14:59:38 2024, Last Saved Time/Date: Thu Jan 11 14:59:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Entropy (8bit):	7.956099970741459
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	SBSLMD5qhm.msi
File size:	17'215'488 bytes
MD5:	ca1d0bcc5fb18b2b312c2981a9fda576
SHA1:	a2fed73441b207edee0f355b6468854a63e8ce25
SHA256:	66bfca2c51b6b49c0900b8b401dba81e638ff97885418a5fdcfc95fd1d21a8e6
SHA512:	249aefdee277adb729102504aed15fdc61e42753d649ec6030830bfa584ce4d9dfcdd10dbdcc74413ea2bef5a102501d51c40d28f90ffc24a181f89159d49c4b
SSDEEP:	393216:OM4hc5h2cX5jP9bEVNLx/c9+ru+9vD7c2pIE51it7JOJkZF9:lZz9wXtc9+q+dvpIE51M7J
TLSH:	570723137581C8B2D16A0371659AD36A47BABC304270D697BBD5FF2E1FB16C0F623A12
File Content Preview:	........................>.......................................................>...?...@...A..................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:49:11.681905031 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:11.686845064 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:11.686963081 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:11.708506107 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:11.713360071 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.143312931 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.143335104 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.143347979 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.143395901 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:12.143435001 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:12.167958021 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:12.172980070 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.263016939 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:12.263096094 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:12.271487951 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:12.276305914 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:13.285108089 CEST	8443	49730	188.114.96.3	192.168.2.4
Aug 29, 2024 12:49:13.285896063 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:49:22.477652073 CEST	49730	8443	192.168.2.4	188.114.96.3
Aug 29, 2024 12:50:39.932627916 CEST	49753	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:39.936534882 CEST	49754	443	192.168.2.4	103.235.47.188
Aug 29, 2024 12:50:39.936563969 CEST	443	49754	103.235.47.188	192.168.2.4
Aug 29, 2024 12:50:39.936744928 CEST	49754	443	192.168.2.4	103.235.47.188
Aug 29, 2024 12:50:39.937072992 CEST	49754	443	192.168.2.4	103.235.47.188
Aug 29, 2024 12:50:39.937108994 CEST	443	49754	103.235.47.188	192.168.2.4
Aug 29, 2024 12:50:39.937175989 CEST	49754	443	192.168.2.4	103.235.47.188
Aug 29, 2024 12:50:39.937472105 CEST	53	49753	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:39.937582016 CEST	49753	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:39.939304113 CEST	49753	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:39.944080114 CEST	53	49753	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:39.944184065 CEST	53	49753	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:39.944236040 CEST	49753	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:39.953280926 CEST	49755	443	192.168.2.4	5.255.255.77
Aug 29, 2024 12:50:39.953329086 CEST	443	49755	5.255.255.77	192.168.2.4
Aug 29, 2024 12:50:39.953463078 CEST	49755	443	192.168.2.4	5.255.255.77
Aug 29, 2024 12:50:39.953712940 CEST	49757	443	192.168.2.4	142.250.185.132
Aug 29, 2024 12:50:39.953720093 CEST	443	49757	142.250.185.132	192.168.2.4
Aug 29, 2024 12:50:39.953782082 CEST	49757	443	192.168.2.4	142.250.185.132
Aug 29, 2024 12:50:39.960712910 CEST	49755	443	192.168.2.4	5.255.255.77
Aug 29, 2024 12:50:39.960747957 CEST	443	49755	5.255.255.77	192.168.2.4
Aug 29, 2024 12:50:39.960974932 CEST	49755	443	192.168.2.4	5.255.255.77
Aug 29, 2024 12:50:39.962306976 CEST	49757	443	192.168.2.4	142.250.185.132
Aug 29, 2024 12:50:39.962347984 CEST	443	49757	142.250.185.132	192.168.2.4
Aug 29, 2024 12:50:39.962568998 CEST	49757	443	192.168.2.4	142.250.185.132
Aug 29, 2024 12:50:40.309137106 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.309174061 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.309235096 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.309644938 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.309689999 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.309745073 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.309932947 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.309983015 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.310029984 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.321026087 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.321047068 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.321556091 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.321585894 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.321976900 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:40.321991920 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:40.406948090 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:40.406986952 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:40.407126904 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:40.409245014 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:40.409256935 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:41.047657967 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.047738075 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.052989006 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.053054094 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.053822041 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.053841114 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.053935051 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.054085016 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.056382895 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.056392908 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.056497097 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.056579113 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.070760012 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.070847988 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.074163914 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.074178934 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.074270964 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.074327946 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.074337006 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.093802929 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.093832016 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.100503922 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.124677896 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.139703035 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.242347002 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.242368937 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.346086979 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.398971081 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:41.399065971 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:41.400727987 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:41.400736094 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:41.400934935 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:41.401002884 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:41.401912928 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:41.401957035 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:41.402116060 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:41.402839899 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:41.402856112 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:41.667512894 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.667624950 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.667714119 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.679992914 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.680111885 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.680208921 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.711774111 CEST	49760	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.711806059 CEST	443	49760	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.713396072 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.713418961 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.713587999 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.713675022 CEST	49759	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.713681936 CEST	443	49759	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.713695049 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.713781118 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.715008020 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.715027094 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:41.715051889 CEST	49758	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:41.715059042 CEST	443	49758	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:42.523139954 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:42.527986050 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:42.528057098 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:42.548223019 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:42.553044081 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:42.642364025 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:42.642442942 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:42.644212008 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:42.644221067 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:42.644371986 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:42.644422054 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:42.645201921 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:42.645242929 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:42.645313978 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:42.646708965 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:42.646723986 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:43.477696896 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:43.531725883 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:43.919492960 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:43.919701099 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:43.929198980 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:43.929220915 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:43.929378033 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:43.929426908 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:43.929461956 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:43.929490089 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:43.930625916 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:43.930625916 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:43.930655956 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:44.588911057 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:44.593785048 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:44.639729977 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:44.683242083 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:44.919436932 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:44.919521093 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.029556036 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.029572964 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:45.029761076 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:45.029820919 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.031017065 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.031044006 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:45.031141996 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.033937931 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.033951044 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:45.183603048 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:45.188788891 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:45.521004915 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:45.522037029 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:46.032071114 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:46.032191038 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.033870935 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.033886909 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:46.034064054 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:46.034111977 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.034594059 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.034630060 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:46.034687042 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.035903931 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.035917044 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:47.049925089 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:47.050045967 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.054253101 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.054267883 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:47.054483891 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:47.054542065 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.076997042 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.077043056 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:47.077291965 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.189721107 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.189766884 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:48.172344923 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:48.172421932 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:48.174021006 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:48.174032927 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:48.174182892 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:48.174226046 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:48.176501989 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:48.176532984 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:48.176644087 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:48.177290916 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:48.177301884 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:49.392713070 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:49.392792940 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.395658970 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.395668983 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:49.395824909 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:49.395893097 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.398092031 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.398123026 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:49.398300886 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.399241924 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.399246931 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:50.338004112 CEST	49765	80	192.168.2.4	18.139.76.7
Aug 29, 2024 12:50:50.342892885 CEST	80	49765	18.139.76.7	192.168.2.4
Aug 29, 2024 12:50:50.625508070 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:50.625591993 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.627420902 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.627432108 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:50.627583027 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:50.627635002 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.628662109 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.628685951 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:50.628822088 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.629765987 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.629776001 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:51.874494076 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:51.874614954 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.876880884 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.876885891 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:51.877031088 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:51.877131939 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.877156019 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:51.877191067 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.877430916 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.877887964 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.877893925 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:53.115745068 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:53.115830898 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:53.117505074 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:53.117513895 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:53.117665052 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:53.117722988 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:53.119349003 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:53.119389057 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:53.119735956 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:53.120184898 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:53.120199919 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:54.425281048 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:54.425396919 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.427311897 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.427324057 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:54.427465916 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:54.427630901 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.428554058 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.428597927 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:54.428857088 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.449253082 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.449274063 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.683944941 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.684019089 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.686266899 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.686275959 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.686430931 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.686477900 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.689336061 CEST	49771	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:55.689354897 CEST	443	49771	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:55.689378977 CEST	49770	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:55.689398050 CEST	443	49770	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:55.689423084 CEST	49769	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:55.689428091 CEST	443	49769	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:55.689445019 CEST	49768	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:55.689461946 CEST	443	49768	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:55.689485073 CEST	49767	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:55.689492941 CEST	443	49767	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:55.689671993 CEST	49766	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.689685106 CEST	49777	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.689697027 CEST	443	49777	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.689699888 CEST	443	49766	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.689702034 CEST	49775	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:55.689713955 CEST	443	49775	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:55.689718962 CEST	49773	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:55.689728022 CEST	443	49773	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:55.689755917 CEST	49761	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:55.689762115 CEST	443	49761	35.227.223.56	192.168.2.4
Aug 29, 2024 12:50:55.689882994 CEST	49776	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.689898014 CEST	443	49776	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.689943075 CEST	49774	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:55.689949036 CEST	443	49774	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:55.689990044 CEST	49763	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:55.689996004 CEST	443	49763	183.60.146.66	192.168.2.4
Aug 29, 2024 12:50:55.690208912 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.690229893 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:55.690300941 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.691179037 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.691186905 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:57.457679033 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:57.457758904 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.459748983 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.459759951 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:57.459944963 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:57.460012913 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.460939884 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.460983038 CEST	443	49779	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:57.461060047 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.461848974 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.461859941 CEST	443	49779	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:58.727518082 CEST	443	49779	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:58.727709055 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:58.729587078 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:58.729593992 CEST	443	49779	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:58.729896069 CEST	443	49779	23.98.101.155	192.168.2.4
Aug 29, 2024 12:50:58.731215000 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:58.731671095 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:58.731709957 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:58.731825113 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:58.732434988 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:58.732444048 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.452491045 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.452553034 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.455214024 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.455224037 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.455302954 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.455373049 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.455384970 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.495697021 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.896545887 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.896712065 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:50:59.896792889 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.902251959 CEST	49780	443	192.168.2.4	108.138.24.227
Aug 29, 2024 12:50:59.902270079 CEST	443	49780	108.138.24.227	192.168.2.4
Aug 29, 2024 12:51:12.461707115 CEST	49778	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:51:12.461738110 CEST	443	49778	23.98.101.155	192.168.2.4
Aug 29, 2024 12:51:13.739707947 CEST	49779	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:51:13.739727974 CEST	443	49779	23.98.101.155	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:49:11.663631916 CEST	62530	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:49:11.673854113 CEST	53	62530	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:35.370908022 CEST	56999	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:35.955493927 CEST	50235	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:36.533138990 CEST	55635	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:39.928719044 CEST	64620	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:39.930322886 CEST	57508	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:39.931442976 CEST	49781	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:39.935419083 CEST	53	64620	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:39.937429905 CEST	53	57508	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:39.938091993 CEST	53	49781	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:40.277998924 CEST	55065	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:40.279856920 CEST	55066	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:40.280504942 CEST	55067	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:40.281274080 CEST	52387	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:40.294984102 CEST	53	52387	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:40.406104088 CEST	52388	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:40.509768009 CEST	53	55065	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:40.512342930 CEST	53	55066	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:40.582045078 CEST	53	55067	8.8.8.8	192.168.2.4
Aug 29, 2024 12:50:41.401402950 CEST	52369	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:42.512655020 CEST	57170	53	192.168.2.4	1.1.1.1
Aug 29, 2024 12:50:42.521038055 CEST	53	57170	1.1.1.1	192.168.2.4
Aug 29, 2024 12:50:42.644809961 CEST	57171	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:43.929213047 CEST	57172	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:45.030714989 CEST	57173	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:46.034368038 CEST	57174	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:47.075803995 CEST	57175	443	192.168.2.4	35.227.223.56
Aug 29, 2024 12:50:48.175930977 CEST	57176	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:49.397551060 CEST	57177	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:50.628393888 CEST	57178	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:51.876883030 CEST	57179	443	192.168.2.4	183.60.146.66
Aug 29, 2024 12:50:53.119009018 CEST	57180	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:54.428313017 CEST	57181	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:55.688863993 CEST	57182	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:57.460563898 CEST	57183	443	192.168.2.4	23.98.101.155
Aug 29, 2024 12:50:58.731201887 CEST	57184	53	192.168.2.4	8.8.8.8
Aug 29, 2024 12:50:59.032056093 CEST	53	57184	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:49:11.663631916 CEST	192.168.2.4	1.1.1.1	0x3d9d	Standard query (0)	g00g1e.us.kg	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:35.370908022 CEST	192.168.2.4	1.1.1.1	0xe67a	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:35.955493927 CEST	192.168.2.4	1.1.1.1	0xda54	Standard query (0)	ocsp.sectigo.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:36.533138990 CEST	192.168.2.4	1.1.1.1	0xb453	Standard query (0)	crl.sectigo.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.928719044 CEST	192.168.2.4	1.1.1.1	0xed74	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.930322886 CEST	192.168.2.4	1.1.1.1	0x5f39	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.931442976 CEST	192.168.2.4	1.1.1.1	0xd41b	Standard query (0)	www.yandex.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.277998924 CEST	192.168.2.4	8.8.8.8	0xcfe2	Standard query (0)	nal.fqoqehwib.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.279856920 CEST	192.168.2.4	8.8.8.8	0x19	Standard query (0)	nit.crash1ytics.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.280504942 CEST	192.168.2.4	8.8.8.8	0xce16	Standard query (0)	chr.alipayassets.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.281274080 CEST	192.168.2.4	1.1.1.1	0xa1d2	Standard query (0)	d1dmgcawtbm6l9.cloudfront.net	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:42.512655020 CEST	192.168.2.4	1.1.1.1	0xee8e	Standard query (0)	ws-ap1.pusher.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:58.731201887 CEST	192.168.2.4	8.8.8.8	0x5f5c	Standard query (0)	nit.crash1ytics.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:49:11.673854113 CEST	1.1.1.1	192.168.2.4	0x3d9d	No error (0)	g00g1e.us.kg		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:49:11.673854113 CEST	1.1.1.1	192.168.2.4	0x3d9d	No error (0)	g00g1e.us.kg		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:35.378020048 CEST	1.1.1.1	192.168.2.4	0xe67a	No error (0)	crt.sectigo.com	crt.comodoca.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:35.962246895 CEST	1.1.1.1	192.168.2.4	0xda54	No error (0)	ocsp.sectigo.com	ocsp.comodoca.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:36.541007996 CEST	1.1.1.1	192.168.2.4	0xb453	No error (0)	crl.sectigo.com	crl.comodoca.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:39.935419083 CEST	1.1.1.1	192.168.2.4	0xed74	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:39.935419083 CEST	1.1.1.1	192.168.2.4	0xed74	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:39.935419083 CEST	1.1.1.1	192.168.2.4	0xed74	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.935419083 CEST	1.1.1.1	192.168.2.4	0xed74	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.937429905 CEST	1.1.1.1	192.168.2.4	0x5f39	No error (0)	www.google.com		142.250.185.132	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.938091993 CEST	1.1.1.1	192.168.2.4	0xd41b	No error (0)	www.yandex.com	yandex.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:39.938091993 CEST	1.1.1.1	192.168.2.4	0xd41b	No error (0)	yandex.com		5.255.255.77	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.938091993 CEST	1.1.1.1	192.168.2.4	0xd41b	No error (0)	yandex.com		77.88.44.55	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:39.938091993 CEST	1.1.1.1	192.168.2.4	0xd41b	No error (0)	yandex.com		77.88.55.88	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.294984102 CEST	1.1.1.1	192.168.2.4	0xa1d2	No error (0)	d1dmgcawtbm6l9.cloudfront.net		108.138.24.227	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.294984102 CEST	1.1.1.1	192.168.2.4	0xa1d2	No error (0)	d1dmgcawtbm6l9.cloudfront.net		108.138.24.13	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.294984102 CEST	1.1.1.1	192.168.2.4	0xa1d2	No error (0)	d1dmgcawtbm6l9.cloudfront.net		108.138.24.115	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.294984102 CEST	1.1.1.1	192.168.2.4	0xa1d2	No error (0)	d1dmgcawtbm6l9.cloudfront.net		108.138.24.182	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.509768009 CEST	8.8.8.8	192.168.2.4	0xcfe2	No error (0)	nal.fqoqehwib.com		99.34.124.121	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.509768009 CEST	8.8.8.8	192.168.2.4	0xcfe2	No error (0)	nal.fqoqehwib.com		104.112.172.245	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.509768009 CEST	8.8.8.8	192.168.2.4	0xcfe2	No error (0)	nal.fqoqehwib.com		33.86.72.19	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.509768009 CEST	8.8.8.8	192.168.2.4	0xcfe2	No error (0)	nal.fqoqehwib.com		82.150.106.47	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.509768009 CEST	8.8.8.8	192.168.2.4	0xcfe2	No error (0)	nal.fqoqehwib.com		10.176.38.125	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.512342930 CEST	8.8.8.8	192.168.2.4	0x19	No error (0)	nit.crash1ytics.com		223.61.70.52	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.512342930 CEST	8.8.8.8	192.168.2.4	0x19	No error (0)	nit.crash1ytics.com		67.137.174.254	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.512342930 CEST	8.8.8.8	192.168.2.4	0x19	No error (0)	nit.crash1ytics.com		19.88.16.251	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.512342930 CEST	8.8.8.8	192.168.2.4	0x19	No error (0)	nit.crash1ytics.com		142.242.204.31	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.582045078 CEST	8.8.8.8	192.168.2.4	0xce16	No error (0)	chr.alipayassets.com		222.91.58.119	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.582045078 CEST	8.8.8.8	192.168.2.4	0xce16	No error (0)	chr.alipayassets.com		85.222.79.57	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:40.582045078 CEST	8.8.8.8	192.168.2.4	0xce16	No error (0)	chr.alipayassets.com		12.206.118.229	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:42.521038055 CEST	1.1.1.1	192.168.2.4	0xee8e	No error (0)	ws-ap1.pusher.com	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:50:42.521038055 CEST	1.1.1.1	192.168.2.4	0xee8e	No error (0)	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com		18.139.76.7	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:42.521038055 CEST	1.1.1.1	192.168.2.4	0xee8e	No error (0)	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com		52.220.81.111	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:42.521038055 CEST	1.1.1.1	192.168.2.4	0xee8e	No error (0)	socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com		13.215.76.101	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:59.032056093 CEST	8.8.8.8	192.168.2.4	0x5f5c	No error (0)	nit.crash1ytics.com		223.61.70.52	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:59.032056093 CEST	8.8.8.8	192.168.2.4	0x5f5c	No error (0)	nit.crash1ytics.com		19.88.16.251	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:59.032056093 CEST	8.8.8.8	192.168.2.4	0x5f5c	No error (0)	nit.crash1ytics.com		67.137.174.254	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:50:59.032056093 CEST	8.8.8.8	192.168.2.4	0x5f5c	No error (0)	nit.crash1ytics.com		142.242.204.31	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

d1dmgcawtbm6l9.cloudfront.net

ws-ap1.pusher.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49765	18.139.76.7	80	2256	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:50:42.548223019 CEST	265	OUT	GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1 Host: ws-ap1.pusher.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 13 Sec-WebSocket-Key: OWQ3ZTRkZWYtZmZiOS00ZQ== Origin: ws://ws-ap1.pusher.com
Aug 29, 2024 12:50:43.477696896 CEST	166	IN	HTTP/1.1 101 Switching Protocols Date: Thu, 29 Aug 2024 10:50:43 GMT Connection: upgrade Upgrade: websocket Sec-WebSocket-Accept: dcBRytQBF1EeFMRdy/gKQpD6Heo=
Aug 29, 2024 12:50:44.588911057 CEST	25	OUT	Data Raw: 89 93 fc 2c 0d 01 ce 15 22 31 c4 03 3f 31 ce 18 2d 31 c4 16 3c 33 c6 1f 3c Data Ascii: ,"1?1-1<3<
Aug 29, 2024 12:50:44.639729977 CEST	242	IN	Data Raw: 81 7e 00 92 7b 22 65 76 65 6e 74 22 3a 22 70 75 73 68 65 72 3a 65 72 72 6f 72 22 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 34 30 30 31 2c 22 6d 65 73 73 61 67 65 22 3a 22 41 70 70 20 6b 65 79 20 34 66 63 34 33 36 65 66 33 36 66 34 30 32 36 Data Ascii: ~{"event":"pusher:error","data":{"code":4001,"message":"App key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?"}}ZApp key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?
Aug 29, 2024 12:50:45.183603048 CEST	8	OUT	Data Raw: 88 82 c0 85 8d 53 c3 6d Data Ascii: Sm

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49759	108.138.24.227	443	2256	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:50:41 UTC	180	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-08-29 10:50:41 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 29 Aug 2024 10:50:41 GMT X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 29 Aug 2024 10:50:41 GMT Cache-Control: private, max-age=4 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Accept-Ranges: none Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 6f32a39163a1e36ace7a71a85e2d2884.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P7 X-Amz-Cf-Id: pTStlLsHXvIRps2oAgfWX_sD8XSL4aUtgesq0005ZbpM2TrnzFhVNQ==
2024-08-29 10:50:41 UTC	518	IN	Data Raw: 31 66 66 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 61 6c 2e 66 71 6f 71 65 68 77 69 62 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 61 6c 2e 66 71 6f 71 65 68 77 69 62 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 34 2c 22 64 61 74 61 22 3a 22 31 30 34 2e 31 31 32 2e 31 37 32 2e 32 34 35 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 6e 61 6c 2e 66 71 6f 71 65 68 77 69 62 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 34 2c 22 64 61 74 61 Data Ascii: 1ff{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nal.fqoqehwib.com.","type":1}],"Answer":[{"name":"nal.fqoqehwib.com.","type":1,"TTL":4,"data":"104.112.172.245"},{"name":"nal.fqoqehwib.com.","type":1,"TTL":4,"data
2024-08-29 10:50:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49758	108.138.24.227	443	2256	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:50:41 UTC	183	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-08-29 10:50:41 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 29 Aug 2024 10:50:41 GMT X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 29 Aug 2024 10:50:41 GMT Cache-Control: private, max-age=4 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Accept-Ranges: none Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 3199fed6c4260c9448326645d333530a.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P7 X-Amz-Cf-Id: VDdGb0EvpWnqvlydyN5XMBaaQsl0FSURt9UYhhF76LnH6QkXkiDDrg==
2024-08-29 10:50:41 UTC	390	IN	Data Raw: 31 37 66 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 63 68 72 2e 61 6c 69 70 61 79 61 73 73 65 74 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 63 68 72 2e 61 6c 69 70 61 79 61 73 73 65 74 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 34 2c 22 64 61 74 61 22 3a 22 32 32 32 2e 39 31 2e 35 38 2e 31 31 39 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 63 68 72 2e 61 6c 69 70 61 79 61 73 73 65 74 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a Data Ascii: 17f{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"chr.alipayassets.com.","type":1}],"Answer":[{"name":"chr.alipayassets.com.","type":1,"TTL":4,"data":"222.91.58.119"},{"name":"chr.alipayassets.com.","type":1,"TTL":
2024-08-29 10:50:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49760	108.138.24.227	443	2256	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:50:41 UTC	182	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-08-29 10:50:41 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 29 Aug 2024 10:50:41 GMT X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 29 Aug 2024 10:50:41 GMT Cache-Control: private, max-age=1 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Accept-Ranges: none Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 78720628b37ebf3e33c42dc098252ee8.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P7 X-Amz-Cf-Id: eWxhFhZhcuakXrxsivv6kwQ5PcGOVhnv5SpQVd1xpXGPBBGHrwA8Cg==
2024-08-29 10:50:41 UTC	458	IN	Data Raw: 31 63 33 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 31 2c 22 64 61 74 61 22 3a 22 36 37 2e 31 33 37 2e 31 37 34 2e 32 35 34 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 31 2c Data Ascii: 1c3{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nit.crash1ytics.com.","type":1}],"Answer":[{"name":"nit.crash1ytics.com.","type":1,"TTL":1,"data":"67.137.174.254"},{"name":"nit.crash1ytics.com.","type":1,"TTL":1,
2024-08-29 10:50:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49780	108.138.24.227	443	2256	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:50:59 UTC	182	OUT	GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-08-29 10:50:59 UTC	676	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: nginx/1.16.0 Date: Thu, 29 Aug 2024 10:50:59 GMT Accept-Ranges: none X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Expires: Thu, 29 Aug 2024 10:50:59 GMT Cache-Control: private, max-age=6 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding X-Cache: Miss from cloudfront Via: 1.1 f1a22cc8d842b0950e4bd5bda60806f2.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P7 X-Amz-Cf-Id: tgv539swE7qiahiScZ2AOVsP5MBzPKcPF5qfWbSJY2qHC0YG-hOWvg==
2024-08-29 10:50:59 UTC	458	IN	Data Raw: 31 63 33 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 36 2c 22 64 61 74 61 22 3a 22 36 37 2e 31 33 37 2e 31 37 34 2e 32 35 34 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 6e 69 74 2e 63 72 61 73 68 31 79 74 69 63 73 2e 63 6f 6d 2e 22 2c 22 74 79 70 65 22 3a 31 2c 22 54 54 4c 22 3a 36 2c Data Ascii: 1c3{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nit.crash1ytics.com.","type":1}],"Answer":[{"name":"nit.crash1ytics.com.","type":1,"TTL":6,"data":"67.137.174.254"},{"name":"nit.crash1ytics.com.","type":1,"TTL":6,
2024-08-29 10:50:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:49:02
Start date:	29/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SBSLMD5qhm.msi"
Imagebase:	0x7ff7ecf20000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:49:02
Start date:	29/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7ecf20000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:49:03
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7BAC104BD5378FDDE0B63E7FB4B3F634
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:49:05
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 8446B195F51217FC669CD1E61AA0CBB0 E Global\MSI0000
Imagebase:	0xf70000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:49:06
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase:	0xef0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:49:06
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:49:06
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase:	0x90000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:49:06
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:49:08
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN3.8.1.exe"
Imagebase:	0x7ff6281c0000
File size:	12'288 bytes
MD5 hash:	92114D5C56FD14D35E98E60ED2943477
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:49:08
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"
Imagebase:	0xd40000
File size:	32'584 bytes
MD5 hash:	2BA1B334190DC1FE43B1D9FC330EA384
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 0000000F.00000002.1775883317.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start "" "FileVPN.exe"
Imagebase:	0x7ff75dab0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:49:09
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files\FileVPN.exe
Wow64 process (32bit):	true
Commandline:	"FileVPN.exe"
Imagebase:	0x400000
File size:	15'195'472 bytes
MD5 hash:	A59B68EA2372F9C9F6A0603FD5013174
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:49:10
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:	0xef0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:49:10
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
Imagebase:	0xa80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:49:10
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:49:10
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:49:10
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	Regsvr32.exe
Imagebase:	0x240000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Shellcode_Generic_8c487e57, Description: unknown, Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: 00000017.00000002.1883185994.0000000002BB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:49:11
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-5dd92490-67e1-4ac5-ad76-150eaa0f9d99\files"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:49:11
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:49:12
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	06:49:12
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7252 -ip 7252
Imagebase:	0xfe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:49:13
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1512
Imagebase:	0xfe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:50:15
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
Imagebase:	0xa80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:50:15
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:50:21
Start date:	29/08/2024
Path:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Imagebase:	0x7ff7682b0000
File size:	101'536 bytes
MD5 hash:	1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:50:21
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:50:21
Start date:	29/08/2024
Path:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
Imagebase:	0x7ff7682b0000
File size:	101'536 bytes
MD5 hash:	1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:50:21
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	06:50:23
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	06:50:23
Start date:	29/08/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "1" "c:\program files (x86)\letsvpn\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver"
Imagebase:	0x7ff65e4e0000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:50:24
Start date:	29/08/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000144"
Imagebase:	0x7ff65e4e0000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:50:25
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:50:26
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c netsh advfirewall firewall Delete rule name=lets
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	06:50:26
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	06:50:27
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall Delete rule name=lets
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	06:50:27
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c netsh advfirewall firewall Delete rule name=lets.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	06:50:27
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	06:50:27
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall Delete rule name=lets.exe
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall Delete rule name=LetsPRO.exe
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	06:50:28
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall Delete rule name=LetsPRO
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	06:50:29
Start date:	29/08/2024
Path:	C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Imagebase:	0x7ff7682b0000
File size:	101'536 bytes
MD5 hash:	1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	06:50:29
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	06:50:32
Start date:	29/08/2024
Path:	C:\Program Files (x86)\letsvpn\LetsPRO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\letsvpn\LetsPRO.exe"
Imagebase:	0x360000
File size:	245'880 bytes
MD5 hash:	51F74B2422CA5C2E15A4FF761B9AF586
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	06:50:32
Start date:	29/08/2024
Path:	C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\letsvpn\app-3.9.1\LetsPRO.exe"
Imagebase:	0x230000
File size:	1'482'360 bytes
MD5 hash:	5C8BA6EB1D1C2F078C4C812EA51E1701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	06:50:35
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	62
Start time:	06:50:37
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	63
Start time:	06:50:37
Start date:	29/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	06:50:39
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C ipconfig /all
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	06:50:39
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	06:50:39
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /all
Imagebase:	0xd90000
File size:	29'184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	06:50:40
Start date:	29/08/2024
Path:	C:\Windows\System32\wbem\WmiApSrv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\WmiApSrv.exe
Imagebase:	0x7ff796930000
File size:	209'920 bytes
MD5 hash:	9A48D32D7DBA794A40BF030DA500603B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	68
Start time:	06:50:42
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C route print
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	06:50:42
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	06:50:42
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\ROUTE.EXE
Wow64 process (32bit):	true
Commandline:	route print
Imagebase:	0xbc0000
File size:	19'456 bytes
MD5 hash:	C563191ED28A926BCFDB1071374575F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	06:50:43
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C arp -a
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	06:50:43
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	06:50:43
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\ARP.EXE
Wow64 process (32bit):	true
Commandline:	arp -a
Imagebase:	0x150000
File size:	22'528 bytes
MD5 hash:	4D3943EDBC9C7E18DC3469A21B30B3CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.8%
Total number of Nodes:	74
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6281C1000 Relevance: 42.1, APIs: 17, Strings: 7, Instructions: 69
processwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00007FF6281C1019
ShowWindow.USER32 ref: 00007FF6281C1035
GetConsoleWindow.KERNELBASE ref: 00007FF6281C103B
ShowWindow.USER32 ref: 00007FF6281C104F
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6281C105A
Process32FirstW.KERNEL32 ref: 00007FF6281C1079
FindCloseChangeNotification.KERNELBASE ref: 00007FF6281C1086
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C1093
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C10A0
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C10AD
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C10BA
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C10C7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C10D4
wcsstr.VCRUNTIME140 ref: 00007FF6281C110C
Process32NextW.KERNEL32 ref: 00007FF6281C111F
MessageBoxW.USER32 ref: 00007FF6281C1153

Strings

copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll", xrefs: 00007FF6281C1099
start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe", xrefs: 00007FF6281C10C0
360, xrefs: 00007FF6281C1100
start "" "FileVPN.exe", xrefs: 00007FF6281C10CD
copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll", xrefs: 00007FF6281C10B3
copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll", xrefs: 00007FF6281C10A6
copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe", xrefs: 00007FF6281C108C

Memory Dump Source

Source File: 00000008.00000002.1762868358.00007FF6281C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6281C0000, based on PE: true

Associated: 00000008.00000002.1762852681.00007FF6281C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762928088.00007FF6281C5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6281c0000_FileVPN3.jbxd

Similarity

API ID: system$Window$ConsoleProcess32Show$ChangeCloseCreateFindFirstMessageNextNotificationSnapshotToolhelp32wcsstr
String ID: 360$copy desk_compositor_x86.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desk_compositor_x86.dll"$copy msvcp120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcp120.dll"$copy msvcr120.dll "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\msvcr120.dll"$copy runshelldraw_x86.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"$start "" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\runshelldraw_x86.exe"$start "" "FileVPN.exe"
API String ID: 2597489144-3104905842
Opcode ID: a7704d5001edc36d9c2bd9acc36c506d59c19b401df0f01e39e8db3a3b666f19
Instruction ID: b74e4a7d59e774dbeaf290a66b440fe31e733e073d98e1597df9de35b2f7b787
Opcode Fuzzy Hash: a7704d5001edc36d9c2bd9acc36c506d59c19b401df0f01e39e8db3a3b666f19
Instruction Fuzzy Hash: AE31D120A19A4382FE589B30EC5C2B923A1BF94F45F844137C51E826E6EF3CE559C30B

Function 00007FF6281C1274 Relevance: 15.1, APIs: 10, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6281C1288
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6281C129D
__scrt_release_startup_lock.LIBCMT ref: 00007FF6281C130B
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C1359
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C135E
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C1366
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C136E
__scrt_is_managed_app.LIBCMT ref: 00007FF6281C1382
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C1390
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6281C13EA

Memory Dump Source

Source File: 00000008.00000002.1762868358.00007FF6281C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6281C0000, based on PE: true

Associated: 00000008.00000002.1762852681.00007FF6281C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762928088.00007FF6281C5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6281c0000_FileVPN3.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3019265742-0
Opcode ID: aaa5c525b2c4af79c213164bba0f60c53b93b75a922ef3363efbbc886cd3c07e
Instruction ID: 2d7d49e18c57be29e6cd0a9bdaeaa07df711511e0dc2506bf58091cfaaf36711
Opcode Fuzzy Hash: aaa5c525b2c4af79c213164bba0f60c53b93b75a922ef3363efbbc886cd3c07e
Instruction Fuzzy Hash: C6314C21E8C24342FF14AB719C1D3B92291AF65784F845037EA0EC76D7DE2DE845C64B

Non-executed Functions

Function 00007FF6281C18F8 Relevance: 13.6, APIs: 9, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6281C1914
memset.VCRUNTIME140 ref: 00007FF6281C1938
RtlCaptureContext.KERNEL32 ref: 00007FF6281C1941
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6281C195B
RtlVirtualUnwind.KERNEL32 ref: 00007FF6281C199C
memset.VCRUNTIME140 ref: 00007FF6281C19CF
IsDebuggerPresent.KERNEL32 ref: 00007FF6281C19F0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6281C1A11
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6281C1A1C

Memory Dump Source

Source File: 00000008.00000002.1762868358.00007FF6281C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6281C0000, based on PE: true

Associated: 00000008.00000002.1762852681.00007FF6281C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762928088.00007FF6281C5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6281c0000_FileVPN3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 17e4ac96b087dfc9f8c58bfd19fa17baf0543d5619cda781355043519fff301e
Instruction ID: 2753ea0ab2a4323c3ac1d5bed0380c72466725c917d7caf1374b0031c23200f7
Opcode Fuzzy Hash: 17e4ac96b087dfc9f8c58bfd19fa17baf0543d5619cda781355043519fff301e
Instruction Fuzzy Hash: 38315A72609A828AEB648F70EC443EE2361FB94744F44403BDA4E87AD6EF38D548C706

Function 00007FF6281C1AA0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1762868358.00007FF6281C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF6281C0000, based on PE: true

Associated: 00000008.00000002.1762852681.00007FF6281C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762910505.00007FF6281C2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1762928088.00007FF6281C5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6281c0000_FileVPN3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb72a34125f5e5569dbb9934361a19847b3b9246cd262d6199107ec10c44898
Instruction ID: 6d6955914fe4acaa52093ea4f66a79ce9dd1bfd11193f6966312888f600d0a02
Opcode Fuzzy Hash: bfb72a34125f5e5569dbb9934361a19847b3b9246cd262d6199107ec10c44898
Instruction Fuzzy Hash: 7DA00121948883D1EA488B21AD591202331BB60B44B400633D00E818E29F2CE411C20B

Analysis Process: runshelldraw_x86.exePID: 344, Parent PID: 1744COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	771
Total number of Limit Nodes:	13

Executed Functions

Function 6C3DFA40 Relevance: 61.6, Strings: 48, Instructions: 1619
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

water, xrefs: 6C3DFA7B, 6C3DFDA1, 6C3E0116, 6C3E11DD, 6C3E141B
tax, xrefs: 6C3E08F4, 6C3E0D02, 6C3E0D36, 6C3E181F
before, xrefs: 6C3E100E, 6C3E1754, 6C3E1B2B
when, xrefs: 6C3E0E06
son, xrefs: 6C3E0652, 6C3E12AD
generation, xrefs: 6C3E0CD5
join, xrefs: 6C3E09F8, 6C3E18EF, 6C3E19F3
under, xrefs: 6C3DFBCE, 6C3DFED8, 6C3E0247, 6C3E0B98, 6C3E1175, 6C3E1557
apply, xrefs: 6C3E1279
that, xrefs: 6C3DFAFE, 6C3DFE08, 6C3E0177, 6C3E09C4, 6C3E0A2C, 6C3E0DD2, 6C3E147C, 6C3E1853
difficult, xrefs: 6C3E04E6
nation, xrefs: 6C3DFC02, 6C3DFF0C, 6C3E0485, 6C3E058D
few, xrefs: 6C3E06EE
Republican, xrefs: 6C3E0D75, 6C3E17F2
consumer, xrefs: 6C3E05EA, 6C3E0B30
the, xrefs: 6C3DFACA, 6C3DFDD4, 6C3E0143, 6C3E037F, 6C3E1448, 6C3E1684, 6C3E1A5B
bit, xrefs: 6C3E0010
environment, xrefs: 6C3E1877
civil, xrefs: 6C3E1349
image, xrefs: 6C3E0D9E, 6C3E1720, 6C3E1AC3
nocannocan, xrefs: 6C3E034B, 6C3E0E6E, 6C3E0FDA, 6C3E1650
particular, xrefs: 6C3E089E, 6C3E0AFC
once, xrefs: 6C3DFB66, 6C3DFE70, 6C3E01DF, 6C3E14E4
city, xrefs: 6C3E04B2, 6C3E095C, 6C3E0B64, 6C3E0BF0, 6C3E10D9, 6C3E1211
according, xrefs: 6C3DFC36, 6C3DFF4B
place, xrefs: 6C3E1923
reflect, xrefs: 6C3E108B
share, xrefs: 6C3DFCD2, 6C3DFFDC, 6C3E0BCC
ago, xrefs: 6C3E03B3, 6C3E061E, 6C3E0FA6, 6C3E16B8, 6C3E1AF7
reach, xrefs: 6C3E1A1E
take, xrefs: 6C3DFB32, 6C3DFC9E, 6C3DFE3C, 6C3DFFA8, 6C3E01AB, 6C3E02E3, 6C3E051A, 6C3E05B6, 6C3E0ED6, 6C3E14B0, 6C3E15E8
respond, xrefs: 6C3E0990
ever, xrefs: 6C3E0078, 6C3E03E7, 6C3E0826, 6C3E137D
attorney, xrefs: 6C3E054E, 6C3E0A5A, 6C3E198B
let, xrefs: 6C3DFB9A, 6C3DFEA4, 6C3E0213, 6C3E07F2, 6C3E0928, 6C3E1518
region, xrefs: 6C3E16FD
trade, xrefs: 6C3E078A, 6C3E1141
~, xrefs: 6C3E142F
buy, xrefs: 6C3E0317, 6C3E07BE, 6C3E1315, 6C3E161C
Congress, xrefs: 6C3DFD06
mean, xrefs: 6C3DFC6A, 6C3DFF74, 6C3E0E3A, 6C3E18BB
skin, xrefs: 6C3E0044, 6C3E0F15, 6C3E1235
allow, xrefs: 6C3E0C34
different, xrefs: 6C3E027B, 6C3E1580
hour, xrefs: 6C3E0686, 6C3E0756, 6C3E0A94, 6C3E0AC8, 6C3E0F3E
security, xrefs: 6C3E02AF, 6C3E06BA, 6C3E072D, 6C3E0F72, 6C3E12E1, 6C3E15B4, 6C3E1A8F
yeah, xrefs: 6C3E110D, 6C3E11A9, 6C3E1957
above, xrefs: 6C3E0EA2

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: CleanupConcurrency::cancel_current_taskCurrentEnumErrorInitializeLastProcessSymbols
String ID: Congress$Republican$above$according$ago$allow$apply$attorney$before$bit$buy$city$civil$consumer$different$difficult$environment$ever$few$generation$hour$image$join$let$mean$nation$nocannocan$once$particular$place$reach$reflect$region$respond$security$share$skin$son$take$tax$that$the$trade$under$water$when$yeah$~
API String ID: 691211741-2757300109
Opcode ID: eb97d692eca198d003cfaf1e9be3a5283c08c7fa6c321042a99a6e21e9c678cd
Instruction ID: 90d804a152d75954ad7bb890a94fe578a7b3d9bc3a882f7645e0f95d536c8302
Opcode Fuzzy Hash: eb97d692eca198d003cfaf1e9be3a5283c08c7fa6c321042a99a6e21e9c678cd
Instruction Fuzzy Hash: 8F136171C553A99AEB61CF60CD48BDDBB74AF65308F1082C9E58836181DBB42BC8CF56

Function 6C3E20B0 Relevance: 58.2, APIs: 19, Strings: 14, Instructions: 413
memorythreadprocessCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C3DF230: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?,CDB469A1,00000001,00000000,00000000), ref: 6C3DF2B2
Part of subcall function 6C3DF230: FindFirstFileW.KERNELBASE(00000000,?,?), ref: 6C3DF2FD
Part of subcall function 6C3DF230: FindNextFileW.KERNELBASE(00000000,?), ref: 6C3DF370
Part of subcall function 6C3DF230: FindClose.KERNELBASE(00000000), ref: 6C3DF377

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000040,CDB469A1,00000001,00000000), ref: 6C3E2108

Part of subcall function 6C3DEDE0: Concurrency::cancel_current_task.LIBCPMT ref: 6C3DEEB6

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?,?,?,?,?,?,0000000A), ref: 6C3E2478
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,?,?,0000000A), ref: 6C3E24BF
ReadProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,0000000A), ref: 6C3E24DE
VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,0000000A), ref: 6C3E2552
VirtualProtect.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 6C3E2581
ResumeThread.KERNELBASE(?,?,?,?,?,?,0000000A), ref: 6C3E25A1
VirtualProtectEx.KERNELBASE(?,?,?,00000040,?,?,?,?,?,?,0000000A), ref: 6C3E2628
ReadProcessMemory.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,0000000A), ref: 6C3E264B
VirtualProtectEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,0000000A), ref: 6C3E2665
Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,0000000A), ref: 6C3E2699
VirtualAllocEx.KERNELBASE(?,00000000,00000400,00001000,00000040,?,?,?,?,?,0000000A), ref: 6C3E26B8
WriteProcessMemory.KERNELBASE(?,00000000,?,00000400,00000000,?,?,?,?,?,0000000A), ref: 6C3E26D2
Wow64SetThreadContext.KERNEL32(?,00010003,?,?,?,?,?,0000000A), ref: 6C3E26EB
ResumeThread.KERNELBASE(?,?,?,?,?,?,0000000A), ref: 6C3E26F7
CloseHandle.KERNEL32(?,?,?,?,?,?,0000000A), ref: 6C3E2709
CloseHandle.KERNEL32(?,?,?,?,?,?,0000000A), ref: 6C3E2711
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 6C3E271B
TerminateProcess.KERNELBASE(00000000,?,?,?,?,?,0000000A), ref: 6C3E2722

Strings

tax, xrefs: 6C3E21A8, 6C3E2210
D, xrefs: 6C3E2156
.text, xrefs: 6C3E250F, 6C3E25DF
election, xrefs: 6C3E21DC
when, xrefs: 6C3E237C
son, xrefs: 6C3E2348
that, xrefs: 6C3E2278
but, xrefs: 6C3E22A6
Congress, xrefs: 6C3E23E4
particular, xrefs: 6C3E2123
nocannocan, xrefs: 6C3E23B0
hour, xrefs: 6C3E2244
bag, xrefs: 6C3E22E0
likely, xrefs: 6C3E2314

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: Virtual$Process$ProtectThread$AllocCloseFindMemory$ContextFileHandleReadResumeWow64$Concurrency::cancel_current_taskCreateCurrentFirstFolderNextPathTerminateWrite
String ID: .text$Congress$D$bag$but$election$hour$likely$nocannocan$particular$son$tax$that$when
API String ID: 2408778585-784861279
Opcode ID: 667d955583922e7d31d43a9832b6b5a4b59761c8d36efcbcb891bc37a0aece39
Instruction ID: 590106f87861f857a1c19561f5a8a33e3de5a703d746d2e468279ce4a918e734
Opcode Fuzzy Hash: 667d955583922e7d31d43a9832b6b5a4b59761c8d36efcbcb891bc37a0aece39
Instruction Fuzzy Hash: EF028F71D503699BDB21CF60CD48BDEBBB8BF49308F144289E549A7280DBB16AC8CF55

Function 6C3DF230 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 244
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?,CDB469A1,00000001,00000000,00000000), ref: 6C3DF2B2
FindFirstFileW.KERNELBASE(00000000,?,?), ref: 6C3DF2FD
FindNextFileW.KERNELBASE(00000000,?), ref: 6C3DF370
FindClose.KERNELBASE(00000000), ref: 6C3DF377
SHGetFolderPathW.SHELL32(00000000,00000008,00000000,00000000,?), ref: 6C3DF49A
FindFirstFileW.KERNELBASE(00000000,?,?), ref: 6C3DF4DF
FindNextFileW.KERNELBASE(00000000,?), ref: 6C3DF559
FindClose.KERNELBASE(00000000), ref: 6C3DF560

Strings

Media side vote price executive writer myself choose situation professor or do go organization store as event region game sport myself he focus research quickly., xrefs: 6C3DF406
Matter continue hold tough red although lose when lead attack spring study red fly tell court movement already ability., xrefs: 6C3DF3F2
Drive threat consumer power evening follow wait door environmental nation specific such return who firm manage hope whose happen scientist road film my president store bad poor but glass to policy hear for about present well according almost check window., xrefs: 6C3DF424
Decision suddenly design financial difference time another something gas according campaign green spring listen he too president grow let air attorney hour tree girl., xrefs: 6C3DF410
Bad night beat entire Mr explain easy help executive conference career day west ago yeah there coach thousand kind town pull party tend laugh cup drug., xrefs: 6C3DF3E8
Line age society certainly billion after magazine house finally fire under American assume arm arrive recent dark fast activity protect computer sign particular growth., xrefs: 6C3DF42E
Much across language sign rich write old improve game blue executive difference surface pay statement well meet animal recently trip behavior must she change rock., xrefs: 6C3DF438
Team decade difficult too hot property model foreign decade bit man about traditional exactly former mind institution serve age guess peace tonight prepare poor reflect decision finish machine back hand loss free glass because., xrefs: 6C3DF41A
Citizen performance order he energy spring decade financial present similar focus trial because number public many international yet city impact federal remain crime receive behavior raise itself ago six officer herself to for kind threat point beat conference, xrefs: 6C3DF3FC
Reduce note member onto draw others chance behavior deep activity they could through chair onto popular standard big money service water now concern a catch Mrs decide believe half last., xrefs: 6C3DF3DE

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: Find$File$CloseFirstFolderNextPath
String ID: Bad night beat entire Mr explain easy help executive conference career day west ago yeah there coach thousand kind town pull party tend laugh cup drug.$Citizen performance order he energy spring decade financial present similar focus trial because number public many international yet city impact federal remain crime receive behavior raise itself ago six officer herself to for kind threat point beat conference$Decision suddenly design financial difference time another something gas according campaign green spring listen he too president grow let air attorney hour tree girl.$Drive threat consumer power evening follow wait door environmental nation specific such return who firm manage hope whose happen scientist road film my president store bad poor but glass to policy hear for about present well according almost check window.$Line age society certainly billion after magazine house finally fire under American assume arm arrive recent dark fast activity protect computer sign particular growth.$Matter continue hold tough red although lose when lead attack spring study red fly tell court movement already ability.$Media side vote price executive writer myself choose situation professor or do go organization store as event region game sport myself he focus research quickly.$Much across language sign rich write old improve game blue executive difference surface pay statement well meet animal recently trip behavior must she change rock.$Reduce note member onto draw others chance behavior deep activity they could through chair onto popular standard big money service water now concern a catch Mrs decide believe half last.$Team decade difficult too hot property model foreign decade bit man about traditional exactly former mind institution serve age guess peace tonight prepare poor reflect decision finish machine back hand loss free glass because.
API String ID: 1819976387-3567503233
Opcode ID: d46be0276fcffb7ba7e884b13602eeb0ad8dc47ea3db52c28057a8294e2b9406
Instruction ID: e3c5fe43dceeee9651c64ab3c00aeac6a4b2226ebdae2354138818727f491b41
Opcode Fuzzy Hash: d46be0276fcffb7ba7e884b13602eeb0ad8dc47ea3db52c28057a8294e2b9406
Instruction Fuzzy Hash: 9A9127B2A001299BDB14DB24CC88BDEB775AF48318F1142E9D505A7B90DB34AE85CF95

Function 6C431995 Relevance: 18.1, APIs: 12, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__crtFlsGetValue.MSVCR120(6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C4319C6
_calloc_crt.MSVCR120(00000001,000003BC,00000008,6C431A5F,?,00000001,?), ref: 6C4319D7
__crtFlsSetValue.MSVCR120(00000000,00000008,6C431A5F,?,00000001,?), ref: 6C4319EF
_initptd.MSVCR120(00000000,00000000,6C431A5F,?,00000001,?), ref: 6C431A00

Part of subcall function 6C431BFD: _lock.MSVCR120(0000000D), ref: 6C431C41
Part of subcall function 6C431BFD: _lock.MSVCR120(0000000C), ref: 6C431C62

GetCurrentThreadId.KERNEL32 ref: 6C431A07
__freeptd.LIBCMT ref: 6C431BE9
GetCommandLineW.KERNEL32(6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44CAA6
GetCommandLineA.KERNEL32 ref: 6C44CD71
free.MSVCR120(00000000,6C431A5F,?,00000001,?), ref: 6C473B99

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CommandLineValue__crt_lock$CurrentThread__freeptd_calloc_crt_initptdfree
String ID:
API String ID: 1616718619-0
Opcode ID: 6961230b6a9f33c3e84cbf51bd0d0b5330af2e2b302bd97d5c12f9d2bc97fa68
Instruction ID: af490ff1a32d12e38035261c906b02ca2b1a493227dcc11a4f5e7618eb65087f
Opcode Fuzzy Hash: 6961230b6a9f33c3e84cbf51bd0d0b5330af2e2b302bd97d5c12f9d2bc97fa68
Instruction Fuzzy Hash: 42310C3264522196F720FB765841F8D3AB4AF862DDBA0511EEC24D7F91DF20C06AC5F6

Function 6C44D2E1 Relevance: 15.2, APIs: 10, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.MSVCR120(0000000B,6C44D360,00000064,6C44CA9E,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44D2EF

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

_calloc_crt.MSVCR120(00000020,00000040,6C44D360,00000064,6C44CA9E,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44D300
GetStartupInfoW.KERNEL32(?,6C44D360,00000064,6C44CA9E,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44D380
GetStdHandle.KERNEL32(-000000F6), ref: 6C44D3D0
_local_unwind4.MSVCR120(6C4FF7B8,?,000000FE,6C44D360,00000064,6C44CA9E,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C47DC9D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalEnterHandleInfoSectionStartup_calloc_crt_local_unwind4_lock
String ID:
API String ID: 4203667266-0
Opcode ID: f2d263749751dc8b8e1434dc7d75bf8c726ae4980971cd3e97454b7ed2c9aee2
Instruction ID: 00374ddc8fc510ea2149bdc95108a818056e8bd26564377b4ff76677d27ea822
Opcode Fuzzy Hash: f2d263749751dc8b8e1434dc7d75bf8c726ae4980971cd3e97454b7ed2c9aee2
Instruction Fuzzy Hash: 8891C571A052559FEB20CF68C840D9DBBF0EF4A329B34866ED4B6AB781D7349442CB54

Function 6C3E3FDF Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6C3E4026
___scrt_uninitialize_crt.LIBCMT ref: 6C3E4040

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 7f49251d9c181feafe6ec1d7e1f8c68e5d6851286de21b0183acfae5ee3c43c7
Instruction ID: e1cd4b8bf23388960fc82613fd2fc6631412144896665d49be74f52f4588d869
Opcode Fuzzy Hash: 7f49251d9c181feafe6ec1d7e1f8c68e5d6851286de21b0183acfae5ee3c43c7
Instruction Fuzzy Hash: 6F41C032E01274AADB209FD98900BEE7AB9EB9D798F10462BE85057B50C7318D059FE1

Function 6C3DF5E0 Relevance: 7.7, APIs: 5, Instructions: 241
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(CDB469A1,00000000,00000001), ref: 6C3DF69A
SymInitialize.DBGHELP(00000000,00000000,00000001), ref: 6C3DF6A7
SymEnumSymbols.DBGHELP(00000000,?,00000000,00000000,6C3DF7C0,00000000), ref: 6C3DF6BA
SymCleanup.DBGHELP(00000000,?,00000000,00000000,6C3DF7C0,00000000), ref: 6C3DF6C5

Part of subcall function 6C3E398C: AcquireSRWLockExclusive.KERNEL32(6C40C64C,?,00000001,?,6C3DF632,6C40D62C,CDB469A1,00000000,00000001), ref: 6C3E3997
Part of subcall function 6C3E398C: ReleaseSRWLockExclusive.KERNEL32(6C40C64C,?,00000001,?,6C3DF632,6C40D62C,CDB469A1,00000000,00000001), ref: 6C3E39D1

Part of subcall function 6C3E393B: AcquireSRWLockExclusive.KERNEL32(6C40C64C,00000001,?,6C3DF68E,6C40D62C,6C3FE8A0,0000002C,00000001), ref: 6C3E3945
Part of subcall function 6C3E393B: ReleaseSRWLockExclusive.KERNEL32(6C40C64C,?,6C3DF68E,6C40D62C,6C3FE8A0,0000002C,00000001), ref: 6C3E3978
Part of subcall function 6C3E393B: WakeAllConditionVariable.KERNEL32(6C40C648,?,6C3DF68E,6C40D62C,6C3FE8A0,0000002C,00000001), ref: 6C3E3983

SetLastError.KERNEL32(0000007F,CDB469A1,?,?,?,CDB469A1,00000000,00000001), ref: 6C3DF792

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$CleanupConditionCurrentEnumErrorInitializeLastProcessSymbolsVariableWake
String ID:
API String ID: 687693109-0
Opcode ID: 14bcd4ca5fac2c21bf8a83ec80fdae0512d189dd27f9754e8fb8ca14799f1502
Instruction ID: e0a84e9b83a15f2f971461c7f4dbadc2fc4018b8a99dff709e46b980ecd06fe4
Opcode Fuzzy Hash: 14bcd4ca5fac2c21bf8a83ec80fdae0512d189dd27f9754e8fb8ca14799f1502
Instruction Fuzzy Hash: 8F71F272A002049FCB04CF64C984BEEB7F8EF4D328F15465AE819A7B90D735A948CF91

Function 6C3E408F Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6C3E40CC
dllmain_crt_dispatch.LIBCMT ref: 6C3E40E3
dllmain_raw.LIBCMT ref: 6C3E412B
dllmain_crt_dispatch.LIBCMT ref: 6C3E413E
dllmain_raw.LIBCMT ref: 6C3E4151

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 21e36d493867e5d9397942c0e0e7f5099d3b1d7a265c6378c7177b0a7aeaaee3
Instruction ID: fe0ad3e8722dd0df7e7dccb73b94f77be67983b702c2809d8425011574673e16
Opcode Fuzzy Hash: 21e36d493867e5d9397942c0e0e7f5099d3b1d7a265c6378c7177b0a7aeaaee3
Instruction Fuzzy Hash: 8221A032E01274AACF218E95C840AEF3A79EB9D798F01422AF81457B50C7329D029FE1

Function 6C3E3ED8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6C3E3F25

Part of subcall function 6C3E4801: InitializeSListHead.KERNEL32(6C40C9A8,6C3E3F2F,6C409838,00000010,6C3E3EC0,?,?,?,6C3E40E8,?,00000001,?,?,00000001,?,6C409880), ref: 6C3E4806

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C3E3F8F

Strings

eD>l, xrefs: 6C3E3FA5

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID: eD>l
API String ID: 3231365870-1609485119
Opcode ID: 45c2eaa3dcb2e40495913497c7a216c938e58dd62034c2c540d9145656760020
Instruction ID: edd87c5e438b6bc5a1fc7bb4b873ab61a16018d8a095b5c2c7d917531369c81d
Opcode Fuzzy Hash: 45c2eaa3dcb2e40495913497c7a216c938e58dd62034c2c540d9145656760020
Instruction Fuzzy Hash: 46219F326892619ADB40BBA4D404BDC37B0AF1E32DF20091BD4D057E90CB67400ACFA7

Function 6C3F233B Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6C3F2387
GetFileType.KERNELBASE(00000000), ref: 6C3F2399

Memory Dump Source

Source File: 0000000F.00000002.1781780424.000000006C3D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C3D0000, based on PE: true

Associated: 0000000F.00000002.1781733544.000000006C3D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781844917.000000006C3FF000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781873068.000000006C40B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000F.00000002.1781899919.000000006C40E000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c3d0000_runshelldraw_x86.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0999d66e983e6872a65e92c37b9b74258eea1a7ff7b553535ce4c391c9e617cc
Instruction ID: 941f51f2232bd2c63f8da1a98b15e63418cc3cc26e13f9632ced6c7c30f7c6f7
Opcode Fuzzy Hash: 0999d66e983e6872a65e92c37b9b74258eea1a7ff7b553535ce4c391c9e617cc
Instruction Fuzzy Hash: C61187B2204795C6D7244E7E8E8C611BAA8A757338B340F1BE4B586AF1C2B7D487CE50

Non-executed Functions

Function 6C44D40E Relevance: 122.7, APIs: 36, Strings: 34, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,6C44CA0D,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44D411
__initp_misc_winsig.LIBCMT ref: 6C44D42C

Part of subcall function 6C44C60E: EncodePointer.KERNEL32(?,6C44D437,00000000,00000000,00000000,00000000,00000000,?,6C44CA0D,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44C613

GetModuleHandleW.KERNEL32(kernel32.dll,00000000), ref: 6C44D448
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C44D45C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C44D46F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C44D482
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C44D495
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6C44D4A8
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6C44D4BB
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6C44D4CE
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C44D4E1
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6C44D4F4
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6C44D507
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6C44D51A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6C44D52D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6C44D540
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6C44D553
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6C44D566
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6C44D579
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 6C44D58C
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 6C44D59F
GetProcAddress.KERNEL32(00000000,GetLogicalProcessorInformation), ref: 6C44D5B2
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 6C44D5C5
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C44D5D8
GetProcAddress.KERNEL32(00000000,EnumSystemLocalesEx), ref: 6C44D5EB
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 6C44D5FE
GetProcAddress.KERNEL32(00000000,GetDateFormatEx), ref: 6C44D611
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C44D624
GetProcAddress.KERNEL32(00000000,GetTimeFormatEx), ref: 6C44D637
GetProcAddress.KERNEL32(00000000,GetUserDefaultLocaleName), ref: 6C44D64A
GetProcAddress.KERNEL32(00000000,IsValidLocaleName), ref: 6C44D65D
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 6C44D670
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 6C44D683
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 6C44D696
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleExW), ref: 6C44D6A9
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandleW), ref: 6C44D6BC

Strings

GetCurrentProcessorNumber, xrefs: 6C44D594
LCMapStringEx, xrefs: 6C44D665
CreateSymbolicLinkW, xrefs: 6C44D5BA
GetUserDefaultLocaleName, xrefs: 6C44D63F
CompareStringEx, xrefs: 6C44D5F3
kernel32.dll, xrefs: 6C44D443
CloseThreadpoolWait, xrefs: 6C44D55B
WaitForThreadpoolTimerCallbacks, xrefs: 6C44D50F
FlsAlloc, xrefs: 6C44D456
CreateSemaphoreExW, xrefs: 6C44D4C3
FlsSetValue, xrefs: 6C44D48A
GetLocaleInfoEx, xrefs: 6C44D619
SetFileInformationByHandleW, xrefs: 6C44D6B1
EnumSystemLocalesEx, xrefs: 6C44D5E0
SetThreadStackGuarantee, xrefs: 6C44D4D6
SetThreadpoolWait, xrefs: 6C44D548
CloseThreadpoolTimer, xrefs: 6C44D522
GetDateFormatEx, xrefs: 6C44D606
CreateThreadpoolTimer, xrefs: 6C44D4E9
SetDefaultDllDirectories, xrefs: 6C44D5CD
GetCurrentPackageId, xrefs: 6C44D678
CreateThreadpoolWait, xrefs: 6C44D535
InitializeCriticalSectionEx, xrefs: 6C44D49D
CreateEventExW, xrefs: 6C44D4B0
FlsFree, xrefs: 6C44D464
FlushProcessWriteBuffers, xrefs: 6C44D573
GetTimeFormatEx, xrefs: 6C44D62C
FlsGetValue, xrefs: 6C44D477
GetFileInformationByHandleExW, xrefs: 6C44D6A3
IsValidLocaleName, xrefs: 6C44D652
SetThreadpoolTimer, xrefs: 6C44D4FC
GetLogicalProcessorInformation, xrefs: 6C44D5A7
GetTickCount64, xrefs: 6C44D68B
FreeLibraryWhenCallbackReturns, xrefs: 6C44D581

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressProc$EncodePointer$HandleModule__initp_misc_winsig
String ID: CloseThreadpoolTimer$CloseThreadpoolWait$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$EnumSystemLocalesEx$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetDateFormatEx$GetFileInformationByHandleExW$GetLocaleInfoEx$GetLogicalProcessorInformation$GetTickCount64$GetTimeFormatEx$GetUserDefaultLocaleName$InitializeCriticalSectionEx$IsValidLocaleName$LCMapStringEx$SetDefaultDllDirectories$SetFileInformationByHandleW$SetThreadStackGuarantee$SetThreadpoolTimer$SetThreadpoolWait$WaitForThreadpoolTimerCallbacks$kernel32.dll
API String ID: 1581159588-2934716456
Opcode ID: f7fdf553ed3f886bdb4846b86893042ecf6feb6b9d1aec0f6b167d566c3be105
Instruction ID: acf242d8897e2172499151f29dba1bacb337b9d793982624e76bd7a5c3abc207
Opcode Fuzzy Hash: f7fdf553ed3f886bdb4846b86893042ecf6feb6b9d1aec0f6b167d566c3be105
Instruction Fuzzy Hash: FA614A72E22258ABFB40FFB9EC94D56FBF8FB97704310981EA620D2914D6749061CF58

Function 6C4C63C7 Relevance: 110.9, APIs: 53, Strings: 10, Instructions: 671stringwindowCOMMON

Download Yara Rule

APIs

_set_error_mode.MSVCR120(00000003), ref: 6C4C63EB
_set_error_mode.MSVCR120(00000003), ref: 6C4C63FE

Part of subcall function 6C49B3D7: _errno.MSVCR120(?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49B402
Part of subcall function 6C49B3D7: _invalid_parameter_noinfo.MSVCR120(?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49B40D

strcpy_s.MSVCR120(?,00000240,Assertion failed!), ref: 6C4C642D
strcat_s.MSVCR120(?,00000240), ref: 6C4C644F
strcat_s.MSVCR120(?,00000240,Program: ), ref: 6C4C6470
GetModuleHandleExW.KERNEL32(00000006,?,?), ref: 6C4C648C
GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 6C4C64C8
strcpy_s.MSVCR120(?,00000105,<program name unknown>), ref: 6C4C64E3
strlen.MSVCR120(?), ref: 6C4C6500
strlen.MSVCR120(?), ref: 6C4C6515
memcpy_s.MSVCR120(00000000,?,00000003,?), ref: 6C4C653D
strcat_s.MSVCR120(?,00000240,?), ref: 6C4C655F
strcat_s.MSVCR120(?,00000240), ref: 6C4C6581
strcat_s.MSVCR120(?,00000240,File: ), ref: 6C4C65A2
strlen.MSVCR120(?), ref: 6C4C65B3
strlen.MSVCR120(?), ref: 6C4C65C6
__cftof.LIBCMT(?,00000240,?,00000035), ref: 6C4C6620
strcat_s.MSVCR120(?,00000240), ref: 6C4C663E
strcat_s.MSVCR120(?,00000240,?), ref: 6C4C665F
strcat_s.MSVCR120(?,00000240), ref: 6C4C667D
strcat_s.MSVCR120(?,00000240,Line: ), ref: 6C4C669A
strlen.MSVCR120(?,0000000A), ref: 6C4C66B3
strlen.MSVCR120(?,00000240,0000000A), ref: 6C4C66C5
__itow_s.LIBCMT(?,?,00000240,0000000A), ref: 6C4C66D6
strcat_s.MSVCR120(?,00000240), ref: 6C4C66F4
strcat_s.MSVCR120(?,00000240,Expression: ), ref: 6C4C6711
strlen.MSVCR120(?), ref: 6C4C6728
strlen.MSVCR120(?,?), ref: 6C4C6736
strlen.MSVCR120(?), ref: 6C4C6759
__cftof.LIBCMT(?,00000240,?,0000018D,?), ref: 6C4C676F
strcat_s.MSVCR120(?,00000240), ref: 6C4C678D
strcat_s.MSVCR120(?,00000240), ref: 6C4C67AB
strcat_s.MSVCR120(?,00000240,For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts), ref: 6C4C67C8
strcat_s.MSVCR120(?,00000240), ref: 6C4C67E6
strcat_s.MSVCR120(?,00000240,(Press Retry to debug the application - JIT must be enabled)), ref: 6C4C6803
___crtMessageBoxW.LIBCMT ref: 6C4C6824
__cftof.LIBCMT(?,00000240,?,00000035), ref: 6C4C6854
strcat_s.MSVCR120(?,00000240), ref: 6C4C6876
__cftof.LIBCMT(?,00000240,?,00000023), ref: 6C4C68A9
strcat_s.MSVCR120(?,00000240), ref: 6C4C68C7
__cftof.LIBCMT(?,00000240,?,00000008), ref: 6C4C68E6
strcat_s.MSVCR120(?,00000240), ref: 6C4C6900
__p__iob.MSVCR120 ref: 6C4C693E
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4C6953
_raise.LIBCMT(00000016,00000000,00000000,00000000,00000000,00000000), ref: 6C4C695A
_exit.MSVCR120(00000003,00000000,00000000,00000000,00000000,00000000), ref: 6C4C6962
__p__iob.MSVCR120(00000000,00000004,00000000), ref: 6C4C696D
setvbuf.MSVCR120(-00000040,00000000,00000004,00000000), ref: 6C4C6976
__p__iob.MSVCR120(Assertion failed: %s, file %s, line %d,?,?,?), ref: 6C4C698D
fprintf.MSVCR120(-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6C4C6996
__p__iob.MSVCR120(-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6C4C699B
fflush.MSVCR120(-00000040,-00000040,Assertion failed: %s, file %s, line %d,?,?,?), ref: 6C4C69A4
_abort.LIBCMT ref: 6C4C69AC

Strings

For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 6C4C6A10, 6C4C67BB
Assertion failed!, xrefs: 6C4C69B4, 6C4C6414
File: , xrefs: 6C4C6591
Assertion failed: %s, file %s, line %d, xrefs: 6C4C6988
Expression: , xrefs: 6C4C6704
(Press Retry to debug the application - JIT must be enabled), xrefs: 6C4C6A80, 6C4C67F6
<program name unknown>, xrefs: 6C4C64D2
Microsoft Visual C++ Runtime Library, xrefs: 6C4C6AC0, 6C4C681E
Program: , xrefs: 6C4C69C8, 6C4C645F
Line: , xrefs: 6C4C668D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: strcat_s$strlen$__cftof$__p__iob$Module_set_error_modestrcpy_s$FileHandleMessageName___crt__itow_s_abort_errno_exit_invalid_parameter_noinfo_invoke_watson_raisefflushfprintfmemcpy_ssetvbuf
String ID: (Press Retry to debug the application - JIT must be enabled)$<program name unknown>$Assertion failed!$Assertion failed: %s, file %s, line %d$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Microsoft Visual C++ Runtime Library$Program:
API String ID: 349605258-2333777566
Opcode ID: 1f3f4d24f1dcb1048ed8e3c243b1d12591f756c1b90c28de9f37534d1272792f
Instruction ID: ff1b9189ceec50fd70c9b069b59c5aaa7d07387b290fca85f940a9d2dbe77ffd
Opcode Fuzzy Hash: 1f3f4d24f1dcb1048ed8e3c243b1d12591f756c1b90c28de9f37534d1272792f
Instruction Fuzzy Hash: 56227B76F042596AEB11D6758D48FFA7BBDDF02318F08C4A9E908D6A62F631C604C783

Function 6C44AD6C Relevance: 95.7, APIs: 40, Strings: 14, Instructions: 1204COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6C44AED2
DName::DName.LIBCMT ref: 6C44AF0B
DName::operator+.LIBCMT ref: 6C44AF12
DName::DName.LIBCMT ref: 6C44AFAA
DName::operator+.LIBCMT ref: 6C44AFB1
DName::DName.LIBCMT ref: 6C44B0FB
DName::operator+.LIBCMT ref: 6C44B102
DName::DName.LIBCMT ref: 6C44B226
DName::operator+.LIBCMT ref: 6C44B22D
UnDecorator::getVfTableType.LIBCMT ref: 6C47BBC4

Strings

extern "C" , xrefs: 6C47BF72
`template static data member destructor helper', xrefs: 6C47BD3E
`vtordispex{, xrefs: 6C47BA44
private: , xrefs: 6C47BEFD
}' , xrefs: 6C47B837, 6C47BB21
protected: , xrefs: 6C47BF23
`vtordisp{, xrefs: 6C47BAD0
`template static data member constructor helper', xrefs: 6C47BCF0
virtual , xrefs: 6C47BEBA
`local static destructor helper', xrefs: 6C47BC9F
[thunk]:, xrefs: 6C47BF45
static , xrefs: 6C44B0F3
`adjustor{, xrefs: 6C47BB08
public: , xrefs: 6C44B21E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getTableType
String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 693871946-3028518216
Opcode ID: 1965e7e5606811846f0f7586a136ef2d4fa099017d624edfe2276331a21eb69b
Instruction ID: a73b214f40d4a2040f679f5e0604d983375e3a47d61544ac2b9a236edb7b8b6c
Opcode Fuzzy Hash: 1965e7e5606811846f0f7586a136ef2d4fa099017d624edfe2276331a21eb69b
Instruction Fuzzy Hash: 3D926272E505099BEB15CEA8C895FED77B5EF08305F24813DE925E7B80EB34D9098B60

Function 6C4B1AB7 Relevance: 71.1, APIs: 38, Strings: 2, Instructions: 1065COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4B1B18
_invalid_parameter_noinfo.MSVCR120 ref: 6C4B1B23

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

isspace.MSVCR120(?,?), ref: 6C4B1B67
__whiteout.LIBCMT ref: 6C4B1B7F
isspace.MSVCR120(00000000,?), ref: 6C4B1B91
isdigit.MSVCR120(00000000,?), ref: 6C4B1C0B

Strings

?, xrefs: 6C4B2339
, xrefs: 6C4B2416

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: isspace$__whiteout_errno_invalid_parameter_invalid_parameter_noinfoisdigit
String ID: $?
API String ID: 3408345096-2156024681
Opcode ID: d7b492d2d9de3e86fa02ffac3be89d11bcb97c58f0de0fa83bc8fbbb6abc5d98
Instruction ID: 4f13a0a3dbda6fd9ef0bc6d78ca88bd8d4ca8290eb1a67738e1e0ac2973b2018
Opcode Fuzzy Hash: d7b492d2d9de3e86fa02ffac3be89d11bcb97c58f0de0fa83bc8fbbb6abc5d98
Instruction Fuzzy Hash: 9E929070D052698FDB35CB298894FE9BBB4AF0A319F1440DAD55CB7B41DB309A82CF61

Function 6C4B4DB2 Relevance: 64.3, APIs: 42, Instructions: 1273COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4B4E21
_invalid_parameter_noinfo.MSVCR120 ref: 6C4B4E2C

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

iswctype.MSVCR120(00000000,00000008,?), ref: 6C4B4E73
__whiteout.LIBCMT ref: 6C4B4E8C
iswctype.MSVCR120(00000000,00000008,?), ref: 6C4B4EA5
isdigit.MSVCR120(00000000,?), ref: 6C4B4F56

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: iswctype$__whiteout_errno_invalid_parameter_invalid_parameter_noinfoisdigit
String ID:
API String ID: 794361993-0
Opcode ID: 03df0085fb7a960be539c882b1acd13b2bf7b46a6ef2bef508986a5e616091f3
Instruction ID: 83406d4a84ddeed9b57c234bda448f5e94750f158ff01ebe98a3eca5e757a541
Opcode Fuzzy Hash: 03df0085fb7a960be539c882b1acd13b2bf7b46a6ef2bef508986a5e616091f3
Instruction Fuzzy Hash: 6FA2BF71D4626A8BEB25CB29C888FEDF7B4AB05315F6441EAD449B7B40DA704EC1CF60

Function 6C435C91 Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 335timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_wcspbrk.LIBCMT(?,6C435F14), ref: 6C435CC5
towlower.MSVCR120(00000000), ref: 6C435CF2
FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6C435D10
FileTimeToSystemTime.KERNEL32(?,?), ref: 6C435D4F
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 6C435D66
FileTimeToSystemTime.KERNEL32(?,?), ref: 6C435DCE
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 6C435DE5
FileTimeToSystemTime.KERNEL32(?,?), ref: 6C435E4D
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 6C435E64
FindClose.KERNEL32(?), ref: 6C435EB8

Part of subcall function 6C43619F: wcsrchr.MSVCR120(6C435ECA,0000002E,00000000,?,?,6C435ECA,00000400,?), ref: 6C4361FA
Part of subcall function 6C43619F: _wcsicmp.MSVCR120(00000000,.exe,00000000,?,?,6C435ECA,00000400,?), ref: 6C43620D
Part of subcall function 6C43619F: _wcsicmp.MSVCR120(00000000,.cmd,00000000,?,?,6C435ECA,00000400,?), ref: 6C43621E
Part of subcall function 6C43619F: _wcsicmp.MSVCR120(00000000,.bat,00000000,?,?,6C435ECA,00000400,?), ref: 6C43622F
Part of subcall function 6C43619F: _wcsicmp.MSVCR120(00000000,.com,00000000,?,?,6C435ECA,00000400,?), ref: 6C436240

_getdrive.MSVCR120 ref: 6C44F5D8
GetLastError.KERNEL32 ref: 6C44F5E2
_errno.MSVCR120 ref: 6C44F6E1
__doserrno.MSVCR120 ref: 6C44F6EB
__doserrno.MSVCR120 ref: 6C4743BF
_errno.MSVCR120 ref: 6C4743C6
_invalid_parameter_noinfo.MSVCR120 ref: 6C4743D1
GetDriveTypeW.KERNEL32(?), ref: 6C4743E1
free.MSVCR120(?), ref: 6C474400
_errno.MSVCR120 ref: 6C474523
__dosmaperr.LIBCMT(00000000), ref: 6C47453A
FindClose.KERNEL32(?), ref: 6C474549

Part of subcall function 6C435F93: _get_daylight.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C436067
Part of subcall function 6C435F93: _get_dstbias.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C436079
Part of subcall function 6C435F93: _get_timezone.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C43608B

Strings

./\, xrefs: 6C44F673

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time$System$File_wcsicmp$FindLocalSpecific_errno$Close__doserrno$DriveErrorFirstLastType__dosmaperr_get_daylight_get_dstbias_get_timezone_getdrive_invalid_parameter_noinfo_wcspbrkfreetowlowerwcsrchr
String ID: ./\
API String ID: 4076242085-3176372042
Opcode ID: f13ef84b9b53287cd365cfdcf79aba7867b6ea8feb1e302faa3867fddad133fd
Instruction ID: 6a6e81067f0465a6a75a8323a2ca25e181d2b1259645ca8c1cf033d5b2f7074a
Opcode Fuzzy Hash: f13ef84b9b53287cd365cfdcf79aba7867b6ea8feb1e302faa3867fddad133fd
Instruction Fuzzy Hash: 55C1B6B19052289EEB20CF268C44FBAB7F8FF49315F10469EE55DD2690E7348985CF64

Function 6C440189 Relevance: 54.8, APIs: 30, Strings: 1, Instructions: 552fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_isatty.MSVCR120(?,00000000,00000000,00000000), ref: 6C440222
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6C440263
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6C44044F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C44045D
_getptd.MSVCR120(00000000,00000000,00000000), ref: 6C440545
GetConsoleMode.KERNEL32(?,?,00000000,00000000,00000000), ref: 6C44057B
__dosmaperr.LIBCMT(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C4405A2
__doserrno.MSVCR120(00000000,00000000), ref: 6C47E83E
_errno.MSVCR120(00000000,00000000), ref: 6C47E845
_invalid_parameter_noinfo.MSVCR120(00000000,00000000), ref: 6C47E850
__doserrno.MSVCR120(00000000,00000000,00000000), ref: 6C47E866
_errno.MSVCR120(00000000,00000000,00000000), ref: 6C47E86D
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000), ref: 6C47E878
GetConsoleCP.KERNEL32 ref: 6C47E8B1
mbtowc.MSVCR120(?,?,00000001), ref: 6C47E9B2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,6C475D30,00000005,00000000,00000000), ref: 6C47E9F0
WriteFile.KERNEL32(?,6C475D30,00000000,?,00000000), ref: 6C47EA28

Strings

0]Gl, xrefs: 6C440189

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: FileWrite$Console__doserrno_errno_invalid_parameter_noinfo$ByteCharErrorLastModeMultiWide__dosmaperr_getptd_isattymbtowc
String ID: 0]Gl
API String ID: 1935141453-1312255727
Opcode ID: 1a7c60b65304d3bf367e93f5821fb52543bf0c61997c88b31886fd56ba26f5f3
Instruction ID: e3150c1b489d968293d4bc25b0d3caa3c770c90067089a4b32fd14c059e53677
Opcode Fuzzy Hash: 1a7c60b65304d3bf367e93f5821fb52543bf0c61997c88b31886fd56ba26f5f3
Instruction Fuzzy Hash: FC322975B022688FEB24CF59D880ED9B7B5FB4A315F1441D9E41AA7B80D7309E81CF92

Function 6C4B8B41 Relevance: 46.8, APIs: 25, Strings: 1, Instructions: 1253COMMON

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_errno.MSVCR120(?), ref: 6C4B8BAF
_errno.MSVCR120(?), ref: 6C4B8BC4
_errno.MSVCR120(?,?), ref: 6C4B903A
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4B8BCF

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

wcstol.MSVCR120(?,?,0000000A,?,?), ref: 6C4B8CE5
memset.MSVCR120(?,00000000,00000640,?), ref: 6C4B8D17
wcstol.MSVCR120(?,?,0000000A,?,?), ref: 6C4B8D57
_invalid_parameter_noinfo.MSVCR120(?,?), ref: 6C4B9045

Strings

X, xrefs: 6C4B8BF0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfowcstol$_getptd_invalid_parametermemset
String ID: X
API String ID: 277282848-3081909835
Opcode ID: 5aa8ac62341d97fc44cd46c0e77ab9c259edc7217695a255b801bdfdd2746741
Instruction ID: 67a44565ed103d8608aa75cc5411caf2d6b5280518b2932d8d5004878b00525d
Opcode Fuzzy Hash: 5aa8ac62341d97fc44cd46c0e77ab9c259edc7217695a255b801bdfdd2746741
Instruction Fuzzy Hash: 7BB29E71B053298AEB24CE19CC80F99B7B1AB76319F1445DAD40DF7B80D7729A81CF62

Function 6C448D59 Relevance: 40.8, APIs: 27, Instructions: 275stringtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(00000007,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448D7E

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

__tzname.MSVCR120(6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448D87
_get_timezone.MSVCR120(0000003B,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448D93
_get_daylight.MSVCR120(?,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448DA5
_get_dstbias.MSVCR120(?,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448DB7
___lc_codepage_func.MSVCR120(6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448DC5

Part of subcall function 6C437060: strlen.MSVCR120(00000000,00000064,00000000,?,6C448DEB,6C448F1C,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000), ref: 6C43707C
Part of subcall function 6C437060: strlen.MSVCR120(00000000,00000064,00000000,?,6C448DEB,6C448F1C,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000), ref: 6C43708B
Part of subcall function 6C437060: _mbsnbicoll.MSVCR120(00000000,00000000,00000000,00000064,00000000,?,6C448DEB,6C448F1C,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190), ref: 6C4370A7

GetTimeZoneInformation.KERNEL32(6C500C00,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C448E0B
WideCharToMultiByte.KERNEL32(?,00000000,6C500C04,000000FF,6C474437,0000003F,00000000,?), ref: 6C448E84
WideCharToMultiByte.KERNEL32(?,00000000,6C500C58,000000FF,1CC48320,0000003F,00000000,?), ref: 6C448EBC
__timezone.MSVCR120 ref: 6C448EE3
__daylight.MSVCR120 ref: 6C448EED
__dstbias.MSVCR120 ref: 6C448EF7
strcmp.MSVCR120(00000000,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766A5
free.MSVCR120(00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766BA
strlen.MSVCR120(00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766C1
_malloc_crt.MSVCR120(00000001,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766C8
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C476709
free.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?), ref: 6C47670F
strncpy_s.MSVCR120(6C474437,00000040,00000000,00000003), ref: 6C47672A
atol.MSVCR120(-00000003), ref: 6C476747

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__timezone__tzname_get_daylight_get_dstbias_get_timezone_invoke_watson_lock_malloc_crt_mbsnbicollatolstrcmpstrncpy_s
String ID:
API String ID: 427740661-0
Opcode ID: 2666d0f23e574e418ae2bbb06282acbb49fd0a904f96e28238357683ea26968f
Instruction ID: 057ac1fb3d46f2d99729359eba3e21455c6985321ebdbbfb155c87649ec7a132
Opcode Fuzzy Hash: 2666d0f23e574e418ae2bbb06282acbb49fd0a904f96e28238357683ea26968f
Instruction Fuzzy Hash: 82A1A070E042459EEB10DFA9C941EEDBBB9FF4A758F24401EE014EB790DB389845CBA4

Function 6C49E060 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(00000000,?), ref: 6C49E082
_invalid_parameter_noinfo.MSVCR120(00000000,?), ref: 6C49E08D

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6C49E0B0
GetLastError.KERNEL32 ref: 6C49E0BA
_errno.MSVCR120 ref: 6C49E0D6
_errno.MSVCR120 ref: 6C49E0E3
_errno.MSVCR120 ref: 6C49E0F0
___time64_t_from_ft.LIBCMT ref: 6C49E115

Part of subcall function 6C49D1A9: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,6C49D935,?), ref: 6C49D1CC
Part of subcall function 6C49D1A9: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,6C49D935,?), ref: 6C49D1E0
Part of subcall function 6C49D1A9: ___loctotime32_t.LIBCMT ref: 6C49D20A

___time64_t_from_ft.LIBCMT ref: 6C49E124
___time64_t_from_ft.LIBCMT ref: 6C49E133
wcscpy_s.MSVCR120(?,00000104,?,?,?,?), ref: 6C49E164
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C49E179
_errno.MSVCR120(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49E18A
_invalid_parameter_noinfo.MSVCR120(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49E195
_errno.MSVCR120(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49E1A8
_invalid_parameter_noinfo.MSVCR120(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49E1B3
memset.MSVCR120(00000000,00000000,00000010,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49E1C2
GetDiskFreeSpaceA.KERNEL32(00000000,00000008,0000000C,00000004,00000000), ref: 6C49E1F3
GetLastError.KERNEL32(00000000), ref: 6C49E1FE
_errno.MSVCR120 ref: 6C49E206

Strings

:\, xrefs: 6C49E1D5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$Time$___time64_t_from_ft_invalid_parameter_noinfo$ErrorFileLastSystem$DiskFindFreeLocalNextSpaceSpecific___loctotime32_t_invalid_parameter_invoke_watsonmemsetwcscpy_s
String ID: :\
API String ID: 2675026314-112054617
Opcode ID: f1670908649b3fc3887560ff7855e1421fa5ca46e01552945cca73d299ac6d70
Instruction ID: 41f2b5f41b6e1cae5d213ee5499f4065430f49713c738631b1d5445f4cc4722c
Opcode Fuzzy Hash: f1670908649b3fc3887560ff7855e1421fa5ca46e01552945cca73d299ac6d70
Instruction Fuzzy Hash: 2D51C072A002289BDB20DFA5DC84FEEBBB8AF49315F04455EE519C7B40E734D5848BE5

Function 6C448579 Relevance: 27.2, APIs: 18, Instructions: 209COMMON

Download Yara Rule

APIs

__crtGetLocaleInfoEx.MSVCR120(?,?,?,00000040), ref: 6C4484ED
_wcsicmp.MSVCR120(0000009C,?), ref: 6C448502
_wcsnicmp.MSVCR120(0000009C,?,?), ref: 6C448529
_TestDefaultCountry.LIBCMT ref: 6C448544
wcslen.MSVCR120(?), ref: 6C448557
wcsncpy_s.MSVCR120(000002EC,00000055,?,00000001,?), ref: 6C448568
_getptd.MSVCR120 ref: 6C448597
__crtGetLocaleInfoEx.MSVCR120(?,?,?,00000040), ref: 6C4485C0
_wcsicmp.MSVCR120(?,?), ref: 6C4485DB

Part of subcall function 6C42F840: _wcsicmp_l.MSVCR120(?,?,00000000), ref: 6C42F858

__crtGetLocaleInfoEx.MSVCR120(?,?,?,00000080), ref: 6C44861A
_wcsicmp.MSVCR120(0000009C,?), ref: 6C448633
wcslen.MSVCR120(?), ref: 6C480496
wcsncpy_s.MSVCR120(000002EC,00000055,?,00000001,?), ref: 6C4804A7
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4804FF
__crtGetLocaleInfoEx.MSVCR120(?,2000000B,?,00000002,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?), ref: 6C480519

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocale__crt$_wcsicmp$wcslenwcsncpy_s$CountryDefaultTest_getptd_invoke_watson_wcsicmp_l_wcsnicmp
String ID:
API String ID: 2789717988-0
Opcode ID: 13e633a513e132952540ef6a236947f55a83f61073885820b2ade926e2198c63
Instruction ID: ecb5d27ecef72a67f2deca66292f158a81d3dde99f7018a69d930dc23bb02f62
Opcode Fuzzy Hash: 13e633a513e132952540ef6a236947f55a83f61073885820b2ade926e2198c63
Instruction Fuzzy Hash: C55108715521155BFF04CA24CC82FAA33ACEF01719F24C0AAED18CAA85EF74D945CBE4

Function 6C444FC6 Relevance: 25.9, APIs: 17, Instructions: 443COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C445D05: __EH_prolog3.LIBCMT ref: 6C445D0C
Part of subcall function 6C445D05: ??2@YAPAXI@Z.MSVCR120(00000090,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445D35

?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR120(5425FDEF,?,00000180,?), ref: 6C445027

Part of subcall function 6C4444E0: __EH_prolog3.LIBCMT ref: 6C4444E7

Part of subcall function 6C4444FF: GetNumaHighestNodeNumber.KERNEL32(?,?,6C445034,5425FDEF,?,00000180,?), ref: 6C444509

??_U@YAPAXI@Z.MSVCR120(00000000,5425FDEF,?,00000180,?), ref: 6C445059
??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C4450A3
??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C4450BB
memset.MSVCR120(?,00000000,?), ref: 6C4450D1
memset.MSVCR120(?,00000000,?,?,00000180,?), ref: 6C4450E4
Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 6C445160
??2@YAPAXI@Z.MSVCR120(000000C0), ref: 6C445250
??2@YAPAXI@Z.MSVCR120(00000088,?,00000000,00000000,?,?,00000000,000000C0,000000C0), ref: 6C4452EB

Part of subcall function 6C444F63: ??2@YAPAXI@Z.MSVCR120(0000000C,?,00000000,00000000,00000000,00000000,?,6C4453A3,?,?,?,?,?,?,?,00000000), ref: 6C444F88

free.MSVCR120(?,?,?,?,?,?,00000000,00000000,?,?,00000000,000000C0,000000C0), ref: 6C4453E5
??_U@YAPAXI@Z.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000180,?), ref: 6C44542F
__crtCreateSemaphoreExW.MSVCR120(00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,?,?,?,?,00000180,?), ref: 6C4454A1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@$H_prolog3NodeQuickmemset$Concurrency::details::Concurrency@@Count@CreateHighestNumaNumberProcessorSemaphoreSet::__crtfree
String ID:
API String ID: 1225761749-0
Opcode ID: 2e1efb27472cce662bf803a3534019714a94b1370e7f2fcb4ac4fd2cc44ab933
Instruction ID: 879155c37eb58683f758b157f302cc4a702e17d24c77af9457480b84ed32bf92
Opcode Fuzzy Hash: 2e1efb27472cce662bf803a3534019714a94b1370e7f2fcb4ac4fd2cc44ab933
Instruction Fuzzy Hash: 20025CB1605741AFD714CF28C884E9ABBE4FF89314F108A2EE59AC7750DB30E815CB91

Function 6C448036 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_getptd.MSVCR120(?,00000000,00000055,00000000,?,6C4481D9,?,?,?,?,00000000,00000000,00000000), ref: 6C44803D

Part of subcall function 6C4483EE: __crtGetUserDefaultLocaleName.MSVCR120(?,00000055,0000009C), ref: 6C448415
Part of subcall function 6C4483EE: wcslen.MSVCR120(?,0000009C), ref: 6C448428
Part of subcall function 6C4483EE: wcsncpy_s.MSVCR120(?,00000055,?,00000001,?,0000009C), ref: 6C44843F

Part of subcall function 6C447FE9: wcscmp.MSVCR120(?,ACP,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C448008
Part of subcall function 6C447FE9: wcscmp.MSVCR120(?,OCP,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C44801D
Part of subcall function 6C447FE9: _wtol.MSVCR120(?,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C44802D

IsValidCodePage.KERNEL32(00000000,?,00000000,00000055,00000000,?,6C4481D9,?,?,?,?,00000000,00000000,00000000), ref: 6C4480C4
wcslen.MSVCR120(?,?,6C4481D9,?,?,?,?,00000000,00000000,00000000), ref: 6C4480F4
wcsncpy_s.MSVCR120(6C4482F9,00000055,?,00000001,?,?,6C4481D9,?,?,?,?,00000000,00000000,00000000), ref: 6C448101
__crtGetLocaleInfoEx.MSVCR120(6C4482F9,00001001,6C4481D9,00000040,?,6C4481D9,?,?,?,?,00000000,00000000,00000000), ref: 6C44811A
__crtGetLocaleInfoEx.MSVCR120(6C4482F9,00001002,6C448259,00000040,?,?,?,?,?,6C4481D9,?,?,?,?,00000000,00000000), ref: 6C44813F
wcschr.MSVCR120(6C448259,0000005F,?,?,?,?,?,?,?,?,?,6C4481D9,?,?,?), ref: 6C448152
wcschr.MSVCR120(6C448259,0000002E,?,?,?,?,?,?,?,?,?,6C4481D9,?,?,?), ref: 6C448164
_itow_s.MSVCR120(00000000,6C4482D9,00000010,0000000A), ref: 6C44817F

Strings

t3HlE, xrefs: 6C480554

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Locale__crt$Infowcschrwcscmpwcslenwcsncpy_s$CodeDefaultNamePageUserValid_getptd_itow_s_wtol
String ID: t3HlE
API String ID: 2649615383-2576984977
Opcode ID: ce3f7eb4d29f64297dc728a76239ad7c8a0189124ef2e5e65966d2151fbefb95
Instruction ID: dfa67c75b4c5e844c6782cde883d7ee9513ccab996abc4d4a6ddf82fa5ce8004
Opcode Fuzzy Hash: ce3f7eb4d29f64297dc728a76239ad7c8a0189124ef2e5e65966d2151fbefb95
Instruction Fuzzy Hash: 60513275A01605AAF710DB79CC41FA673A8EF4830AF34882BE958DBB80FB70D54486E1

Function 6C441BFC Relevance: 22.7, APIs: 15, Instructions: 214stringCOMMON

Download Yara Rule

APIs

__crtGetLocaleInfoEx.MSVCR120(?,00001004,?,00000002,?,?,00000000), ref: 6C4419EA
free.MSVCR120(00006A69), ref: 6C441A0D
_calloc_crt.MSVCR120(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C441BBB
strncpy_s.MSVCR120(00000000,?,00000000,?), ref: 6C441BDB
__crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,00000000), ref: 6C441C46
_calloc_crt.MSVCR120(00000000,00000002,?,?,?,00000000), ref: 6C441C5B
__crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,?,00000000), ref: 6C441C77
free.MSVCR120(00000000), ref: 6C47F249

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocale__crt$_calloc_crtfree$strncpy_s
String ID:
API String ID: 2184820072-0
Opcode ID: 9fa10a5ef90e7c2c6245f4fe62104967acd09c76a919b55ea5a4619f5565b351
Instruction ID: 2f98cdb5a640fe3696e53b76b4f6723127265498d5d9885471f9c86f02ba5197
Opcode Fuzzy Hash: 9fa10a5ef90e7c2c6245f4fe62104967acd09c76a919b55ea5a4619f5565b351
Instruction Fuzzy Hash: 5961F6719012169FFF20CF65DD41F9A7BB8FF01359F208599E808E2A10EB31C954CBA0

Function 6C446BF4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,.iDl), ref: 6C446C19
??0exception@std@@QAE@XZ.MSVCR120 ref: 6C4724B7
_CxxThrowException.MSVCR120(?,6C4FCFD8), ref: 6C4724D2
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000,?,6C4469B0,00000002,00000001), ref: 6C4724D8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000,?,6C4469B0,00000002), ref: 6C4724EE
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000), ref: 6C4724FC
GetCurrentThread.KERNEL32 ref: 6C47250A
??2@YAPAXI@Z.MSVCR120(0000000C,00000000), ref: 6C47251B
??2@YAPAXI@Z.MSVCR120(00000008,00000000), ref: 6C472544

Strings

.iDl, xrefs: 6C472511, 6C446C07

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@ExceptionThrow$??0exception@std@@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCurrentErrorLastThreadVersion
String ID: .iDl
API String ID: 124800099-4139667660
Opcode ID: 601be0c79be1f17b498ef4715c5eafa636d31b31c57767b49a392dbc7c398aa1
Instruction ID: 9cd41339089cc282116b86d52f75d8a0539da2f3e10522e375c617e6872dcbee
Opcode Fuzzy Hash: 601be0c79be1f17b498ef4715c5eafa636d31b31c57767b49a392dbc7c398aa1
Instruction Fuzzy Hash: 3341CF70A02169DBEB21DF68CC98FDDB7B4EB0A309F11815EE144D7A80DB348955CBE8

Function 6C48D846 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

??0exception@std@@QAE@XZ.MSVCR120 ref: 6C48D8C3
_CxxThrowException.MSVCR120(twHl,6C4FCF5C), ref: 6C48D8F1

Part of subcall function 6C48DCC4: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120(00000000), ref: 6C48DCE1

??0exception@std@@QAE@XZ.MSVCR120(00000004,?,00000000), ref: 6C48D8DC

Part of subcall function 6C493BC9: __EH_prolog3_catch.LIBCMT ref: 6C493BD0
Part of subcall function 6C493BC9: InterlockedPopEntrySList.KERNEL32(?,?,?,6C473091,00000000,00000000), ref: 6C493BF1
Part of subcall function 6C493BC9: __crtGetTickCount64.MSVCR120(?,?,?,6C473091,00000000,00000000), ref: 6C493C14

Concurrency::details::WorkItem::BindTo.LIBCMT ref: 6C48D983

Part of subcall function 6C49669C: Concurrency::details::InternalContextBase::PrepareForUse.LIBCMT ref: 6C4966BE

Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCMT ref: 6C48D9B0
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCMT ref: 6C48D9CE

Strings

twHl, xrefs: 6C48D8CF, 6C48D8F0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::$Base::ContextInternal$??0exception@std@@ReleaseSchedulerSpin$BindConcurrency@@Count64EntryExceptionH_prolog3_catchInterlockedItem::ListOnce@?$_PrepareThrowTickValueWait@$00@details@Work__crt
String ID: twHl
API String ID: 1328105426-3892543100
Opcode ID: 3ab5f508d6600e6a6bf869b2a19a6dae166c6d345f0053a884ed525656206c45
Instruction ID: 74478fa79177bb3614ca3d21c8e572c4dc10180e47d36480995762c9a3ef23ae
Opcode Fuzzy Hash: 3ab5f508d6600e6a6bf869b2a19a6dae166c6d345f0053a884ed525656206c45
Instruction Fuzzy Hash: A2519E72A02116ABD704DF64C890EE9B778EF45718F11825AE92667B91DB30ED09CBD0

Function 6C447FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

wcscmp.MSVCR120(?,ACP,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C448008
wcscmp.MSVCR120(?,OCP,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C44801D
_wtol.MSVCR120(?,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?,?,?), ref: 6C44802D

Part of subcall function 6C43C8E3: wcstol.MSVCR120(?,00000000,0000000A,?,6C4C99C5,?,?,?,6C4C9BDB,?,00000000), ref: 6C43C8ED

__crtGetLocaleInfoEx.MSVCR120(?,20001004,?,00000002,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?), ref: 6C453813
__crtGetLocaleInfoEx.MSVCR120(?,2000000B,?,00000002,0000009C,?,6C44809C,?,0000009C,?,00000000,00000055,00000000,?,6C4481D9,?), ref: 6C480519

Strings

OCP, xrefs: 6C448017
ACP, xrefs: 6C448002

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocale__crtwcscmp$_wtolwcstol
String ID: ACP$OCP
API String ID: 1531225338-711371036
Opcode ID: ccca949cb98b5992e7c01065865e5f200b0508623c1f58d0804bd902f0606c37
Instruction ID: e840dbeb05406d92315cc455d281e9bb22f716660440c6a0c7d82db207ca4513
Opcode Fuzzy Hash: ccca949cb98b5992e7c01065865e5f200b0508623c1f58d0804bd902f0606c37
Instruction Fuzzy Hash: 8801D6726075656AFB00DA59DC81FC633A8DF013AAF608416FE28D6A80FF70E24082F4

Function 6C4C996B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

wcscmp.MSVCR120(?,ACP,?,?,6C4C9BDB,?,00000000), ref: 6C4C9982
wcscmp.MSVCR120(?,OCP,?,?,6C4C9BDB,?,00000000), ref: 6C4C9993
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6C4C9BDB,?,00000000), ref: 6C4C99AF
_wtol.MSVCR120(?,?,?,6C4C9BDB,?,00000000), ref: 6C4C99C0
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6C4C9BDB,?,00000000), ref: 6C4C99D9

Strings

OCP, xrefs: 6C4C998D
ACP, xrefs: 6C4C997C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocalewcscmp$_wtol
String ID: ACP$OCP
API String ID: 3515354035-711371036
Opcode ID: 2c48298b959cfc8ce6cd643d0e91beedf1f676d0d40df3b6068867ca65852e12
Instruction ID: 8a025135a0ee35b92cc51db393898fbecfde2b953747af32262e0dab80097205
Opcode Fuzzy Hash: 2c48298b959cfc8ce6cd643d0e91beedf1f676d0d40df3b6068867ca65852e12
Instruction Fuzzy Hash: FC019235305526BBEF10DE5ACC40FCA37A89F1566EF108019F908DABA0E771D541C7D6

Function 6C491D6D Relevance: 9.2, APIs: 6, Instructions: 229memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C490FCE: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCMT ref: 6C490FF8

Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 6C491EF0
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 6C491F65
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCMT ref: 6C491F94
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 6C491FBE
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCMT ref: 6C491FC7
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 6C491FDC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::$Manager::Resource$Cores$AllocationCoreDistributePrepareReceiversTransfer$AdjustBorrowedDataExclusiveGlobalHandleIdleIncreaseProxy::ResetScheduler
String ID:
API String ID: 912522943-0
Opcode ID: 0794facf088872c7d98497a5bf15cc8704173fadcf00802c4ad8f689fd845be9
Instruction ID: 93cce10a3e8d597e63a155f57155cf23d19c650e00d42e86ebd81cf2f21a93ec
Opcode Fuzzy Hash: 0794facf088872c7d98497a5bf15cc8704173fadcf00802c4ad8f689fd845be9
Instruction Fuzzy Hash: C9914C71E0022ADFCB09CF69C594E6DBBBAFF48305B1586ADD4469BB45C730E981CB80

Function 6C43CADD Relevance: 9.1, APIs: 6, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C474166
_invalid_parameter_noinfo.MSVCR120(00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C474170
_errno.MSVCR120(74DF06A0,?,00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C47417C
_errno.MSVCR120(74DF06A0,?,00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C474186
_errno.MSVCR120(0000000A,74DF06A0,?,00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C4741AA
_invalid_parameter_noinfo.MSVCR120(74DF06A0,?,00000000,?,6C43CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C4741B1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: dea5b091f72f7a48e888e6ccef4a73393b70c24eab73c1da3d0af656f801356b
Instruction ID: 489c752e1e3e84f9af1cfc22ed2fcf3e898a36570b3090b6bb9e0ca5e84290eb
Opcode Fuzzy Hash: dea5b091f72f7a48e888e6ccef4a73393b70c24eab73c1da3d0af656f801356b
Instruction Fuzzy Hash: C93104357403269BD711EF39D840EAA37A5EF9D3A0F24612AE408CBB50E730C4128BE2

Function 6C441A74 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

__crtGetLocaleInfoEx.MSVCR120(?,00000080,00000000,00000000,?,00000000,?,?,?,?,6C441B76,00000080,?,00000080,?,?), ref: 6C441A9B
__crtGetLocaleInfoEx.MSVCR120(?,00000080,00000000,00000000,00000080,?,?,?,00000080,?,?,00000000), ref: 6C441AFF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,?,?,00000080,?,?,?), ref: 6C441B23
_freea_s.MSVCR120(00000000,?,?,?,?,00000080,?,?,?,00000080,?,?,00000000), ref: 6C441B2C
malloc.MSVCR120(?,00000080,?,?,?,00000080,?,?,00000000), ref: 6C48010F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocale__crt$ByteCharMultiWide_freea_smalloc
String ID:
API String ID: 3955243501-0
Opcode ID: f311b35a54d2272add1719b8388d7a6ab50dd7cc46b0b749c800e74bec029dcb
Instruction ID: a40078872dc213f372830f00f306a220b27887fcbd1bcbf3e94b5d397652fd0f
Opcode Fuzzy Hash: f311b35a54d2272add1719b8388d7a6ab50dd7cc46b0b749c800e74bec029dcb
Instruction Fuzzy Hash: 33214632901155ABEB11CF95CC41D9BBFA8EF8A321B708129FD1893720EB31C820C7E0

Function 6C49C385 Relevance: 7.5, APIs: 5, Instructions: 49fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.MSVCR120(00000244,?,6C49C48E,6C503B90,00000000), ref: 6C49C39C

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

FindClose.KERNEL32(00000000,00000000,?,6C49C48E,6C503B90,00000000), ref: 6C49C3BD
FindFirstFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,6C49C48E,6C503B90,00000000), ref: 6C49C3D6
FindNextFileA.KERNEL32(?,6C49C48E,6C503B90,00000000), ref: 6C49C3FD
FindClose.KERNEL32(?,6C49C48E,6C503B90,00000000), ref: 6C49C40D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
String ID:
API String ID: 1203757345-0
Opcode ID: edf10ff48f46c8dffb9eb8209e98dd28703458d59583a19d4500f2f00efeebf9
Instruction ID: d92eaaa8b4e98642515a025d4eac62359a973c0dda02d581b01d9779ed99a8c9
Opcode Fuzzy Hash: edf10ff48f46c8dffb9eb8209e98dd28703458d59583a19d4500f2f00efeebf9
Instruction Fuzzy Hash: 370129313A6A249FDF249B66CD58E5A3FB8FF1739EB46011CF409C6A50DB308410CA98

Function 6C448683 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

wcslen.MSVCR120(6C480578,0000009C,?,6C480578,0000009C,?,?,?,?,00000000,00000000,00000000), ref: 6C44868C
wcslen.MSVCR120(8DDDE8FF,6C480578,0000009C,?,6C480578,0000009C,?,?,?,?,00000000,00000000,00000000), ref: 6C44869F
__crtEnumSystemLocalesEx.MSVCR120(6C448579,00000003,00000000,0000009C,?,6C480578,0000009C,?,?,?,?,00000000,00000000,00000000), ref: 6C4486CF

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcslen$EnumLocalesSystem__crt
String ID:
API String ID: 1973884627-0
Opcode ID: 108f84853463542c9f8244ffc22091862d75dd4e00f9ed3d42dd701caaacbd5f
Instruction ID: 94f50f0dcdf629c7056444cec604910acfbfc5fdf3f4fe7c8895b33c153773df
Opcode Fuzzy Hash: 108f84853463542c9f8244ffc22091862d75dd4e00f9ed3d42dd701caaacbd5f
Instruction Fuzzy Hash: 6301A2314517159AF721DE39D409F61B7E4EB0071DF30CA2EE5AAD1E91D7B4E4488AC4

Function 6C4643CE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18aeb88d5147581b7b57c1536758ea30acdd08a6b736d5c7e97a85248ed9e452
Instruction ID: d93ef60645cf949d086200fde160bf193637b5aadff33a26450c3dc7ff45d399
Opcode Fuzzy Hash: 18aeb88d5147581b7b57c1536758ea30acdd08a6b736d5c7e97a85248ed9e452
Instruction Fuzzy Hash: 16B1E260E2AF514DDB23E53A8831336BA6C6FBB2C5B51D72BFC67B0D16EB2185834140

Function 6C448660 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(6C4C604E,00000001,?,6C4C9399,6C4C93A9,00000003,00000000,0000009C,?,6C4487A1,0000009C,?,00000000,00000055,00000000), ref: 6C47FC16

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 111cdcbfb8ce823d3edbae8f90f49c0c07ab85c9ad1e349cc51db812127c8557
Instruction ID: abeb99ff0b6e531e2f6b4007b7950f2e96b9bad2e7fe880b1963467460bc1ac5
Opcode Fuzzy Hash: 111cdcbfb8ce823d3edbae8f90f49c0c07ab85c9ad1e349cc51db812127c8557
Instruction Fuzzy Hash: 3EE08C32321208AFEF21DF94EC45FA93BF4FB45719F404404FE188A550C372A460CB48

Function 6C440F41 Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,6C47F7A8,?,6C47F7A8,00000000,20001004,?,00000002,?,00000000,00000000,00000000), ref: 6C47FC2C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2328ea57fe667bad795c8302c973aeeb073a7092b7dc4c95aab6d4d99c35995c
Instruction ID: 8415cd369320b992d1a72c184303aebcc4448d30ca3e4c5cade831bd2ea25fde
Opcode Fuzzy Hash: 2328ea57fe667bad795c8302c973aeeb073a7092b7dc4c95aab6d4d99c35995c
Instruction Fuzzy Hash: F1D0177260110EAF9F01EFD0E804CAA3BF9FF49214B004804FA2889610C732A570DBA5

Function 6C43A8CA Relevance: 1.4, Strings: 1, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Strings

9ZEl, xrefs: 6C43A8FF, 6C43A933, 6C43A94F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: 9ZEl
API String ID: 0-71718242
Opcode ID: 03e6e2f8172059ccd8b4c9a72a01bf6faae1159ec8f1b3a86536142ea1dd2bd5
Instruction ID: dc712f940d821c693f4875806482d6c112fcd01fa88faf79ab82ea9354a2307c
Opcode Fuzzy Hash: 03e6e2f8172059ccd8b4c9a72a01bf6faae1159ec8f1b3a86536142ea1dd2bd5
Instruction Fuzzy Hash: 37510A71E016258BDF18CF5EC89095ABBF2AFC8304B19C1AAED19EF715E670D941CB90

Function 6C43ADE5 Relevance: .6, Instructions: 567COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d665a9209b326aae9daeb8a6b5362bbe22127e3452c798be36d822b3bf9961b
Instruction ID: 76210abacba04510bb34c57677c9088faa39deefb7f47304183b07264a765a4d
Opcode Fuzzy Hash: 9d665a9209b326aae9daeb8a6b5362bbe22127e3452c798be36d822b3bf9961b
Instruction Fuzzy Hash: 56128F71A526198FDB04CFADD890EACB7B2FBCC310F65462EE825E7784D770A9418B40

Function 6C44BA78 Relevance: .6, Instructions: 563COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbc7b91ff46acf0806a6cdf0fba9866b7c48bae3f11121577f39ddd4ea63d61
Instruction ID: 2c5e62683b914850c7f53ac110cdd9bb7c3a0ec2fec0f542efacf40d877aabcc
Opcode Fuzzy Hash: bdbc7b91ff46acf0806a6cdf0fba9866b7c48bae3f11121577f39ddd4ea63d61
Instruction Fuzzy Hash: 8D127271A125199FDB04CFACD890DEDBBB2FBC8314F25866DE425E7794D770A9018B40

Function 6C430EAC Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b24fc7d8cbca283e30c44a48d9dc80ea3ae4b895a9e7e6d871628bf429150e
Instruction ID: 63c69b9b8bcce0664fa265ae1969a72c40b649ca73f757c361926da8bfcfd7ef
Opcode Fuzzy Hash: b4b24fc7d8cbca283e30c44a48d9dc80ea3ae4b895a9e7e6d871628bf429150e
Instruction Fuzzy Hash: C102B83120D1B249D70DCA3F8970D3E7BB06AD67BA319675ED8BACBAC1EE20D125C550

Function 6C430F38 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf0af3a25b0f8add8d1426f8d8e68bfbda64b6322e262968d6f7dabb175f663
Instruction ID: 5f627589406117af13eae7ea97641d5b131dacb618659d9645922f52cf25a9cc
Opcode Fuzzy Hash: 8bf0af3a25b0f8add8d1426f8d8e68bfbda64b6322e262968d6f7dabb175f663
Instruction Fuzzy Hash: DA51B93220A0B349DB1DC63F8874D3EBAB16AD6776319275ED4BACBEC5EE10C125D510

Function 6C437F5A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a25a1deb36db66b7e0c6803a9304a0173073941ffdf6a583c9a51d2958c695
Instruction ID: 018b2fef8a42351aa4d5a5d24086e1fe82a408e003d01f14fbc204a2bb1eb259
Opcode Fuzzy Hash: 57a25a1deb36db66b7e0c6803a9304a0173073941ffdf6a583c9a51d2958c695
Instruction Fuzzy Hash: 8111297724A06283D200C92BDEB0FA6E795FACA32E739A36AD0958BF88D122D115D500

Function 6C4A5C14 Relevance: 103.7, APIs: 54, Strings: 5, Instructions: 443stringprocessCOMMON

Download Yara Rule

APIs

_errno.MSVCR120(6C4A6120,0000009C), ref: 6C4A5C46
_invalid_parameter_noinfo.MSVCR120(6C4A6120,0000009C), ref: 6C4A5C51
__pipe.LIBCMT(?,00000400,00000000,6C4A6120,0000009C), ref: 6C4A5CBB
_close.MSVCR120(?,?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5CFA
_close.MSVCR120(?,?,?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5D02
_lock.MSVCR120(00000009,?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5D10
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5D1F
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000002,?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5D4B
_close.MSVCR120(?,?,?,?,?,?,?,?,6C4A6120,0000009C), ref: 6C4A5D5D
_fdopen.MSVCR120(?,00000077,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A5D72
_idtab.LIBCMT ref: 6C4A5D89
__wdupenv_s.LIBCMT(?,00000000,COMSPEC), ref: 6C4A5DA6

Part of subcall function 6C4C5072: _lock.MSVCR120(00000007,6C4C5150,00000010,6C49F6AB,00000000,00000000,00000000,?,00000000,?,?,?,6C49FF5D,00000000,00000000,00000000), ref: 6C4C5085
Part of subcall function 6C4C5072: _errno.MSVCR120(6C4C5150,00000010,6C49F6AB,00000000,00000000,00000000,?,00000000,?,?,?,6C49FF5D,00000000,00000000,00000000,00000000), ref: 6C4C509C
Part of subcall function 6C4C5072: _invalid_parameter_noinfo.MSVCR120(6C4C5150,00000010,6C49F6AB,00000000,00000000,00000000,?,00000000,?,?,?,6C49FF5D,00000000,00000000,00000000,00000000), ref: 6C4C50A6

_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4A5DBC

Part of subcall function 6C4C469B: IsProcessorFeaturePresent.KERNEL32(00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000,00000000,00000000,00000000,6C49B412), ref: 6C4C469D
Part of subcall function 6C4C469B: __crtTerminateProcess.MSVCR120(C0000417,00000002,C0000417,00000001,?,00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000), ref: 6C4C46BC

memset.MSVCR120(?,00000000,00000044), ref: 6C4A5DE4
strlen.MSVCR120(?), ref: 6C4A5E33
strlen.MSVCR120(?,?), ref: 6C4A5E3D
strlen.MSVCR120( /c ,?,?), ref: 6C4A5E49
_calloc_crt.MSVCR120(00000000,00000001, /c ,?,?), ref: 6C4A5E56
strcpy_s.MSVCR120(00000000,?,?), ref: 6C4A5E72
strcat_s.MSVCR120(00000000,?, /c ), ref: 6C4A5E8B
strcat_s.MSVCR120(00000000,?,?), ref: 6C4A5EA2
memset.MSVCR120(?,00000000,00000010), ref: 6C4A5EB9
_errno.MSVCR120(?,00000000,00000010), ref: 6C4A5EBE
__access_s.LIBCMT(?,00000000,?,00000000,00000010), ref: 6C4A5ECD
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 6C4A5EF0
_calloc_crt.MSVCR120(00000104,00000001), ref: 6C4A5F07
free.MSVCR120(00000000,00000000), ref: 6C4A5F1B
free.MSVCR120(?,00000000,00000000), ref: 6C4A5F23
_errno.MSVCR120 ref: 6C4A5F2B
free.MSVCR120(00000000), ref: 6C4A5F15

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

__wdupenv_s.LIBCMT(00000000,00000000,PATH), ref: 6C4A5F45
free.MSVCR120(00000000), ref: 6C4A6078
free.MSVCR120(?,00000000), ref: 6C4A6080
CloseHandle.KERNEL32(?), ref: 6C4A6090
CloseHandle.KERNEL32(?), ref: 6C4A6099
_errno.MSVCR120 ref: 6C4A609B
fclose.MSVCR120(00000000), ref: 6C4A60BD
_close.MSVCR120(?), ref: 6C4A60E0
_close.MSVCR120(?), ref: 6C4A60F1

Strings

cmd.exe, xrefs: 6C4A5DCF
/c , xrefs: 6C4A5E44, 6C4A5E82
COMSPEC, xrefs: 6C4A5D9A
w, xrefs: 6C4A5CCE
PATH, xrefs: 6C4A5F3A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _close_errnofree$HandleProcessstrlen$Close__wdupenv_s_calloc_crt_invalid_parameter_noinfo_lockmemsetstrcat_s$CreateCurrentDuplicateFeatureFreeHeapPresentProcessorTerminate__access_s__crt__pipe_fdopen_idtab_invoke_watsonfclosestrcpy_s
String ID: /c $COMSPEC$PATH$cmd.exe$w
API String ID: 1434950611-3679458415
Opcode ID: 64db5c4bd326b483582b69ff46a228398f9022276d0cd8c970f90d3b35a80c23
Instruction ID: 2ee9fcd4b3aa8a4cab26ca1642a016b1cd639c8bc1c595c2b163060f275f83f2
Opcode Fuzzy Hash: 64db5c4bd326b483582b69ff46a228398f9022276d0cd8c970f90d3b35a80c23
Instruction Fuzzy Hash: EBE10171D04214ABDB10DFEADD41FDE7BB4AF59358F244029E904E6B48EB318946CBE1

Function 6C446B1C Relevance: 57.9, APIs: 27, Strings: 6, Instructions: 192libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,.iDl,00000006,?,?,?,?,?,6C446C5D), ref: 6C446B29
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 6C446B3D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 6C446B48
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx,?,?,?,?,?,6C446C5D), ref: 6C446B77
GetProcAddress.KERNEL32(00000000), ref: 6C446B7E
GetLastError.KERNEL32(?,?,?,?,?,6C446C5D), ref: 6C446B9C
GetLastError.KERNEL32(?,?,?,?,?,6C446C5D), ref: 6C471FEB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C472007
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472015
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47201B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C472031
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47203F
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472045
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C47205B
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472069
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47206F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C446C5D), ref: 6C4720B5
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C3
GetLastError.KERNEL32(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C4720DF
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720ED
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720F3

Strings

GetThreadGroupAffinity, xrefs: 6C446B3F
SetThreadGroupAffinity, xrefs: 6C446B37
kernel32.dll, xrefs: 6C446B24, 6C446B66
GetCurrentProcessorNumberEx, xrefs: 6C446B5D
]lDl, xrefs: 6C446B4A, 6C4720FD, 6C472130
.iDl, xrefs: 6C446B23

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow$AddressProc$HandleModuleVersion@$Concurrency@@Manager@1@Resource
String ID: .iDl$GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$]lDl$kernel32.dll
API String ID: 2361529535-2559552485
Opcode ID: 6e1eb9eade96ca709fa814880a3e3d0baf61f5f1d57000de0a63f1bebba5b612
Instruction ID: fc507188e8d42497a042e576af156386713d6f3b1489f59cede9d3f7dddb5138
Opcode Fuzzy Hash: 6e1eb9eade96ca709fa814880a3e3d0baf61f5f1d57000de0a63f1bebba5b612
Instruction Fuzzy Hash: 7951D2717012569BE720EF62CC48EEFBBB8FB85345F10491EF905E6A50DB31C90986B9

Function 6C439453 Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

__TypeMatch.MSVCR120(19930511,?,00000000,?,?,19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?), ref: 6C43956C
_getptd.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?), ref: 6C4395F4
_getptd.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?,?,00000000,00000000,00000000), ref: 6C43A02D
_getptd.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?,?,00000000,00000000,00000000), ref: 6C43A03E
_getptd.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?,?,00000000,00000000,00000000), ref: 6C43A049
?_ValidateWrite@@YAHPAXI@Z.MSVCR120(?,00000001,19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?), ref: 6C43A05E
_getptd.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?), ref: 6C43A091
?_inconsistency@@YAXXZ.MSVCR120(19930522,00000000,E06D7363,?,?,?,6C4396BA,?,?,?,?,?,00000000,00000000,00000000), ref: 6C43A0B2

Strings

csm, xrefs: 6C439493
csm, xrefs: 6C43A06D
csm, xrefs: 6C4394C1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd$?_inconsistency@@MatchTypeValidateWrite@@
String ID: csm$csm$csm
API String ID: 3232922278-393685449
Opcode ID: 8767d4740b6b875400a75e5c4d6d454ec5d4fa14e5090bd645aa2c1b39785cfd
Instruction ID: 664b13106de2436369c0cefba075b8378231327d9ea774931d4c667552ac7511
Opcode Fuzzy Hash: 8767d4740b6b875400a75e5c4d6d454ec5d4fa14e5090bd645aa2c1b39785cfd
Instruction Fuzzy Hash: 44C1C07180521ADFCF20CFA6C880EDEBBB4BF98319F04515EE45967B10CB36A595CBA1

Function 6C452135 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C45216B
_errno.MSVCR120 ref: 6C452175
_wspawnve.MSVCR120(?,?,?,?), ref: 6C452186

Part of subcall function 6C452085: wcsrchr.MSVCR120(?,0000005C), ref: 6C4520BB
Part of subcall function 6C452085: wcsrchr.MSVCR120(?,0000002F,?,0000005C), ref: 6C4520C5
Part of subcall function 6C452085: wcsrchr.MSVCR120(00000000,0000002E), ref: 6C4520E4
Part of subcall function 6C452085: _waccess_s.MSVCR120(?,00000000), ref: 6C4520F6

_errno.MSVCR120 ref: 6C45219C
_errno.MSVCR120 ref: 6C4521A7
_errno.MSVCR120 ref: 6C4521CC
_errno.MSVCR120 ref: 6C474D25
_invalid_parameter_noinfo.MSVCR120 ref: 6C474D30
_invalid_parameter_noinfo.MSVCR120 ref: 6C474D43
_errno.MSVCR120 ref: 6C474D50
wcschr.MSVCR120(?,0000002F), ref: 6C474D63
_wdupenv_s.MSVCR120(?,00000000,PATH), ref: 6C474D7C
_calloc_crt.MSVCR120(00000104,00000002), ref: 6C474DA6
wcslen.MSVCR120(00000000), ref: 6C474DD1
wcscat_s.MSVCR120(00000000,00000104,6C48218C), ref: 6C474DF9
wcslen.MSVCR120(00000000), ref: 6C474E0A
wcslen.MSVCR120(?,00000000), ref: 6C474E12
wcscat_s.MSVCR120(00000000,00000104,?), ref: 6C474E2B
_errno.MSVCR120 ref: 6C474E3B
_wspawnve.MSVCR120(?,00000000,?,?), ref: 6C474E4E
_errno.MSVCR120 ref: 6C474E64
__doserrno.MSVCR120 ref: 6C474E6E

Strings

PATH, xrefs: 6C474D72

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$wcslenwcsrchr$_invalid_parameter_noinfo_wspawnvewcscat_s$__doserrno_calloc_crt_waccess_s_wdupenv_swcschr
String ID: PATH
API String ID: 2749365969-1036084923
Opcode ID: 912c3fdfd093c252eb0f04436fffe33e9a27cb5ff6f5e61c6fa03b01aa69af6c
Instruction ID: 6a08c62f535b897e0992e3d1239ac47e431bfe1c38cd0296fc0fe14025212ed0
Opcode Fuzzy Hash: 912c3fdfd093c252eb0f04436fffe33e9a27cb5ff6f5e61c6fa03b01aa69af6c
Instruction Fuzzy Hash: E8513635900221AAEB30EA758C05EFF3674DF46369F60522AE96497F90EF3089548AF1

Function 6C44A6D5 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 315COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 6C44A74B
DName::DName.LIBCMT ref: 6C44A939
DName::operator+.LIBCMT ref: 6C44A940
DName::DName.LIBCMT ref: 6C47CCCD
DName::operator+.LIBCMT ref: 6C47CCD4

Strings

D6Dl, xrefs: 6C47CD97, 6C47CDAA
`anonymous namespace', xrefs: 6C47CE79

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: D6Dl$`anonymous namespace'
API String ID: 168861036-2850992414
Opcode ID: 717306c4f708e532135ff782305d7229ea8b9111b5792e1584ef0929fd2ee166
Instruction ID: 6961718c115e20dde683e1efe2c45b2629867fb104c380d10398e6a4e7f57a0f
Opcode Fuzzy Hash: 717306c4f708e532135ff782305d7229ea8b9111b5792e1584ef0929fd2ee166
Instruction Fuzzy Hash: 29C14B71E012499FEB20DFA4C884FE9BBF8EF05305F24846EE555A7B81D730A949CB90

Function 6C452085 Relevance: 36.2, APIs: 24, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsrchr.MSVCR120(?,0000005C), ref: 6C4520BB
wcsrchr.MSVCR120(?,0000002F,?,0000005C), ref: 6C4520C5
wcsrchr.MSVCR120(00000000,0000002E), ref: 6C4520E4
_waccess_s.MSVCR120(?,00000000), ref: 6C4520F6
_errno.MSVCR120 ref: 6C452126
_invalid_parameter_noinfo.MSVCR120 ref: 6C474BAA
wcschr.MSVCR120(?,0000003A), ref: 6C474BBA
wcslen.MSVCR120(?), ref: 6C474BCC
_calloc_crt.MSVCR120(00000003,00000002,?), ref: 6C474BD7
wcscpy_s.MSVCR120(00000000,00000003,6C482178), ref: 6C474BEC
wcscat_s.MSVCR120(00000000,00000003,?), ref: 6C474BFF

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsrchr$_calloc_crt_errno_invalid_parameter_noinfo_waccess_swcscat_swcschrwcscpy_swcslen
String ID:
API String ID: 501526102-0
Opcode ID: fda5d30ae6588cb4dd165f4c69d0f6ae0b57b29926cc2b6c716f9007a1bd7f75
Instruction ID: 9334d7a1e41991b466653688be7087a0d09b192f039adcd66c841445a0956eca
Opcode Fuzzy Hash: fda5d30ae6588cb4dd165f4c69d0f6ae0b57b29926cc2b6c716f9007a1bd7f75
Instruction Fuzzy Hash: 61512771A013056FE720DE768D85EEF3678AF49368F10162AF92497B80EF74C9148AA1

Function 6C450FC8 Relevance: 34.7, APIs: 23, Instructions: 222stringCOMMON

Download Yara Rule

APIs

_wcsnlen.LIBCMT(?,00007FFF,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C450FF0
_wcsnlen.LIBCMT(?,00007FFF,?,00007FFF,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C450FFA
_calloc_crt.MSVCR120(-00000002,00000002), ref: 6C451021
wcscpy_s.MSVCR120(00000000,?,?), ref: 6C451038
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C45108E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C4510AD
_calloc_crt.MSVCR120(00000000,00000001), ref: 6C4510BD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C4510DC
strlen.MSVCR120(?), ref: 6C4510ED
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 6C45110B
_errno.MSVCR120 ref: 6C451133
wcscpy_s.MSVCR120(00000000,?,?,00000000,?,?), ref: 6C451056

Part of subcall function 6C431693: _errno.MSVCR120(?,?,6C49BEB4,6C503568,00000314,Runtime Error!Program: ,?,?,?), ref: 6C4316D5
Part of subcall function 6C431693: _invalid_parameter_noinfo.MSVCR120(?,?,6C49BEB4,6C503568,00000314,Runtime Error!Program: ,?,?,?), ref: 6C47634D

Part of subcall function 6C45120C: wcschr.MSVCR120(?,0000003D,00000000,?,014281C0), ref: 6C451232
Part of subcall function 6C45120C: free.MSVCR120(?,00000000,?,014281C0), ref: 6C451296

_errno.MSVCR120(00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD29
_invalid_parameter_noinfo.MSVCR120(00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD34
wcschr.MSVCR120(?,0000003D,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD46
_wcsnlen.LIBCMT(-00000002,00007FFF,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD6A
wcslen.MSVCR120(?,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD76
_calloc_crt.MSVCR120(00000001,00000002,?,?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FD81
wcscpy_s.MSVCR120(00000000,00000001,?), ref: 6C47FD97
_errno.MSVCR120(?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FDA4
_invalid_parameter_noinfo.MSVCR120(?,?,00000000,00000007,?,6C451179,?,?,6C4511A0,0000000C), ref: 6C47FDAF
free.MSVCR120(?), ref: 6C47FDCB
free.MSVCR120(00000000), ref: 6C47FDEE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide_errno$_calloc_crt_invalid_parameter_noinfo_wcsnlenfreewcscpy_s$wcschr$strlenwcslen
String ID:
API String ID: 3308320376-0
Opcode ID: c1a5db6bcf81b61d0eecb4d7507ab43f0a821e4736663bd2daa933f271cc37c7
Instruction ID: b74d96253c7ddb4df5cc5031840fcc79f8e1a3a4d6a7fa6c1f1f310ae41c2325
Opcode Fuzzy Hash: c1a5db6bcf81b61d0eecb4d7507ab43f0a821e4736663bd2daa933f271cc37c7
Instruction Fuzzy Hash: 3951D171A05215BAFB10CE75CC45FBB36ACDF867A8F60422DF814D6A90EB34C94486B5

Function 6C444A40 Relevance: 33.2, APIs: 22, Instructions: 201registrytimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C444A47
Concurrency::SchedulerPolicy::SchedulerPolicy.LIBCMT(?,00000038,6C446A9C,6C4348CA,0000000C,6C443D89,0000000C,6C443E4B,?,00000000,?,6C443A7E,?,6C4348CA), ref: 6C444A62

Part of subcall function 6C446F6A: ??2@YAPAXI@Z.MSVCR120(00000028,00000180,?,6C444A67,?,00000038,6C446A9C,6C4348CA,0000000C,6C443D89,0000000C,6C443E4B,?,00000000,?,6C443A7E), ref: 6C446F72
Part of subcall function 6C446F6A: memcpy.MSVCR120(00000000,?,00000028,00000028,00000180,?,6C444A67,?,00000038,6C446A9C,6C4348CA,0000000C,6C443D89,0000000C,6C443E4B,?), ref: 6C446F81

Part of subcall function 6C44433D: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C444382
Part of subcall function 6C44433D: memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C444392
Part of subcall function 6C44433D: ??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C444399
Part of subcall function 6C44433D: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C444A97), ref: 6C4443C3
Part of subcall function 6C44433D: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444A97), ref: 6C4443D8
Part of subcall function 6C44433D: InitializeSListHead.KERNEL32(00000180,?,?,00000180,00000000,6C444A97), ref: 6C4443DE

Part of subcall function 6C4443FE: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C444443
Part of subcall function 6C4443FE: memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C444453
Part of subcall function 6C4443FE: ??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C44445A
Part of subcall function 6C4443FE: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C444AC1), ref: 6C444484
Part of subcall function 6C4443FE: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444AC1), ref: 6C444499
Part of subcall function 6C4443FE: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444AC1), ref: 6C44449F

??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C444AC7

Part of subcall function 6C445C29: __crtInitializeCriticalSectionEx.MSVCR120(?,00000000,00000180,6C444ACC,?,?,?,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C445C35

Part of subcall function 6C444A04: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,?,00000180,6C444B22), ref: 6C444A21
Part of subcall function 6C444A04: memset.MSVCR120(00000000,00000000,?,00000000,?,?,?,00000180,6C444B22), ref: 6C444A32

InitializeSListHead.KERNEL32(?), ref: 6C444BC6
InitializeSListHead.KERNEL32(?), ref: 6C444BCF
InitializeSListHead.KERNEL32(?), ref: 6C444BD8
InitializeSListHead.KERNEL32(?), ref: 6C444BE1
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000000), ref: 6C444BED
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000004,00000000), ref: 6C444BFA
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000007,00000004,00000000), ref: 6C444C08

Part of subcall function 6C4458DA: __EH_prolog3.LIBCMT ref: 6C4458E1

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000007,00000004,00000000), ref: 6C444C1C
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000001,00000007,00000004,00000000), ref: 6C472ED9

Part of subcall function 6C446F10: TlsAlloc.KERNEL32 ref: 6C446F16

Part of subcall function 6C443C0B: __crtCreateEventExW.MSVCR120(00000000,00000000,00000000,001F0002), ref: 6C443C1B

RegisterWaitForSingleObject.KERNEL32(?,00000000,6C4939D0,?,000000FF,00000000), ref: 6C444C60
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120 ref: 6C444C6E

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

Part of subcall function 6C446FED: ___crtSetThreadpoolTimer.LIBCMT ref: 6C447032

GetLastError.KERNEL32 ref: 6C472EE3
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C472EF9
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000), ref: 6C472F07
GetLastError.KERNEL32(?,6C4FCF40,00000000), ref: 6C472F0C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C472F22
CreateTimerQueueTimer.KERNEL32(?,00000000,6C493192,?,7FFFFFFF,7FFFFFFF,00000000), ref: 6C472F46
GetLastError.KERNEL32 ref: 6C472F54
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C472F6A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Policy$Initialize$HeadList$Concurrency@@Scheduler$ElementKey@2@@Policy@Value@$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastTimermemset$CreateVersion@__crt$??0_AllocBlockingConcurrency::CriticalEventExceptionLock@details@Manager@1@ObjectPolicy::QueueReentrantRegisterResourceSectionSingleThreadpoolThrowWait___crtmemcpy
String ID:
API String ID: 1785735614-0
Opcode ID: 688220b6c82ddc34f781c96202ce6a431464761e6ccaa57476f74ff5421b9f1f
Instruction ID: c176375c5790eff440573defe01619bc2a9cc2ef8de150a0f6b0b7f9ef6efbdd
Opcode Fuzzy Hash: 688220b6c82ddc34f781c96202ce6a431464761e6ccaa57476f74ff5421b9f1f
Instruction Fuzzy Hash: F09109B0A01646AAD718DF75C984FD9FBA4FF49344F60422EE42897B80DB30A524CBE0

Function 6C48BA5F Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 269timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C48BA69
_CxxThrowException.MSVCR120(6C48754C,6C4FCEE8,?,0000009C,6C48B7F8,?,00000001,00000001), ref: 6C48BA98

Part of subcall function 6C4392EB: RaiseException.KERNEL32(?,?,?,6C44C7FC,?,?,?,?,?,6C47DA6A,?,6C44C7FC,?,00000001), ref: 6C439333

std::exception::exception.LIBCMT(?,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BAD2
?wait@event@Concurrency@@QAEII@Z.MSVCR120(?,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BAE9
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?,?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BB55
std::exception::exception.LIBCMT(?,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BA83

Part of subcall function 6C4BDD30: std::exception::_Copy_str.LIBCMT(?,?,?,6C4BDD23,?,?,?,6C47B529,Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C4BDD49

std::exception::exception.LIBCMT(6C48923C,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000), ref: 6C48BBC7
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BBFA
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120 ref: 6C48BC57
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BCBA

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

std::exception::exception.LIBCMT(?,00000001,5425FDEF,00000000,6C48923C), ref: 6C48BCFE

Part of subcall function 6C446FED: ___crtSetThreadpoolTimer.LIBCMT ref: 6C447032

?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR120(?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BD1D
CreateTimerQueueTimer.KERNEL32(00000001,00000000,6C48C02B,?,?,00000000,00000020,?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001), ref: 6C48BD31
std::exception::exception.LIBCMT(?,00000001), ref: 6C48BD4B
?Block@Context@Concurrency@@SAXXZ.MSVCR120(?,?,?,00000000,0000009C,6C48B7F8,?,00000001,00000001,?,5425FDEF,00000000,6C48923C), ref: 6C48BD67
Concurrency::details::MultiWaitBlock::NotifyCompletedNode.LIBCMT ref: 6C48BD8E

Strings

pEvents, xrefs: 6C48BA78, 6C48BAC7, 6C48BBBC
LuHl, xrefs: 6C48BA8F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$std::exception::exception$Timer$?unlock@critical_section@ExceptionH_prolog3Version@$??0scoped_lock@critical_section@?wait@event@Block::Block@CompletedConcurrency::details::Context@Copy_strCreateManager@1@MultiNodeNotifyQueueQueue@details@RaiseResourceSharedThreadpoolThrowV12@@Wait___crtstd::exception::_
String ID: LuHl$pEvents
API String ID: 4129581172-2186197011
Opcode ID: 2411e984d0e805a782c382cecb7791def5c906e287496c17a8ce52ddf79d5046
Instruction ID: 54e4b0b8a4ba97bbe043da575857a35b89f95a155ce79a001c768a35ee56ef48
Opcode Fuzzy Hash: 2411e984d0e805a782c382cecb7791def5c906e287496c17a8ce52ddf79d5046
Instruction Fuzzy Hash: A9A19E719022099FCB15CFA4CC90EDEBBB5EF45309F24855DE815ABB51DB30D94ACBA0

Function 6C450C66 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.MSVCR120(.El,.El,00000010,00000000,6C45028F,00000000), ref: 6C47D17F
DName::DName.LIBCMT ref: 6C47D1DF
DName::DName.LIBCMT ref: 6C47D248

Strings

.El, xrefs: 6C47D16F, 6C47D17B, 6C47D172, 6C47D17E
., xrefs: 6C47D1F9
., xrefs: 6C47D1FF
`non-type-template-parameter, xrefs: 6C47D31F
`template-parameter, xrefs: 6C47D2F8
NULL, xrefs: 6C47D241

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::$atol
String ID: .$.$.El$NULL$`non-type-template-parameter$`template-parameter
API String ID: 2083219425-1440283947
Opcode ID: 184e1901d33a57b94993989dd9e2d2b0a321d795746616afdd62a111d25f81c6
Instruction ID: adb3228fa30c2ddd186d792aa5209256e375e73a3a3f3bfe82a4c258babfcdae
Opcode Fuzzy Hash: 184e1901d33a57b94993989dd9e2d2b0a321d795746616afdd62a111d25f81c6
Instruction Fuzzy Hash: 5F71C6719152489AEB35CBB4CC94FED7B78EF02308FA0446ED105E3A80DF749949CBA1

Function 6C450F2D Relevance: 30.2, APIs: 20, Instructions: 229stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_mbschr.MSVCR120(00000000,0000003D,00000000,00000000,00000000,00000000), ref: 6C450F4E

Part of subcall function 6C4512F9: _mbschr_l.MSVCR120(00000000,00000000,00000000,?,6C450F53,00000000,0000003D,00000000,00000000,00000000,00000000), ref: 6C451304

free.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C450FA9
_errno.MSVCR120(00000000,00000000,00000000,00000000), ref: 6C450FBE
_errno.MSVCR120(00000000,00000000), ref: 6C4805EA
_invalid_parameter_noinfo.MSVCR120(00000000,00000000), ref: 6C4805F5
___wtomb_environ.LIBCMT ref: 6C480626
_malloc_crt.MSVCR120(00000004,00000000,00000000,00000000,00000000), ref: 6C48064D
_malloc_crt.MSVCR120(00000004,00000000,00000000,00000000,00000000), ref: 6C48066A
free.MSVCR120(014281C0,00000000,00000000,00000000,00000000), ref: 6C480698
__recalloc_crt.LIBCMT(00000001,00000004,00000000,00000000,00000000,00000000), ref: 6C4806CE
strlen.MSVCR120(00000000,00000001,?,00000000,00000000), ref: 6C480735
_calloc_crt.MSVCR120(-00000002,00000001,?,00000000,00000000), ref: 6C48073F
strlen.MSVCR120(00000000,00000000,?,00000000,00000000), ref: 6C48074E
strcpy_s.MSVCR120(00000000,-00000002,00000000,?,00000000,00000000), ref: 6C480759
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 6C48077C
_errno.MSVCR120(?,?,?,?,00000000,00000000), ref: 6C48078A
free.MSVCR120(00000000,?,?,?,?,00000000,00000000), ref: 6C480796
free.MSVCR120(00000000,?,00000000,00000000), ref: 6C4807A3

Part of subcall function 6C450EE6: _mbsnbicoll.MSVCR120(00000000,00000000,00000000,014281C0,00000000,?,6C450F92,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C450F01

_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 6C4807BB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$_errno$_malloc_crtstrlen$EnvironmentVariable___wtomb_environ__recalloc_crt_calloc_crt_invalid_parameter_noinfo_invoke_watson_mbschr_mbschr_l_mbsnbicollstrcpy_s
String ID:
API String ID: 1943959764-0
Opcode ID: 0ee206fc9edaf6e48f058cb3de60306334e9f7027480185e5ff0194c0a37a49b
Instruction ID: 23d62ac11eb840c026c43cf97200bbee7dbefd0b0f939479c67c6bf719fd8d60
Opcode Fuzzy Hash: 0ee206fc9edaf6e48f058cb3de60306334e9f7027480185e5ff0194c0a37a49b
Instruction Fuzzy Hash: E0712276A17351AFEB00DB78D900F9D37B4AF8136AF240219D820A7B94DB35C852CAD5

Function 6C48F89F Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C48FC19
??0exception@std@@QAE@XZ.MSVCR120(000000A8), ref: 6C48FC4A
_CxxThrowException.MSVCR120(6C48754C,6C4FCEE8), ref: 6C48FC5F
??0exception@std@@QAE@XZ.MSVCR120(000000A8), ref: 6C48FC7F
std::exception::exception.LIBCMT(?,?,?,?,?,?,000000A8), ref: 6C48FCAB
std::exception::exception.LIBCMT(?,?,?,?,?,?,?,?,?,000000A8), ref: 6C48FCD9
??_U@YAPAXI@Z.MSVCR120(00000000,000000A8), ref: 6C48FD09
std::exception::exception.LIBCMT(?,?,?,?,?,?,?,?,?,?,?,?,?,000000A8), ref: 6C48FE8E
std::exception::exception.LIBCMT(?,?,?,?,?,?,?,?,000000A8), ref: 6C48FEBB
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 6C48FF4C
free.MSVCR120(?,?,?,?,?,000000A8), ref: 6C48FF5E
free.MSVCR120(00000000,?,?,?,?,?,000000A8), ref: 6C48FF64
??2@YAPAXI@Z.MSVCR120(00000008,?,?,?,?,000000A8), ref: 6C48FF6D
std::exception::exception.LIBCMT(00000000,?,?,?,?,000000A8), ref: 6C48FFA7
std::exception::exception.LIBCMT(?,?,?,?,?,?,?,000000A8), ref: 6C48FFD7

Part of subcall function 6C4BDD30: std::exception::_Copy_str.LIBCMT(?,?,?,6C4BDD23,?,?,?,6C47B529,Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C4BDD49

Strings

count, xrefs: 6C48FC9D, 6C48FE80
pGroupAffinity, xrefs: 6C48FCCE, 6C48FEB0, 6C48FF99, 6C48FFC9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: std::exception::exception$??0exception@std@@free$??2@CleanupConcurrency::details::Copy_strExceptionH_prolog3InformationManager::ResourceThrowTopologystd::exception::_
String ID: count$pGroupAffinity
API String ID: 2906875064-3379709940
Opcode ID: 478d47468f286adff3854528b54b06488a5a0006984d8c18c82387f2089b7b29
Instruction ID: 56fd2f998499841e2a661cabf76b548a5c8cbb0b7ac36550f896910d0a0afecc
Opcode Fuzzy Hash: 478d47468f286adff3854528b54b06488a5a0006984d8c18c82387f2089b7b29
Instruction Fuzzy Hash: 6FC17E71E022298BDB10CF94C881EEEF7B0FF48314F60456AD955ABB50EB30DA45CBA0

Function 6C447B2F Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 111libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformationEx,?,00000000,00000000,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004), ref: 6C447B47
GetProcAddress.KERNEL32(00000000), ref: 6C447B4E
GetLastError.KERNEL32(?,00000000,00000000,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C447B6E
malloc.MSVCR120(?,00000000,00000000,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C447B7F

Part of subcall function 6C42ED30: HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D

GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47206F
GetLastError.KERNEL32(?,00000000,00000000,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C47207B
std::exception::exception.LIBCMT(00000000,00000001,00000000,00000000,0000FFFF,6C4725E8,?,00000000), ref: 6C472093
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C446C5D), ref: 6C4720B5
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C3
GetLastError.KERNEL32(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C4720DF
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720ED
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720F3

Strings

GetLogicalProcessorInformationEx, xrefs: 6C447B38
kernel32.dll, xrefs: 6C447B3F
%Gl, xrefs: 6C472090
]lDl, xrefs: 6C4720FD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrowVersion@$AddressAllocConcurrency@@HandleHeapManager@1@ModuleProcResourcemallocstd::exception::exception
String ID: GetLogicalProcessorInformationEx$]lDl$kernel32.dll$%Gl
API String ID: 615551232-2825231733
Opcode ID: 987f5d18120419044c0ff2210a7a417e21f485becdbbd76cdf59d7b8d9c275e9
Instruction ID: 0b93f9cd43bd234e3d96f5233c14755191fe86f64724d64391a00ac0e97ce258
Opcode Fuzzy Hash: 987f5d18120419044c0ff2210a7a417e21f485becdbbd76cdf59d7b8d9c275e9
Instruction Fuzzy Hash: 0631D97170119AEBEB30EAA5CC48EDFB77CEF85255B60052AFA01E6A40DF30C90586F5

Function 6C437C5E Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_getdrive.MSVCR120 ref: 6C437C6F

Part of subcall function 6C434728: GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6C434754

GetFullPathNameA.KERNEL32(0000002E,00000000,?,0000002E), ref: 6C437CB6
__validdrive.LIBCMT ref: 6C4746AD
__doserrno.MSVCR120 ref: 6C4746BB
_errno.MSVCR120 ref: 6C4746C6
_invalid_parameter_noinfo.MSVCR120 ref: 6C4746D1
_errno.MSVCR120 ref: 6C4746DD
_invalid_parameter_noinfo.MSVCR120 ref: 6C4746E8

Strings

., xrefs: 6C437CE1
:., xrefs: 6C437C99

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CurrentDirectoryFullNamePath__doserrno__validdrive_getdrive
String ID: .$:.
API String ID: 1520938557-2811378331
Opcode ID: 2ae3d003e45c2768bb60de4f7389e92a279d22b5c9d2920b8a4cc8f2f18f3805
Instruction ID: bd3f8da87891ae5398567bf829f3b97adc8dfca9bd24cfa7aa398c456ed9a067
Opcode Fuzzy Hash: 2ae3d003e45c2768bb60de4f7389e92a279d22b5c9d2920b8a4cc8f2f18f3805
Instruction Fuzzy Hash: 8F312775605225EADB10DFAACC40FEE37A89F8A394F166019D958CBB40EB74C9048FF1

Function 6C4E25B1 Relevance: 28.8, APIs: 19, Instructions: 299COMMON

Download Yara Rule

APIs

_creal.LIBCMT ref: 6C4E25C5
_cimag.LIBCMT ref: 6C4E25D6
_dtest.MSVCR120(?), ref: 6C4E25E2
_dtest.MSVCR120(?,?), ref: 6C4E25EE
__Cbuild.LIBCMT(?), ref: 6C4E2879

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _dtest$Cbuild_cimag_creal
String ID:
API String ID: 2231236516-0
Opcode ID: b93439fdb4125792df7d8e114a27b32068bdb8c6921a297d9a3470ebb3bfdfda
Instruction ID: facb4d3536a52dfc1ad220a79ffdcc509e462b8e5031addbaa1e25d4254329cf
Opcode Fuzzy Hash: b93439fdb4125792df7d8e114a27b32068bdb8c6921a297d9a3470ebb3bfdfda
Instruction Fuzzy Hash: 2381D1B2C0481AD6CF12FF90E808DDE7B75FF0A356F560A84E8817A684EF72456987C5

Function 6C4E28B5 Relevance: 28.7, APIs: 19, Instructions: 244COMMON

Download Yara Rule

APIs

_crealf.LIBCMT(?,?), ref: 6C4E28C2
_cimagf.LIBCMT(?,?,?,?), ref: 6C4E28D0
_fdtest.MSVCR120(?,?,?,?,?), ref: 6C4E28DC
_fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C4E28E8
_logf.LIBCMT ref: 6C4E2B3B
__FCbuild.LIBCMT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C4E2B56

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fdtest$Cbuild_cimagf_crealf_logf
String ID:
API String ID: 791420253-0
Opcode ID: d881452415aea34d5734ed6cd0ef4b2004fdbe171ee7ce3b6723a93fc9135330
Instruction ID: a75c8deefe86573dd82bab9bff433c8f9ae11f2bcf3fd7ac6dd5b6dfce0a8b6f
Opcode Fuzzy Hash: d881452415aea34d5734ed6cd0ef4b2004fdbe171ee7ce3b6723a93fc9135330
Instruction Fuzzy Hash: D68169B1E0501BEFCF14AF90DA48EEEBF74FB49316F624588D58072994DB304A718B99

Function 6C443E9D Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 115threadregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C443EB4
GetCurrentProcess.KERNEL32(000000A4,00000000,00000000,00000002,?,00000000,?,?,?,?,6C47312D,?), ref: 6C443ED8
GetCurrentThread.KERNEL32 ref: 6C443EDB
GetCurrentProcess.KERNEL32(00000000,?,00000000,?,?,?,?,6C47312D,?), ref: 6C443EE2
DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,6C47312D,?), ref: 6C443EE5
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,00000000,?,?,?,?,6C47312D,?), ref: 6C443EF3

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

___crtSetThreadpoolWait.LIBCMT ref: 6C443F37
GetLastError.KERNEL32(?,00000000,?,?,?,?,6C47312D,?), ref: 6C471E48
RegisterWaitForSingleObject.KERNEL32(?,?,6C48CB49,00000000,000000FF,0000000C), ref: 6C471E97
GetLastError.KERNEL32(?,00000000,?,?,?,?,6C47312D,?), ref: 6C471EA1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,?,?,?,?,6C47312D,?), ref: 6C471EB8

Part of subcall function 6C443A83: GetModuleHandleA.KERNEL32(00000000,74DEF550), ref: 6C443A99
Part of subcall function 6C443A83: GetModuleFileNameW.KERNEL32(6C420000,?,00000104), ref: 6C443AB6
Part of subcall function 6C443A83: LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6C443ACF

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,00000000,?,?,?,?,6C47312D,?), ref: 6C471EE4
_CxxThrowException.MSVCR120(6C4FCF40,6C4FCF40,?,?,00000000,?,?,?,?,6C47312D,?), ref: 6C471EF3

Strings

-1Gl, xrefs: 6C443EA7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Current$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorHandleLastModuleProcessThreadVersion@Wait$Concurrency@@DuplicateExceptionFileH_prolog3LibraryLoadManager@1@NameObjectRegisterResourceSingleThreadpoolThrow___crt
String ID: -1Gl
API String ID: 228956268-2911491049
Opcode ID: 74c7c40e5059fff8eb15ceee75974607902c44cffe15840deeaff68894462637
Instruction ID: 9804f3055b86c9b907f4a3529af01c157e3e98aab810471c144fc456abbe9719
Opcode Fuzzy Hash: 74c7c40e5059fff8eb15ceee75974607902c44cffe15840deeaff68894462637
Instruction Fuzzy Hash: C1311671705242ABE710EF758C44F9BBBACFB42A54F104A2DF599D6A40DB20D8098BF6

Function 6C446D17 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,?,00000180,00000000,6C446E91,00000004,6C446A4C,0000000C,6C443D89,0000000C,6C443E4B,?,00000000,?), ref: 6C446D29
GetProcAddress.KERNEL32(00000000,RegisterTraceGuidsW), ref: 6C446D45
GetProcAddress.KERNEL32(00000000,UnregisterTraceGuids), ref: 6C446D57
GetProcAddress.KERNEL32(00000000,TraceEvent), ref: 6C446D6A
GetProcAddress.KERNEL32(00000000,GetTraceLoggerHandle), ref: 6C446D7D
GetProcAddress.KERNEL32(00000000,GetTraceEnableLevel), ref: 6C446D90
GetProcAddress.KERNEL32(00000000,GetTraceEnableFlags), ref: 6C446DA3
GetLastError.KERNEL32(?,6C4348CA), ref: 6C47379E
LoadLibraryW.KERNEL32(advapi32.dll,?,6C4348CA), ref: 6C4737AE

Strings

UnregisterTraceGuids, xrefs: 6C446D4D
GetTraceEnableFlags, xrefs: 6C446D98
GetTraceEnableLevel, xrefs: 6C446D85
TraceEvent, xrefs: 6C446D5F
advapi32.dll, xrefs: 6C446D21, 6C446D28, 6C4737AD
GetTraceLoggerHandle, xrefs: 6C446D72
RegisterTraceGuidsW, xrefs: 6C446D3F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: GetTraceEnableFlags$GetTraceEnableLevel$GetTraceLoggerHandle$RegisterTraceGuidsW$TraceEvent$UnregisterTraceGuids$advapi32.dll
API String ID: 2340687224-19120757
Opcode ID: 9afc3b8561962b32af10eef68b16bdcb4229cc27f95849b81320d1a2cd1f9933
Instruction ID: 686ff7d5e1853968ef75d1debad9967bfea74386b2bd2d4429d69763e4089b16
Opcode Fuzzy Hash: 9afc3b8561962b32af10eef68b16bdcb4229cc27f95849b81320d1a2cd1f9933
Instruction Fuzzy Hash: 7B112171710250ABEB19DF29CDE5DBA7BB9EB86600725842FE502C7644DB749800CB98

Function 6C443C0B Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtCreateEventExW.MSVCR120(00000000,00000000,00000000,001F0002), ref: 6C443C1B
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47201B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C472031
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47203F
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472045
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C47205B
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472069
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47206F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C446C5D), ref: 6C4720B5
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C3
GetLastError.KERNEL32(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C4720DF
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720ED
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720F3

Strings

]lDl, xrefs: 6C4720FD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastThrow$Version@$Concurrency@@CreateEventManager@1@Resource__crt
String ID: ]lDl
API String ID: 2006412488-2315230549
Opcode ID: 5e0376ac8183d6948fa3eb206a3d9f63d059aa0ad1c703d8cc96c7c58507deaf
Instruction ID: dc3da4538649c15e138462230d47bc5867f526c7d835d19e03ebfe5c1ef58776
Opcode Fuzzy Hash: 5e0376ac8183d6948fa3eb206a3d9f63d059aa0ad1c703d8cc96c7c58507deaf
Instruction Fuzzy Hash: 9321F97170105A9AA730FAB2CC48EFFB7ACFB40245B500919FA15E6B44EF21C50986F8

Function 6C446C80 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,00000000,?,?,?,?,6C446C6A), ref: 6C446C94
GetModuleHandleW.KERNEL32(combase.dll,RoInitialize,?,?,?,?,6C446C6A), ref: 6C446CAD
GetProcAddress.KERNEL32(00000000), ref: 6C446CB4
GetModuleHandleW.KERNEL32(combase.dll,RoUninitialize,?,?,?,?,6C446C6A), ref: 6C446CD6
GetProcAddress.KERNEL32(00000000), ref: 6C446CDD
GetLastError.KERNEL32(?,?,?,?,6C446C6A), ref: 6C47387A
GetLastError.KERNEL32(?,?,?,?,6C446C6A), ref: 6C473886
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,6C446C6A), ref: 6C47389C
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,6C446C6A), ref: 6C4738AA
_errno.MSVCR120(?,6C4FCF40,?,?,?,?,?,6C446C6A), ref: 6C4738B0
_invalid_parameter_noinfo.MSVCR120(?,6C4FCF40,?,?,?,?,?,6C446C6A), ref: 6C4738BB

Strings

Pl, xrefs: 6C446CF4
combase.dll, xrefs: 6C446C8E, 6C446C93, 6C446CAC, 6C446CD0
RoInitialize, xrefs: 6C446CA7
RoUninitialize, xrefs: 6C446CC9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionLibraryLoadThrow_errno_invalid_parameter_noinfo
String ID: RoInitialize$RoUninitialize$combase.dll$Pl
API String ID: 885641006-532509363
Opcode ID: 8a04f2e3559fe26443e278d2c0b2d108979ee872adc9e13ef5e14febd74fc48d
Instruction ID: 163dbc78aad7f2303663c216e0143438006b37d4b285ca15dad4590e181acaad
Opcode Fuzzy Hash: 8a04f2e3559fe26443e278d2c0b2d108979ee872adc9e13ef5e14febd74fc48d
Instruction Fuzzy Hash: 75115E747112469BEF14EF758C59FAF77A8FB46209B52092EB516CAA40EB34C4008ABD

Function 6C48F893 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C48FAC6
??0exception@std@@QAE@XZ.MSVCR120(00000030), ref: 6C48FAEA
_CxxThrowException.MSVCR120(6C48754C,6C4FCEE8,?,?,?,?,?,?), ref: 6C48FAFF
GetCurrentThread.KERNEL32 ref: 6C48FB12
??2@YAPAXI@Z.MSVCR120(0000000C,00000000), ref: 6C48FB23
std::exception::exception.LIBCMT(?,?,?,?,?,?,?,?,?,00000000), ref: 6C48FB62
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 6C48FB89
SetProcessAffinityMask.KERNEL32(00000000), ref: 6C48FB90
free.MSVCR120(?,00000000), ref: 6C48FBA3
free.MSVCR120(00000000,?,00000000), ref: 6C48FBA9
??2@YAPAXI@Z.MSVCR120(00000008,00000000), ref: 6C48FBB2
free.MSVCR120(?,00000000), ref: 6C48FBDB
free.MSVCR120(00000000,?,00000000), ref: 6C48FBE1

Strings

dwAffinityMask, xrefs: 6C48FB57

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$??2@CurrentProcess$??0exception@std@@AffinityExceptionH_prolog3_MaskThreadThrowstd::exception::exception
String ID: dwAffinityMask
API String ID: 2988529099-4260635329
Opcode ID: 7e15a8310af8c6054822d7cd31721cdafba865c025567866e2a9a5ab11ab85ab
Instruction ID: fea77ef2a96087171663c34db6fdc39cc6f6c9e017a35d7b22f1dd263cd6c6b9
Opcode Fuzzy Hash: 7e15a8310af8c6054822d7cd31721cdafba865c025567866e2a9a5ab11ab85ab
Instruction Fuzzy Hash: 2D318D31A066049BEB05DFA4C862FADBBB4FB45729F21441EE451E7B90DB34D844CBD8

Function 6C439BA4 Relevance: 24.2, APIs: 16, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

?_ValidateWrite@@YAHPAXI@Z.MSVCR120(00000000,00000001,6C439BE0,0000000C,6C439C33,?,?,00000000,00000000,6C439C58,00000008,6C439A04,?,?,?,00000000), ref: 6C439CF8
?_ValidateWrite@@YAHPAXI@Z.MSVCR120(?,00000001,6C439BE0,0000000C,6C439C33,?,?,00000000,00000000,6C439C58,00000008,6C439A04,?,?,?,00000000), ref: 6C439D06
__AdjustPointer.MSVCR120(00000000,00000008,6C439BE0,0000000C,6C439C33,?,?,00000000,00000000,6C439C58,00000008,6C439A04,?,?,?,00000000), ref: 6C439D1E
?_inconsistency@@YAXXZ.MSVCR120(6C439BE0,0000000C,6C439C33,?,?,00000000,00000000,6C439C58,00000008,6C439A04,?,?,?,00000000,6C47B112), ref: 6C439D35

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ValidateWrite@@$?_inconsistency@@AdjustPointer
String ID:
API String ID: 105498407-0
Opcode ID: 02110c0254d8be16391cb40b7e9e3e564607cc81de423ab3fbfce547cf3c298f
Instruction ID: a53e49c7c3b3c1f5117c164982f3f949b8d102856f4534f724f011ccd73b5925
Opcode Fuzzy Hash: 02110c0254d8be16391cb40b7e9e3e564607cc81de423ab3fbfce547cf3c298f
Instruction Fuzzy Hash: E65195352453175AEB1ACF27D881F9A37E4AFE922BF20141DE81C86ED0EF27D845C650

Function 6C43C722 Relevance: 24.2, APIs: 16, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?), ref: 6C44DC8C
_fileno.MSVCR120(?), ref: 6C44DC9C
_fileno.MSVCR120(?), ref: 6C44DCAC
_fileno.MSVCR120(?,?), ref: 6C44DCB7
_fileno.MSVCR120(?), ref: 6C44DCE0
_fileno.MSVCR120(?), ref: 6C44DCEC
_fileno.MSVCR120(?), ref: 6C44DCF8
_fileno.MSVCR120(?,?), ref: 6C44DD03
isleadbyte.MSVCR120(00000001), ref: 6C44DD47
mbtowc.MSVCR120(?,00000000,00000001), ref: 6C44DD5E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fileno$isleadbytembtowc
String ID:
API String ID: 3580289129-0
Opcode ID: 198bb85bb04708c173f8b50c605c15bc4af18b74c21e78587329e3c8f454721a
Instruction ID: ab35726c33cdba3c2819f628c7398a1c4592c87db1838d3210065a97225d898e
Opcode Fuzzy Hash: 198bb85bb04708c173f8b50c605c15bc4af18b74c21e78587329e3c8f454721a
Instruction Fuzzy Hash: 4C512561405162AAC315CB3ED880EB97BA49F8B3B8730531DF5798BFD1DB24D41687E4

Function 6C43448C Relevance: 24.1, APIs: 16, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCR120(00000000,6C44E01F,00000000,?,?,6C434540,00000000,00000000,00000000,?,6C432CCC,0000006C,6C432CF0,0000000C), ref: 6C434523
free.MSVCR120(?,6C44E01F,00000000,?,?,6C434540,00000000,00000000,00000000,?,6C432CCC,0000006C,6C432CF0,0000000C), ref: 6C4498B4
___free_lconv_mon.LIBCMT ref: 6C4498BF
free.MSVCR120(?,6C44E01F,00000000,?,?,6C434540,00000000,00000000,00000000,?,6C432CCC,0000006C,6C432CF0,0000000C), ref: 6C4498D2
___free_lconv_num.LIBCMT ref: 6C4498DD
free.MSVCR120(?,6C44E01F,00000000,?,?,6C434540,00000000,00000000,00000000,?,6C432CCC,0000006C,6C432CF0,0000000C), ref: 6C4498E7
free.MSVCR120(?,?,6C44E01F,00000000,?,?,6C434540,00000000,00000000,00000000,?,6C432CCC,0000006C,6C432CF0,0000000C), ref: 6C4498F2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$___free_lconv_mon___free_lconv_num
String ID:
API String ID: 2838340673-0
Opcode ID: 65690f3b6b48ce163d9992aedc3cc248b4638ad103170e04a55cdd4ccad0b2c5
Instruction ID: a59b0bfc2b3bba424b01175b7f09efe3bd8869515b8fde367d6aa652235cfd3f
Opcode Fuzzy Hash: 65690f3b6b48ce163d9992aedc3cc248b4638ad103170e04a55cdd4ccad0b2c5
Instruction Fuzzy Hash: D94171315057019BFB20CE7AD982F8677E8FF542AAF24982DE558C6B50DB36E844C690

Function 6C4E5C5D Relevance: 22.7, APIs: 15, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

_creal.LIBCMT ref: 6C4E5C71
_cimag.LIBCMT ref: 6C4E5C82
_ldtest.MSVCR120(?), ref: 6C4E5C8E
_ldtest.MSVCR120(?,?), ref: 6C4E5C9A
cos.MSVCR120(?,?,00000000), ref: 6C4E5DD4
__dexp.LIBCMT ref: 6C4E5DE0
sin.MSVCR120(?,?,00000000), ref: 6C4E5DF2
__dexp.LIBCMT ref: 6C4E5DFE
__Cbuild.LIBCMT(?), ref: 6C4E5E1A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __dexp_ldtest$Cbuild_cimag_creal
String ID:
API String ID: 1450283889-0
Opcode ID: b3e21ca9187ffb4f60daac19d19ea093980b15cc96208fd5e3543255206810c4
Instruction ID: ed35d7e2738d8153d0c6eb85e6fb7591ec81719e20abec53c177ec936939bcc9
Opcode Fuzzy Hash: b3e21ca9187ffb4f60daac19d19ea093980b15cc96208fd5e3543255206810c4
Instruction Fuzzy Hash: DE519C70C0481AD5DF01FB94E849EEEBB78FF09306F828989E5C162A80EF350579C395

Function 6C4E58D2 Relevance: 22.7, APIs: 15, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

_creal.LIBCMT ref: 6C4E58E6
_cimag.LIBCMT ref: 6C4E58F7
_dtest.MSVCR120(?), ref: 6C4E5903
_dtest.MSVCR120(?,?), ref: 6C4E590F
cos.MSVCR120(?,?,00000000), ref: 6C4E5A49
__dexp.LIBCMT ref: 6C4E5A55
sin.MSVCR120(?,?,00000000), ref: 6C4E5A67
__dexp.LIBCMT ref: 6C4E5A73
__Cbuild.LIBCMT(?), ref: 6C4E5A8F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __dexp_dtest$Cbuild_cimag_creal
String ID:
API String ID: 2547048650-0
Opcode ID: 75c19cb04613c9422bafb66ccad68a61ac37efae8011a213197d956c9453fb5b
Instruction ID: acf76443df3785b8c18f135f046f99dd4c54117298958c5df603b718ac501806
Opcode Fuzzy Hash: 75c19cb04613c9422bafb66ccad68a61ac37efae8011a213197d956c9453fb5b
Instruction Fuzzy Hash: 6151B071C0482AD6DF01FB94E849DFEBB78FF09316F924989E9C122A80DB315578C395

Function 6C497E5C Relevance: 21.2, APIs: 14, Instructions: 221windowCOMMON

Download Yara Rule

APIs

??0exception@std@@QAE@XZ.MSVCR120 ref: 6C497E9E
_CxxThrowException.MSVCR120(?,6C4FD0DC), ref: 6C497EB3
__EH_prolog3_catch.LIBCMT ref: 6C497EC0
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCMT ref: 6C497F15
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C497F50
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C497F98

Part of subcall function 6C434872: TlsGetValue.KERNEL32(?,6C4348CA,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C43488E

??0exception@std@@QAE@XZ.MSVCR120(00000048,?), ref: 6C497FCC
_CxxThrowException.MSVCR120(6C487484,6C4FCEB0), ref: 6C497FE1
??0exception@std@@QAE@XZ.MSVCR120(?,?,?,?,?,?,?,6C487484,6C4FCEB0), ref: 6C498006
?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR120(00000048,?,6C4FD0DC), ref: 6C498061
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C498081
??0exception@std@@QAE@XZ.MSVCR120(00000000,?,00000048,?,6C4FD0DC), ref: 6C498091

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??0exception@std@@$Base::CancellationConcurrency::details::ContextVisible$ExceptionTaskThrow$Abort@_Base::_CollectionCollection@details@Concurrency::details::_Concurrency@@H_prolog3_catchStateStructuredTokenValue
String ID:
API String ID: 1204123976-0
Opcode ID: eb97be3069952c3aa6e8a3d202d299880858936f9301b5abb2c9c885b2ec559e
Instruction ID: 18af9b6aaac14115d8dba2893b30b11d6685f075e55e3e32315c1c4cc6cc2bfa
Opcode Fuzzy Hash: eb97be3069952c3aa6e8a3d202d299880858936f9301b5abb2c9c885b2ec559e
Instruction Fuzzy Hash: BE817B70A056199FCB14CF6AC480EAEFBF4BF44319B10851EE866A7F50C734E949CB90

Function 6C432F6E Relevance: 21.2, APIs: 14, Instructions: 189COMMON

Download Yara Rule

APIs

_mbstowcs_s.LIBCMT(?,00000000,00000000,?,7FFFFFFF,6C4330E8,00000020), ref: 6C432F98

Part of subcall function 6C432F50: _mbstowcs_s_l.MSVCR120(?,?,?,?,?,00000000), ref: 6C432F64

_calloc_crt.MSVCR120(?,00000002), ref: 6C432FAD
_mbstowcs_s.LIBCMT(00000000,00000000,?,?,00000000), ref: 6C432FCA
_wsetlocale.MSVCR120(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C432FDF

Part of subcall function 6C4332B8: _getptd.MSVCR120(6C4333E8,00000014,6C432FE4,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C4332D3
Part of subcall function 6C4332B8: _calloc_crt.MSVCR120(000000B8,00000001), ref: 6C4332F0
Part of subcall function 6C4332B8: _lock.MSVCR120(0000000C), ref: 6C433306
Part of subcall function 6C4332B8: __copytlocinfo_nolock.LIBCMT ref: 6C433317
Part of subcall function 6C4332B8: wcscmp.MSVCR120(00000000,6C4FF880,00000000,00000000,00000000), ref: 6C433351
Part of subcall function 6C4332B8: _lock.MSVCR120(0000000C,00000000,00000000,00000000), ref: 6C433368

free.MSVCR120(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C432FE8

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

_getptd.MSVCR120(00000000,00000000,00000000), ref: 6C432FFB
_wcstombs_s_l.MSVCR120(00000000,00000000,00000000,?,00000000,?,00000000), ref: 6C433022
_malloc_crt.MSVCR120(-00000004,?,?,?,?,?,?,00000000), ref: 6C433039

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

_wcstombs_s_l.MSVCR120(00000000,00000004,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 6C433060
_lock.MSVCR120(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C433075

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

free.MSVCR120(00000000), ref: 6C4330BA
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C480092
free.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C4800B1
free.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C4800FB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$_lock$_calloc_crt_getptd_mbstowcs_s_wcstombs_s_l$CriticalEnterFreeHeapSection__copytlocinfo_nolock_invoke_watson_malloc_crt_mbstowcs_s_l_wsetlocalemallocwcscmp
String ID:
API String ID: 1259114276-0
Opcode ID: 3c9c2c4902ec18c32a8e88486d7597b4ab88f72aef735ddc72dff9c5ccadc9ad
Instruction ID: fe287d9775cb29c3475afd04fd0a12141888e355dc65c4070a2a9e861708321e
Opcode Fuzzy Hash: 3c9c2c4902ec18c32a8e88486d7597b4ab88f72aef735ddc72dff9c5ccadc9ad
Instruction Fuzzy Hash: 71510A31D136159BEB20CAB69C80FAE72B4AF8A31AF24411DEC19E7B41DB38D44586E0

Function 6C444CD6 Relevance: 21.2, APIs: 14, Instructions: 176threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C444CDD
??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(00000004,6C444EF7,00000000,?,00000000), ref: 6C444CFB

Part of subcall function 6C445C29: __crtInitializeCriticalSectionEx.MSVCR120(?,00000000,00000180,6C444ACC,?,?,?,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C445C35

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D4C
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D5B
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000003,00000002,00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D6A
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000005,00000003,00000002,00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D79
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000006,00000005,00000003,00000002,00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D88
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000008,00000006,00000005,00000003,00000002,00000001,00000004,6C444EF7,00000000,?,00000000), ref: 6C444D97
??2@YAPAXI@Z.MSVCR120(00000838), ref: 6C444E4D

Part of subcall function 6C42EE11: malloc.MSVCR120(?), ref: 6C42EE1A

Concurrency::details::HillClimbing::HillClimbing.LIBCMT ref: 6C444E60
?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR120 ref: 6C444E68
??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C444E85
GetCurrentThread.KERNEL32 ref: 6C473476
GetThreadPriority.KERNEL32(00000000), ref: 6C47347D

Part of subcall function 6C4458DA: __EH_prolog3.LIBCMT ref: 6C4458E1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Policy$Concurrency@@$ElementKey@2@@Policy@SchedulerValue@$H_prolog3HillThread$??0_??2@BlockingClimbingClimbing::Concurrency::details::Count@CriticalCurrentInitializeLock@details@NodePriorityProcessorReentrantSection__crtmalloc
String ID:
API String ID: 1717548414-0
Opcode ID: 2112aa0ab8c3b5a878a79706fc65223a387d7700dd68fc733ced1831dc039b3c
Instruction ID: 8c704fb40c0bafbfe5a6da3c5b93ea29a0a054e62f1e808b39efcfe4cc82627c
Opcode Fuzzy Hash: 2112aa0ab8c3b5a878a79706fc65223a387d7700dd68fc733ced1831dc039b3c
Instruction Fuzzy Hash: 8C61FAB1B41A12ABE708CF39C555F95FBA1FB89344F24C22ED46DC7B40DB71A4248B80

Function 6C43CCA8 Relevance: 21.2, APIs: 14, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?), ref: 6C440652
_fileno.MSVCR120(?), ref: 6C440667
_fileno.MSVCR120(?), ref: 6C440677
_fileno.MSVCR120(?,?), ref: 6C440682
_fileno.MSVCR120(?), ref: 6C4406A4
_fileno.MSVCR120(?), ref: 6C4406B4
_fileno.MSVCR120(?), ref: 6C4406C4
_fileno.MSVCR120(?,?), ref: 6C4406CF
_fileno.MSVCR120(?), ref: 6C4406F1
_fileno.MSVCR120(?), ref: 6C4406FD
_fileno.MSVCR120(?), ref: 6C440709
_fileno.MSVCR120(?,?), ref: 6C440714
__cftof.LIBCMT(?,00000040,00000005,?), ref: 6C440741

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fileno$__cftof
String ID:
API String ID: 813615167-0
Opcode ID: 306c9035af6d7240541b53d725a580b949c66a11a5a5dafd2b88328284629a85
Instruction ID: 9da00a05325ae7163d0dc6bbc559b781166fad6c1511cf9c6bb6334087127df1
Opcode Fuzzy Hash: 306c9035af6d7240541b53d725a580b949c66a11a5a5dafd2b88328284629a85
Instruction Fuzzy Hash: E64159328011649AA700DA795880DBF7FA4EFCA7B9330534DE4389BBE1DB20D417C6D5

Function 6C44BD99 Relevance: 21.1, APIs: 14, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

_getdrive.MSVCR120(?,?,?), ref: 6C44BDBD

Part of subcall function 6C434728: GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6C434754

GetFullPathNameW.KERNEL32(?,00000000,?,?,?,?,?), ref: 6C44BE0D
__validdrive.LIBCMT ref: 6C4747CA
__doserrno.MSVCR120(?,?,?), ref: 6C4747D8
_errno.MSVCR120(?,?,?), ref: 6C4747E3
_invalid_parameter_noinfo.MSVCR120(?,?,?), ref: 6C4747EE
_errno.MSVCR120(?,?,?), ref: 6C4747F8

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$CurrentDirectoryFullNamePath__doserrno__validdrive_getdrive_invalid_parameter_noinfo
String ID:
API String ID: 4038912475-0
Opcode ID: 1ff1cb78e80fc88af402815ca82cd8d5479cb26190e80f059e1a9c8e54aa0698
Instruction ID: e851cfc0609111b2481dbfa1063de3f5bc87bd0534ddb10fe56e2f043461be9a
Opcode Fuzzy Hash: 1ff1cb78e80fc88af402815ca82cd8d5479cb26190e80f059e1a9c8e54aa0698
Instruction Fuzzy Hash: E131D179A002599AEB10DFE9CC40EFE73B8AF89354F21655ED514D7B40EB30C9048BB5

Function 6C445BD8 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C445BDF
GetCurrentProcess.KERNEL32(6C500A9C,6C500AB8,00000024,6C4726F0,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000), ref: 6C445BEE
GetProcessAffinityMask.KERNEL32(00000000,?,00000000), ref: 6C445BF5
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000,?,6C4469B0,00000002,00000001), ref: 6C4724D8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000,?,6C4469B0,00000002), ref: 6C4724EE
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000), ref: 6C4724FC
GetCurrentThread.KERNEL32 ref: 6C47250A
??2@YAPAXI@Z.MSVCR120(0000000C,00000000), ref: 6C47251B
??2@YAPAXI@Z.MSVCR120(00000008,00000000), ref: 6C472544

Strings

.iDl, xrefs: 6C472511

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@CurrentProcess$AffinityConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionH_prolog3_LastMaskThreadThrow
String ID: .iDl
API String ID: 1331674153-4139667660
Opcode ID: 9e73575aff684cfb711d435bff4a2b859b238ab27e329ed6bf564e541232e265
Instruction ID: 9e22f29172ac01f238e21793a11cc76c147812ba3e6fbec5d59a64cbf4bdaa79
Opcode Fuzzy Hash: 9e73575aff684cfb711d435bff4a2b859b238ab27e329ed6bf564e541232e265
Instruction Fuzzy Hash: 4931B371712651EBEB20DF78CC55E9EB3B0EB49725B11841EE505DBB40EF34880187B5

Function 6C446F10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 6C446F16
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472045
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C47205B
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C472069
GetLastError.KERNEL32(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C47206F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C446C5D), ref: 6C4720B5
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C3
GetLastError.KERNEL32(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C4720DF
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720ED
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720F3

Strings

]lDl, xrefs: 6C4720FD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastThrow$Version@$AllocConcurrency@@Manager@1@Resource
String ID: ]lDl
API String ID: 3870855575-2315230549
Opcode ID: d64a16b6594ecdaa921f8bb79bbb12d498ee37222cf149428268620d5b647194
Instruction ID: d24b2f86b8378def1323c267e7e910e336f62fd1cfd799e5f6e4d9807d90df6f
Opcode Fuzzy Hash: d64a16b6594ecdaa921f8bb79bbb12d498ee37222cf149428268620d5b647194
Instruction Fuzzy Hash: 2F11E43170105A9A9730EAB68C4CEEFB778BB45215B600A19FA15E1A84EF21C50986F9

Function 6C446DB6 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,RegisterTraceGuidsW), ref: 6C446D45
GetProcAddress.KERNEL32(00000000,UnregisterTraceGuids), ref: 6C446D57
GetProcAddress.KERNEL32(00000000,TraceEvent), ref: 6C446D6A
GetProcAddress.KERNEL32(00000000,GetTraceLoggerHandle), ref: 6C446D7D
GetProcAddress.KERNEL32(00000000,GetTraceEnableLevel), ref: 6C446D90
GetProcAddress.KERNEL32(00000000,GetTraceEnableFlags), ref: 6C446DA3

Strings

UnregisterTraceGuids, xrefs: 6C446D4D
GetTraceEnableFlags, xrefs: 6C446D98
GetTraceEnableLevel, xrefs: 6C446D85
TraceEvent, xrefs: 6C446D5F
GetTraceLoggerHandle, xrefs: 6C446D72
RegisterTraceGuidsW, xrefs: 6C446D3F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressProc
String ID: GetTraceEnableFlags$GetTraceEnableLevel$GetTraceLoggerHandle$RegisterTraceGuidsW$TraceEvent$UnregisterTraceGuids
API String ID: 190572456-1576993034
Opcode ID: f589b090215e89b09fd80cc6e70123358fb7ba41889389c860d03ae10f4ecd25
Instruction ID: 74451ada85bd10721684081a4593148e5eefb40ffe4b6742fca7e1337f6fc6ad
Opcode Fuzzy Hash: f589b090215e89b09fd80cc6e70123358fb7ba41889389c860d03ae10f4ecd25
Instruction Fuzzy Hash: CE01C8717202509BAB5DDF3DCDE1CBA7BF9EB8A600325846FA806C7644DA75D800CB54

Function 6C498CEC Relevance: 19.8, APIs: 13, Instructions: 290windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C498CF3

Part of subcall function 6C4987CF: __EH_prolog3.LIBCMT ref: 6C4987D6
Part of subcall function 6C4987CF: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C4987ED

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C498DA2
_CxxThrowException.MSVCR120(6C487484,6C4FCEB0), ref: 6C498DB7
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C498DE6
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C498E31
??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C498E5D
??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C498EDB
??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C498F24

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??0exception@std@@$Base::Concurrency::details::Context$CancellationVisible$CreateExceptionH_prolog3H_prolog3_catchQueueThrowValueWork
String ID:
API String ID: 3898879344-0
Opcode ID: 5d96a88cb2fed30b8f9ed234abfb75f33e72a3aa4774c739d4af437626cc8f80
Instruction ID: da191807f5d239dde40d566e622aa837e6fd8cac656ca5154278040d2fbf2eab
Opcode Fuzzy Hash: 5d96a88cb2fed30b8f9ed234abfb75f33e72a3aa4774c739d4af437626cc8f80
Instruction Fuzzy Hash: 70B19D70A01219DFDB04DF69C890EEDBBB5BF44349F14801EE46A9BB61DB35E946CB80

Function 6C43F94D Relevance: 19.6, APIs: 13, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnlen.LIBCMT(?,?,?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C43F96D
__crtLCMapStringW.MSVCR120(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C43FA0E
__crtLCMapStringW.MSVCR120(?,00000200,?,000000FF,00000000,00000000,?,6C43F9DA,?,?,?,?), ref: 6C43FA8A
wcscpy_s.MSVCR120(?,?,00000000,?,?,?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C43FA9F
_freea_s.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C43FAAA
_errno.MSVCR120(?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C47ADEC
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,6C43F9DA,?,?,?,?), ref: 6C47ADF6
_errno.MSVCR120(?,6C43F9DA,?,?,?,?), ref: 6C47AE09
_errno.MSVCR120(?,6C43F9DA,?,?,?,?), ref: 6C47AE14

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfo_wcsnlenwcscpy_s
String ID:
API String ID: 1691615764-0
Opcode ID: 9d8c892d4d7178a0bb125206bb99fe599caf109d728a0173698af62c8e1e3373
Instruction ID: 46f550c71cc9deb2044b245eff78fade83cb67d733e5f976ae6aaed8b4b02c68
Opcode Fuzzy Hash: 9d8c892d4d7178a0bb125206bb99fe599caf109d728a0173698af62c8e1e3373
Instruction Fuzzy Hash: 94412E31641221ABE710DF6ACC84EDB33A4DFCA764F241559E81CDBB90E730C80587E2

Function 6C44F404 Relevance: 19.6, APIs: 13, Instructions: 143stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strnlen.MSVCR120(?,?,?,?,?,?,?,6C44F52F,?,?,?,?), ref: 6C44F424
__crtLCMapStringA.MSVCR120(?,?,00000100,?,000000FF,00000000,00000000,?,00000001,?,?,?,?,?,6C44F52F,?), ref: 6C44F45A
__crtLCMapStringA.MSVCR120(?,?,00000100,?,000000FF,00000000,00000000,?,00000001,?,?,?,?,6C44F52F,?,?), ref: 6C44F4D4
strcpy_s.MSVCR120(?,?,00000000), ref: 6C44F4E9
_freea_s.MSVCR120(00000000), ref: 6C44F4F4
_errno.MSVCR120(?,?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AAA5
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AAAF
_errno.MSVCR120(?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AABE
_errno.MSVCR120(?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AAC9
_errno.MSVCR120(?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AAF2
malloc.MSVCR120(00000008,?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AAFC
_errno.MSVCR120(?,?,?,?,6C44F52F,?,?,?,?), ref: 6C47AB17
_errno.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,6C44F52F,?,?), ref: 6C47AB24

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfomallocstrcpy_sstrnlen
String ID:
API String ID: 2821879312-0
Opcode ID: b8dd52b885fdbdd109b0026806b9b1758342dff27314d345e1721aa0cc29a686
Instruction ID: 5211a3879a0cd24518dbdb2040a4677a0cd6014b105b1f6fbf91b63e97f495e9
Opcode Fuzzy Hash: b8dd52b885fdbdd109b0026806b9b1758342dff27314d345e1721aa0cc29a686
Instruction Fuzzy Hash: F541F471A06211AFFF24CFA5CC80FEA37A4DF4A318F24515DE9184AB90DB74D88587A1

Function 6C434BF0 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6C434C2A
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6C4742DF
GetLastError.KERNEL32 ref: 6C4742E9
__dosmaperr.LIBCMT(00000000), ref: 6C4742F0
_errno.MSVCR120 ref: 6C47430D
calloc.MSVCR120(?,00000002), ref: 6C474322
_errno.MSVCR120 ref: 6C474333
_errno.MSVCR120 ref: 6C474340
_invalid_parameter_noinfo.MSVCR120 ref: 6C47434B
free.MSVCR120(00000000), ref: 6C474359
_errno.MSVCR120 ref: 6C47435F
free.MSVCR120(00000000), ref: 6C474376
_wgetcwd.MSVCR120(?,?), ref: 6C474387

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_invalid_parameter_noinfo_wgetcwdcalloc
String ID:
API String ID: 3145916893-0
Opcode ID: 3e2471002b950195f4dbb94334c626d3907346b798cbbe1ac50f80aabda2533d
Instruction ID: d35d9563c10b1f206934ad41662cfb6d64bde1213cf2506462ffb74c67f14122
Opcode Fuzzy Hash: 3e2471002b950195f4dbb94334c626d3907346b798cbbe1ac50f80aabda2533d
Instruction Fuzzy Hash: 7221B732704215ABEB21DE768C44DFE376CAB853EAF156919E9188BE50DB30C8418AF5

Function 6C4E6878 Relevance: 19.6, APIs: 13, Instructions: 74COMMON

Download Yara Rule

APIs

_cimagf.LIBCMT(?,?), ref: 6C4E6881
_clogf.LIBCMT(?,?), ref: 6C4E6899

Part of subcall function 6C4E6155: _crealf.LIBCMT(?,?), ref: 6C4E6163
Part of subcall function 6C4E6155: _cimagf.LIBCMT(?,?,?,?), ref: 6C4E6171
Part of subcall function 6C4E6155: _fdtest.MSVCR120(?,?,?,?,?), ref: 6C4E617D
Part of subcall function 6C4E6155: _fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C4E6189
Part of subcall function 6C4E6155: __FCbuild.LIBCMT ref: 6C4E635A

__FCmulcc.LIBCMT ref: 6C4E68A6

Part of subcall function 6C4E67B2: _crealf.LIBCMT(?,?,00000000,?,?,?), ref: 6C4E67BE
Part of subcall function 6C4E67B2: _cimagf.LIBCMT(?,?,?,?,00000000,?,?,?), ref: 6C4E67CC
Part of subcall function 6C4E67B2: _crealf.LIBCMT(00000000,?,?,?,?,?,00000000,?,?,?), ref: 6C4E67DA
Part of subcall function 6C4E67B2: _cimagf.LIBCMT(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 6C4E67E8
Part of subcall function 6C4E67B2: __FCbuild.LIBCMT(?,?,?,?,?,?,00000000,?,?,?), ref: 6C4E682A

_cexpf.LIBCMT(00000000,?,?,?,00000000,?,?,?), ref: 6C4E68AD

Part of subcall function 6C4E5AA8: _crealf.LIBCMT(?,?), ref: 6C4E5AB5
Part of subcall function 6C4E5AA8: _cimagf.LIBCMT(?,?,?,?), ref: 6C4E5AC3
Part of subcall function 6C4E5AA8: _fdtest.MSVCR120(?,?,?,?,?), ref: 6C4E5ACF
Part of subcall function 6C4E5AA8: _fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C4E5ADB
Part of subcall function 6C4E5AA8: __FCbuild.LIBCMT ref: 6C4E5C51

_cimagf.LIBCMT(?,?), ref: 6C4E68BD
_crealf.LIBCMT(?,?), ref: 6C4E68D9
_logf.LIBCMT ref: 6C4E68E2
__FCmulcr.LIBCMT ref: 6C4E68F0
_cexpf.LIBCMT(00000000,?,?,?,?), ref: 6C4E68F7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _cimagf$_crealf$_fdtest$Cbuild$_cexpf$CmulccCmulcr_clogf_logf
String ID:
API String ID: 3754504586-0
Opcode ID: a4e0e409156d489dbc52ffeb8f4004f6c55a932f874404115945202b3e0087a7
Instruction ID: a6b4b73a36a8c1ae9e8cfa09b0500a449bfa86c4ca4234225f1f2161404fcc99
Opcode Fuzzy Hash: a4e0e409156d489dbc52ffeb8f4004f6c55a932f874404115945202b3e0087a7
Instruction Fuzzy Hash: FF11AF7240810EFECF056F60EC00DED7B3AEF48325F01885AFA98555A0DB334934AB95

Function 6C4946A1 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 260threadCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT(?), ref: 6C4946D4

Part of subcall function 6C4BDD30: std::exception::_Copy_str.LIBCMT(?,?,?,6C4BDD23,?,?,?,6C47B529,Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C4BDD49

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCMT ref: 6C494714
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120 ref: 6C494732
SwitchToThread.KERNEL32 ref: 6C49473B
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCMT ref: 6C49474E
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 6C49476A
std::exception::exception.LIBCMT(?), ref: 6C4947A0
_CxxThrowException.MSVCR120(6C48754C,Function_000DCEE8), ref: 6C4947B7
free.MSVCR120(00000000), ref: 6C49498E

Strings

count, xrefs: 6C4946C7
ppVirtualProcessorRoots, xrefs: 6C494793

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::$FindMatchingNode::ProcessorSchedulingSpinVirtualstd::exception::exception$Base::Concurrency@@ContextCopy_strExceptionInternalOnce@?$_OversubscribedProcResetSwitchThreadThrowWait@$00@details@freestd::exception::_
String ID: count$ppVirtualProcessorRoots
API String ID: 1266909556-3650809737
Opcode ID: c9870d2dc515b41da3064a4ec4132d752f0bbb54ab4c75f271ca7b58e6be0be5
Instruction ID: f335c08e3db96be9d757140024d414f9c64fcdfa91ec88d9ac755a71f001a01e
Opcode Fuzzy Hash: c9870d2dc515b41da3064a4ec4132d752f0bbb54ab4c75f271ca7b58e6be0be5
Instruction Fuzzy Hash: 71B14834A046159FCB04DF28C480E9ABBF5FF89355F118AADE8698BB51DB30E945CF90

Function 6C44C264 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

_wsopen_s.MSVCR120(?,?,00000000,?,00000180,?,00000000,?,?,?,?,6C44C22A,?,?,?,00000000), ref: 6C44C32B

Strings

UTF-8, xrefs: 6C4515B5
ccs, xrefs: 6C45157D
UNICODE, xrefs: 6C4515E5
UTF-16LE, xrefs: 6C4515CD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 2316899696-3573488595
Opcode ID: d92390b79ec59d533755ab959b9a9dbe0b1819e00c503aa5df6860a345fdbf93
Instruction ID: 48581bb4ce0029f882e6506f4a3100727731d3cbea6cf90b57f54beccbce933c
Opcode Fuzzy Hash: d92390b79ec59d533755ab959b9a9dbe0b1819e00c503aa5df6860a345fdbf93
Instruction Fuzzy Hash: 666179B2D4A209DAF720EE6AC844F9937A0EB12359F3CC52BEC14D7F84E6B0C645C255

Function 6C4A1931 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?,00000000,?,?,?,?,6C4A1D7B,?,?,?,00000000), ref: 6C4A1962
_invalid_parameter_noinfo.MSVCR120(?,00000000,?,?,?,?,6C4A1D7B,?,?,?,00000000), ref: 6C4A196D
_mbsnbcmp.MSVCR120(ccs,?,00000003,?,00000000,?,?,?,?,6C4A1D7B,?,?,?,00000000), ref: 6C4A1AC9
_mbsnbicmp.MSVCR120(?,UTF-8,00000005), ref: 6C4A1AFC
_mbsnbicmp.MSVCR120(?,UTF-16LE,00000008), ref: 6C4A1B1B
_mbsnbicmp.MSVCR120(?,UNICODE,00000007), ref: 6C4A1B3A
__sopen_s.LIBCMT(?,?,00000109,?,00000180,?,00000000,?,?,?,?,6C4A1D7B,?,?,?,00000000), ref: 6C4A1B74

Strings

ccs, xrefs: 6C4A1AC4
UTF-16LE, xrefs: 6C4A1B15
UNICODE, xrefs: 6C4A1B34
UTF-8, xrefs: 6C4A1AF6

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _mbsnbicmp$__sopen_s_errno_invalid_parameter_noinfo_mbsnbcmp
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 2257928776-3573488595
Opcode ID: ef2e9d2d983669ea52276e9fe8d460b65e15e0b1b85cc890f862e3e6d2ec1324
Instruction ID: 5aad022cd5797970d73d74b23c068ef7bf450eea586958eb0d2bb1dc79de920f
Opcode Fuzzy Hash: ef2e9d2d983669ea52276e9fe8d460b65e15e0b1b85cc890f862e3e6d2ec1324
Instruction Fuzzy Hash: E6517D73E49201DAF710CEE98400FA57FA89F3631EF28416AECA196F9EE274C543C655

Function 6C44A7CF Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C44A866
DName::DName.LIBCMT ref: 6C44A909
DName::DName.LIBCMT ref: 6C47C7CF

Strings

`non-type-template-parameter, xrefs: 6C47C7BA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::
String ID: `non-type-template-parameter
API String ID: 1333004437-4247534891
Opcode ID: 5b7a2cf050458626ffd19078dbbb77aba7599e813366dddd8e05f751ee0aa05e
Instruction ID: 6d76324b13015803a0c74f043adf7285f476a825228b810829e7c7152b87b246
Opcode Fuzzy Hash: 5b7a2cf050458626ffd19078dbbb77aba7599e813366dddd8e05f751ee0aa05e
Instruction Fuzzy Hash: FA415A71A481469EE718DF28C880EE97BB5EF86348F25817EE8459BB40CB30D847C7E0

Function 6C48EEBE Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,6C500AA4,?,00000000,6C447B2D,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004), ref: 6C48EECD
GetLastError.KERNEL32(?,00000000,6C447B2D,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C48EED9
GetLastError.KERNEL32(?,00000000,6C447B2D,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C48EEE0
malloc.MSVCR120(?,00000000,6C447B2D,0000FFFF,6C4725E8,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C48EEEE
std::exception::exception.LIBCMT(00000000,00000001,00000000,6C447B2D,0000FFFF,6C4725E8,?,00000000), ref: 6C48EF0A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000,?,6C4469B0,00000002), ref: 6C48EF4C
_CxxThrowException.MSVCR120(6C4FCF40,6C4FCF40,?,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E,?,00000000), ref: 6C48EF5A

Strings

%Gl, xrefs: 6C48EF16
%Gl, xrefs: 6C48EF07

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionInformationLogicalProcessorThrowmallocstd::exception::exception
String ID: %Gl$%Gl
API String ID: 1610761817-3840821153
Opcode ID: 9d8f084ee18dd636de995e31a458b4535dc3bcf5bf27b2cf68681044c8198313
Instruction ID: 9ddf1b80aeb13f773a1d8b9ce5b4a6f8a422d977c34238ed069c11bd81d1ca10
Opcode Fuzzy Hash: 9d8f084ee18dd636de995e31a458b4535dc3bcf5bf27b2cf68681044c8198313
Instruction Fuzzy Hash: 6B01C839B06156A6D700EB65CC81F9F7778EF83209F54095AF940E2E80DB70D90987E5

Function 6C44250B Relevance: 18.4, APIs: 12, Instructions: 373COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR120(00000001,00000050), ref: 6C442532
_malloc_crt.MSVCR120(00000004), ref: 6C442548

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

_malloc_crt.MSVCR120(00000004), ref: 6C44256D

Part of subcall function 6C441BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,00000000), ref: 6C441C46
Part of subcall function 6C441BFC: _calloc_crt.MSVCR120(00000000,00000002,?,?,?,00000000), ref: 6C441C5B
Part of subcall function 6C441BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,?,00000000), ref: 6C441C77

free.MSVCR120(00000000), ref: 6C480155
free.MSVCR120(00000000), ref: 6C48015E
free.MSVCR120(00000000,00000000), ref: 6C480164
___free_lconv_mon.LIBCMT ref: 6C480170
free.MSVCR120(?,?), ref: 6C480176
free.MSVCR120(?,?,?), ref: 6C48017F
free.MSVCR120(?,?,?,?), ref: 6C480188
free.MSVCR120(?), ref: 6C480198
free.MSVCR120(?,?), ref: 6C4801A0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$InfoLocale__crt_calloc_crt_malloc_crt$___free_lconv_monmalloc
String ID:
API String ID: 1790976588-0
Opcode ID: 24eb4c3dc43089dc4f56442d86e355850d534f9a28a0f503a3366d98fb08e218
Instruction ID: 0a654fe7695f80caa12c956cf17c0d8d00efdca84f213c9bcba3b00d4a7e07f3
Opcode Fuzzy Hash: 24eb4c3dc43089dc4f56442d86e355850d534f9a28a0f503a3366d98fb08e218
Instruction Fuzzy Hash: E2C14376940205AFEB20CFA8CC85FDA7BE8EB09755F148529FE04FB781E670D94487A0

Function 6C4EAF0A Relevance: 18.3, APIs: 12, Instructions: 293COMMONLIBRARYCODE

Download Yara Rule

APIs

__FDunscale.LIBCPMT ref: 6C4EAF2F
_fdtest.MSVCR120(?,?,00000001,?,?,6C4EB3BE,?,?,?,?,00000004,?,00000002,?,?,6C4EB606), ref: 6C4EAF49
__fperrraise.LIBCMT ref: 6C4EAF78

Part of subcall function 6C4DFFA8: fesetexceptflag.MSVCR120(00000004,0000001F,?,?,?,?,6C4EF227,00000004), ref: 6C4DFFFD
Part of subcall function 6C4DFFA8: _errno.MSVCR120(?,?,?,6C4EF227,00000004), ref: 6C4E0009

__FDunscale.LIBCPMT ref: 6C4EAFD0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Dunscale$__fperrraise_errno_fdtestfesetexceptflag
String ID:
API String ID: 3384718034-0
Opcode ID: 57c0e3928e7f8e31432e269706c8c16d2588d79a3ab21d06faa86a6af385274c
Instruction ID: 35fd6730345181dceaf84bc5f458400bd282fd5e3d0e361ada5b8f6532c62618
Opcode Fuzzy Hash: 57c0e3928e7f8e31432e269706c8c16d2588d79a3ab21d06faa86a6af385274c
Instruction Fuzzy Hash: C591F67160520AEBDB00EF50C984EFEBBB4FF49392F52458DE5E166580E7309665CB48

Function 6C4EA762 Relevance: 18.3, APIs: 12, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

__Dunscale.LIBCPMT ref: 6C4EA787
_dtest.MSVCR120(?,?,00000001,?,?,?,?,6C4EAB9A,?,?,?,00000004,?,00000002), ref: 6C4EA7A1
__fperrraise.LIBCMT ref: 6C4EA7D0

Part of subcall function 6C4DFFA8: fesetexceptflag.MSVCR120(00000004,0000001F,?,?,?,?,6C4EF227,00000004), ref: 6C4DFFFD
Part of subcall function 6C4DFFA8: _errno.MSVCR120(?,?,?,6C4EF227,00000004), ref: 6C4E0009

__Dunscale.LIBCPMT ref: 6C4EA828

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Dunscale$__fperrraise_dtest_errnofesetexceptflag
String ID:
API String ID: 3316142991-0
Opcode ID: bee99e43d7c0c33c61904453f9215ffcb7e84407e3036934e1b220c4ed6ee042
Instruction ID: b72eb0fc7aa569d11969d3b2dc4cc3ffa89b3224cd3dece92f3d29fda8430e77
Opcode Fuzzy Hash: bee99e43d7c0c33c61904453f9215ffcb7e84407e3036934e1b220c4ed6ee042
Instruction Fuzzy Hash: 79915575500A0AE6CF00EF50D980EFE7FB8FF49352F62859DEAD196580EB30856B8780

Function 6C4379B3 Relevance: 18.3, APIs: 12, Instructions: 255stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strncnt.LIBCMT(?,00000000,00000000,7FFFFFFF,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?,00000000), ref: 6C4379EB
strncnt.LIBCMT(?,014281C0,00000000,7FFFFFFF,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?,00000000), ref: 6C437A04
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?), ref: 6C437A38
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?), ref: 6C437AA2
MultiByteToWideChar.KERNEL32(?,00000009,?,014281C0,00000000,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?), ref: 6C437ABB
MultiByteToWideChar.KERNEL32(?,00000001,?,014281C0,00000000,00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?), ref: 6C437B2C
__crtCompareStringEx.MSVCR120(?,?,00000000,014281C0,00000000,?,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?), ref: 6C437B46
_freea_s.MSVCR120(00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?,00000000,?,014281C0,00000000,014281C0), ref: 6C437B52
_freea_s.MSVCR120(00000000,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?,00000000,?,014281C0,00000000,014281C0), ref: 6C437B59
malloc.MSVCR120(014281C0,?,6C437BC1,?,014281C0,?,00000000,?,?,?,?,00000000,?,014281C0,00000000,014281C0), ref: 6C47FB80

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide$_freea_sstrncnt$CompareString__crtmalloc
String ID:
API String ID: 934863277-0
Opcode ID: a5edcbc60c6e5d0dc0e34576ea57ba239424dc619716c246857e5dc2ddc9c730
Instruction ID: f16a63fc41507f38f83890560b712596988640572aa97376445b336254505003
Opcode Fuzzy Hash: a5edcbc60c6e5d0dc0e34576ea57ba239424dc619716c246857e5dc2ddc9c730
Instruction Fuzzy Hash: 1981C531E06169DBEF20CF69C991EEE7BF5DF8D329B240119EC58E7B40D72598058BA0

Function 6C4ABCA6 Relevance: 18.3, APIs: 12, Instructions: 253stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4ABCDF
_invalid_parameter_noinfo.MSVCR120 ref: 6C4ABCE9
strncat_s.MSVCR120(?,?,?,?,?), ref: 6C4ABD12
_errno.MSVCR120(?), ref: 6C4ABD39
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABD62
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABDFE
_errno.MSVCR120(?), ref: 6C4ABE2F
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABE58
_errno.MSVCR120(?), ref: 6C4ABE85
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4ABE8F
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABEAF
_errno.MSVCR120(?), ref: 6C4ABED8

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_ismbblead_l$_invalid_parameter_noinfo$strncat_s
String ID:
API String ID: 1948258708-0
Opcode ID: e51706c755dd3bcdc8b3bcb7b75625f862735d44e085a963a7ae6cbf63f62664
Instruction ID: 792eeffa0f5748cb19cd378070c6bfb592e940f28b27215bf7dcad28fd6e6e66
Opcode Fuzzy Hash: e51706c755dd3bcdc8b3bcb7b75625f862735d44e085a963a7ae6cbf63f62664
Instruction Fuzzy Hash: E081E731A0925E9FCB01CFE9C890EAE77B1BF66359B24415DE9509BB48DB31C843C791

Function 6C453B20 Relevance: 18.1, APIs: 12, Instructions: 102COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 6C453B52
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6C453B6C
towupper.MSVCR120(0000003D), ref: 6C453B9C
SetEnvironmentVariableW.KERNEL32(?,?), ref: 6C453BB8
GetLastError.KERNEL32 ref: 6C453BEC
__doserrno.MSVCR120 ref: 6C474759
_errno.MSVCR120 ref: 6C474761
_invalid_parameter_noinfo.MSVCR120 ref: 6C47476C
_calloc_crt.MSVCR120(00000001,00000002), ref: 6C47477C
GetCurrentDirectoryW.KERNEL32(00000001,00000000), ref: 6C4747A4
__dosmaperr.LIBCMT(00000000), ref: 6C4747B2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentDirectory$EnvironmentErrorLastVariable__doserrno__dosmaperr_calloc_crt_errno_invalid_parameter_noinfotowupper
String ID:
API String ID: 3078873410-0
Opcode ID: 88550aee7505f1187cf51554de2607814aae45e79b42a3e416eb1a691e2012a8
Instruction ID: 59fd2c1541388c7d53a978d44572260d2bd3b8a4827805d00c627d6680a87e38
Opcode Fuzzy Hash: 88550aee7505f1187cf51554de2607814aae45e79b42a3e416eb1a691e2012a8
Instruction Fuzzy Hash: DA315935E05218AADB10CFB8CC48FEEB7B8AF05315F60455AE424DB680EB34D954CBE4

Function 6C431A8D Relevance: 18.1, APIs: 12, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(0000000D,?,?,?,?,?,?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28), ref: 6C431AF9

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

_lock.MSVCR120(0000000C,?,?,?,?,?,?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28), ref: 6C431B25
free.MSVCR120(?,?,?,?,?,?,?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28), ref: 6C431B66
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44BE5A
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473C5E
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473C6C
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473C7A
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473C88
free.MSVCR120(00000000,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473C96
free.MSVCR120(?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C473CA4
free.MSVCR120(6C431900,?,?,?,?,?,?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28), ref: 6C473CB2
free.MSVCR120(?,?,?,?,?,?,?,6C431B78,00000008,6C431BDC,?,?,?,6C431BEE,00000000,6C431A28), ref: 6C473CCA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$_lock$CriticalEnterSection
String ID:
API String ID: 4014792109-0
Opcode ID: 3ae36f5c24eb947f79fa5ec883995997333a299af4949388f6b06a0f2b1c3d02
Instruction ID: 58c75cc7a7676daec9cf8cfdc25842dec750cd2d533f90ae9fbd8d0d858fb82e
Opcode Fuzzy Hash: 3ae36f5c24eb947f79fa5ec883995997333a299af4949388f6b06a0f2b1c3d02
Instruction Fuzzy Hash: 7631E132442710CFDB20DB678942F8977B06F8576BF242A1DD85916EA0DB39D089CAD4

Function 6C49DBCF Relevance: 18.1, APIs: 12, Instructions: 98fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(00000000,?), ref: 6C49DBF1
_invalid_parameter_noinfo.MSVCR120(00000000,?), ref: 6C49DBFC

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

FindNextFileW.KERNEL32(?,?,00000000,?), ref: 6C49DC1F
GetLastError.KERNEL32 ref: 6C49DC29
_errno.MSVCR120 ref: 6C49DC45
_errno.MSVCR120 ref: 6C49DC52
_errno.MSVCR120 ref: 6C49DC5F
___time64_t_from_ft.LIBCMT ref: 6C49DC84

Part of subcall function 6C49D51D: FileTimeToSystemTime.KERNEL32(6C49DB61,?,?,?,?,?,?,?,?,6C49DB61,?), ref: 6C49D540
Part of subcall function 6C49D51D: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C49DB61,?), ref: 6C49D554

___time64_t_from_ft.LIBCMT ref: 6C49DC96
___time64_t_from_ft.LIBCMT ref: 6C49DCA8
wcscpy_s.MSVCR120(?,00000104,?,?,?,?), ref: 6C49DCDC
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C49DCF1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time_errno$___time64_t_from_ft$FileSystem$ErrorFindLastLocalNextSpecific_invalid_parameter_invalid_parameter_noinfo_invoke_watsonwcscpy_s
String ID:
API String ID: 2524732462-0
Opcode ID: 55593f427ea14650a8808fce34a504664f0342378370d2794f797b655c3b686b
Instruction ID: 725cb011b64175aa24e38487e42661eae95344c670b989c4dec7db4f08650169
Opcode Fuzzy Hash: 55593f427ea14650a8808fce34a504664f0342378370d2794f797b655c3b686b
Instruction Fuzzy Hash: DF318475A016248BDB20DFA5CC44EEEBBF4AF89319F00065ED459C7B50D774D5888F91

Function 6C49DE1E Relevance: 18.1, APIs: 12, Instructions: 90fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?), ref: 6C49DE3D
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C49DE48

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

FindNextFileW.KERNEL32(?,?,?), ref: 6C49DE6B
GetLastError.KERNEL32 ref: 6C49DE75
_errno.MSVCR120 ref: 6C49DE91
_errno.MSVCR120 ref: 6C49DE9E
_errno.MSVCR120 ref: 6C49DEAB
___time64_t_from_ft.LIBCMT ref: 6C49DED0

Part of subcall function 6C49D51D: FileTimeToSystemTime.KERNEL32(6C49DB61,?,?,?,?,?,?,?,?,6C49DB61,?), ref: 6C49D540
Part of subcall function 6C49D51D: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C49DB61,?), ref: 6C49D554

___time64_t_from_ft.LIBCMT ref: 6C49DEE2
___time64_t_from_ft.LIBCMT ref: 6C49DEF4
wcscpy_s.MSVCR120(?,00000104,?,?,?,?), ref: 6C49DF18
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C49DF2F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time_errno$___time64_t_from_ft$FileSystem$ErrorFindLastLocalNextSpecific_invalid_parameter_invalid_parameter_noinfo_invoke_watsonwcscpy_s
String ID:
API String ID: 2524732462-0
Opcode ID: d17dcbe8236d79ca545bc21f8d5878427f2fb20ee958a9c09c422b0ae5262592
Instruction ID: d623181727e991f84907c6eb09e10821c22a67e7d260ad39b3400c504c395fad
Opcode Fuzzy Hash: d17dcbe8236d79ca545bc21f8d5878427f2fb20ee958a9c09c422b0ae5262592
Instruction Fuzzy Hash: B7317F75901A288BCB20DFB4CC44EEABBF8AF49719F100A5AE469C7B50D734D9488F91

Function 6C49D98D Relevance: 18.1, APIs: 12, Instructions: 87fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?), ref: 6C49D9AC
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C49D9B7

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

FindNextFileW.KERNEL32(?,?,?), ref: 6C49D9DA
GetLastError.KERNEL32 ref: 6C49D9E4
_errno.MSVCR120 ref: 6C49DA00
_errno.MSVCR120 ref: 6C49DA0D
_errno.MSVCR120 ref: 6C49DA1A
___time64_t_from_ft.LIBCMT ref: 6C49DA3F

Part of subcall function 6C49D1A9: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,6C49D935,?), ref: 6C49D1CC
Part of subcall function 6C49D1A9: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,6C49D935,?), ref: 6C49D1E0
Part of subcall function 6C49D1A9: ___loctotime32_t.LIBCMT ref: 6C49D20A

___time64_t_from_ft.LIBCMT ref: 6C49DA4E
___time64_t_from_ft.LIBCMT ref: 6C49DA5D
wcscpy_s.MSVCR120(?,00000104,?,?,?,?), ref: 6C49DA7E
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C49DA95

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time_errno$___time64_t_from_ft$FileSystem$ErrorFindLastLocalNextSpecific___loctotime32_t_invalid_parameter_invalid_parameter_noinfo_invoke_watsonwcscpy_s
String ID:
API String ID: 2841192990-0
Opcode ID: 71e8eabea5edc29406914584c6feb8c8133f61c9ce00537bd3f5c35881d6b9ff
Instruction ID: a6d7149bc72fada168cbbee8ed9dae3990e426680264a4dce643a3ef258288c7
Opcode Fuzzy Hash: 71e8eabea5edc29406914584c6feb8c8133f61c9ce00537bd3f5c35881d6b9ff
Instruction Fuzzy Hash: 5421A5729016288BDB10EFB4CC44EDEBBF8AF45715F00065ED415C7B40D734D5848B95

Function 6C453FF7 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C453FFF
free.MSVCR120(00000000,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C454018

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

free.MSVCR120(00000000,?,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C45402B
free.MSVCR120(014281C0,?,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C454049
free.MSVCR120(014281C0,?,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C45405B
free.MSVCR120(014281C0,?,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C45406C
free.MSVCR120(014281C0,?,?,6C4542D0,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C454077
free.MSVCR120(00000000), ref: 6C45409B
EncodePointer.KERNEL32(014281C0), ref: 6C4540A2
free.MSVCR120(01427F98), ref: 6C4540E3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeFreeHeap
String ID:
API String ID: 2148159843-0
Opcode ID: fdc511fd6fe7cd0120cbe282fe67075bb0b32bd5dceac0593bd565dda89a3fcd
Instruction ID: 5bb781a87f2cdd8e11f4bb3d1186557184799ad3e514aa514bff7579a10c0ca3
Opcode Fuzzy Hash: fdc511fd6fe7cd0120cbe282fe67075bb0b32bd5dceac0593bd565dda89a3fcd
Instruction Fuzzy Hash: C3219931B021109BEF10EF65E882D8D33B0B782BBA765152DEC109BB50CB395876CAD8

Function 6C435F93 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C436067
_get_dstbias.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C436079
_get_timezone.MSVCR120(?,00000190,00000190,00000000,?,?), ref: 6C43608B
_errno.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,6C474437,000007BC,00000001,00000001,00000000), ref: 6C436195
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000190,00000190,00000000,?,?), ref: 6C4769D6
_errno.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000190,00000190,00000000,?,?), ref: 6C4769DC
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000190,00000190,00000000,?,?), ref: 6C4769E6

Part of subcall function 6C435BB2: _lock.MSVCR120(00000006,6C435BF0,0000000C,6C436173,?,00000000,?,0000003C,00000000,00000000,?,0000003C,00000000,-FFFFF984,?,00000018), ref: 6C435BC4

Strings

d, xrefs: 6C43601B
;, xrefs: 6C435FF5
;, xrefs: 6C435FEB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_get_daylight_get_dstbias_get_timezone_invalid_parameter_noinfo_invoke_watson_lock
String ID: ;$;$d
API String ID: 106357551-2894727285
Opcode ID: 0dd814382d30af7b418e0c1845617d49f914be8fda77b9ebc8a25f5f3117137c
Instruction ID: f56cba0bd47d39cb23c5a7ece17a37509058acb441de5349471b95ca79495030
Opcode Fuzzy Hash: 0dd814382d30af7b418e0c1845617d49f914be8fda77b9ebc8a25f5f3117137c
Instruction Fuzzy Hash: 8071A4B1E016299BDB14CE7EC881FDD77F6BB8C364F185229E818E7784E73599048B90

Function 6C442FC3 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.MSVCR120(00000001,00000001,00000010,FFFFFEFF,?,00000000), ref: 6C47D947
DName::operator=.LIBCMT ref: 6C47D95D
DName::operator=.LIBCMT ref: 6C47D96C
DName::DName.LIBCMT ref: 6C47D97F
DName::operator+.LIBCMT ref: 6C47D986

Strings

generic-type-, xrefs: 6C443020, 6C443027
template-parameter-, xrefs: 6C443004, 6C44300B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Name::operator=$NameName::Name::operator+atol
String ID: generic-type-$template-parameter-
API String ID: 1861674852-13229604
Opcode ID: 5635a455203800f4f36a4147fb7234a8e599402a4745e5c9524b1a2ec76b3bb3
Instruction ID: 9da14af0633db87acfda50d1e59b3baeb4af7c08e8fe595beb5941348da0aeb1
Opcode Fuzzy Hash: 5635a455203800f4f36a4147fb7234a8e599402a4745e5c9524b1a2ec76b3bb3
Instruction Fuzzy Hash: 57616EB1E012499FEB14DFA4D845EEDB7B8EF19705F20802EE411E7740EB349A09CBA4

Function 6C44C35B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(0]Gl,00000000,00000000,?,6C475D30,00000000,?), ref: 6C44C364
_write.MSVCR120(00000000,?,00000000,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C44C3D1
_errno.MSVCR120(00000000,00000000,?,6C475D30,00000000,?), ref: 6C44C4E0
__p__iob.MSVCR120(00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C4513B7
__p__iob.MSVCR120(00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C4513C7
_errno.MSVCR120(00000000,00000000,?,6C475D30,00000000,?), ref: 6C4751F6
__lseeki64.LIBCMT(00000000,00000000,00000000,00000002,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C475236
_write.MSVCR120(00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C475257

Strings

0]Gl, xrefs: 6C44C35F, 6C44C3E3, 6C44C363, 6C4513D7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob_errno_write$__lseeki64_fileno
String ID: 0]Gl
API String ID: 1504050362-1312255727
Opcode ID: 6131d3a661af35c71e34af2950cb9c6c62edb21fc32d9c6d998e36c77466ac6e
Instruction ID: c60d8b315a5ff995990cf86fb08ea2310fdb73d48d5e3d5f4996f1355b9e8c30
Opcode Fuzzy Hash: 6131d3a661af35c71e34af2950cb9c6c62edb21fc32d9c6d998e36c77466ac6e
Instruction Fuzzy Hash: EE4139715057009FE320DE69C840EA677E5EF46374B28C61DE4B98AFD0D734D445CB61

Function 6C444F0C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 6C4479E7
std::exception::exception.LIBCMT(pxHl), ref: 6C47291E
_CxxThrowException.MSVCR120(?,Function_000DCEE8,pxHl), ref: 6C472933

Part of subcall function 6C444EB3: __EH_prolog3.LIBCMT ref: 6C444EBA
Part of subcall function 6C444EB3: ??2@YAPAXI@Z.MSVCR120(000000D0), ref: 6C444ED9
Part of subcall function 6C444EB3: free.MSVCR120(00000000), ref: 6C444EFC

Strings

pScheduler, xrefs: 6C472910
pxHl, xrefs: 6C472917, 6C47291A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@CriticalExceptionH_prolog3LeaveSectionThrowfreestd::exception::exception
String ID: pScheduler$pxHl
API String ID: 2663953338-891355443
Opcode ID: a8761d9dfd384512f950b10f121d988b67fcdc238eb8d0d83b046179755f86e3
Instruction ID: 0319694cd128c2b7c13871158d631881777fa9844905c3d0e1049a4e11dde34d
Opcode Fuzzy Hash: a8761d9dfd384512f950b10f121d988b67fcdc238eb8d0d83b046179755f86e3
Instruction Fuzzy Hash: E9418DB0604206EFDB24CF65C485EA9BBB4FF05344F24812AE8599BB51DB30E955CFD4

Function 6C450B56 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6C450B91
operator+.LIBCMT ref: 6C47CB03

Strings

void , xrefs: 6C450B89
cli::array<, xrefs: 6C47CACD
void, xrefs: 6C47CA9E
cli::pin_ptr<, xrefs: 6C47CAF4

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: operator+
String ID: cli::array<$cli::pin_ptr<$void$void
API String ID: 3839230940-456688812
Opcode ID: 160f0ab23c20c512094decfa35e52be6e44afa0aeee024a411f9020a658c7c1b
Instruction ID: 3225e65aed8cc59b4d39afdfba71457cd224e789a1be68a29b6905a31ed7e568
Opcode Fuzzy Hash: 160f0ab23c20c512094decfa35e52be6e44afa0aeee024a411f9020a658c7c1b
Instruction Fuzzy Hash: 4F218D35A04249AFDF10DF94C881EEE3FB9EF05359F50845AFD18A7A41D730A954CBA0

Function 6C446951 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C446958
??2@YAPAXI@Z.MSVCR120(00000028,0000002C,6C4469D2,?,00000000,?,?,?,6C443D6E,6C4348CA,00000000,0000000C,6C443E4B,?,00000000,?), ref: 6C446961

Part of subcall function 6C42EE11: malloc.MSVCR120(?), ref: 6C42EE1A

memcpy.MSVCR120(00000000,6C500674,00000028,0000002C,6C4469D2,?,00000000,?,?,?,6C443D6E,6C4348CA,00000000,0000000C,6C443E4B,?), ref: 6C44697B
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001), ref: 6C446990
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000001), ref: 6C44699B
std::exception::exception.LIBCMT(?), ref: 6C47336F
_CxxThrowException.MSVCR120(6C4876B4,6C4FD0A4), ref: 6C473384
std::exception::exception.LIBCMT(?,6C4876B4,6C4FD0A4), ref: 6C4733A1

Strings

tvHl, xrefs: 6C47337B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
String ID: tvHl
API String ID: 1089537546-3921744971
Opcode ID: 27142a6442f1dbbceb5bbd7b8067bbbf015312ce21d889befa71f7b632990099
Instruction ID: 4880ea792b092c04fc36e434dbbc01bf8e693454e26f82255e1613cd2d8975c6
Opcode Fuzzy Hash: 27142a6442f1dbbceb5bbd7b8067bbbf015312ce21d889befa71f7b632990099
Instruction Fuzzy Hash: F921BF719012149BDF10DFA8C881FDCBBB4AF45359F20866DE524ABB80DB30954ACBF2

Function 6C437888 Relevance: 16.8, APIs: 11, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

memset.MSVCR120(?,000000FF,00000024), ref: 6C4378AF
_get_daylight.MSVCR120(?), ref: 6C4378EA
_get_dstbias.MSVCR120(?), ref: 6C4378FC
_get_timezone.MSVCR120(?), ref: 6C43790E
_gmtime64_s.MSVCR120(?,?), ref: 6C437942
_gmtime64_s.MSVCR120(?,?), ref: 6C43796C
_gmtime64_s.MSVCR120(?,?), ref: 6C437989

Part of subcall function 6C4376C5: memset.MSVCR120(?,000000FF,00000024), ref: 6C4376E3

_errno.MSVCR120 ref: 6C476A84
_invalid_parameter_noinfo.MSVCR120 ref: 6C476A8E
_errno.MSVCR120 ref: 6C476A9A
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C476C07

Part of subcall function 6C4C469B: IsProcessorFeaturePresent.KERNEL32(00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000,00000000,00000000,00000000,6C49B412), ref: 6C4C469D
Part of subcall function 6C4C469B: __crtTerminateProcess.MSVCR120(C0000417,00000002,C0000417,00000001,?,00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000), ref: 6C4C46BC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _gmtime64_s$_errnomemset$FeaturePresentProcessProcessorTerminate__crt_get_daylight_get_dstbias_get_timezone_invalid_parameter_noinfo_invoke_watson
String ID:
API String ID: 2714158224-0
Opcode ID: 3ec8e3e4a560eb1711b817554574e81bdaf72ebdba6a9da9e7fbee5e7d11d69b
Instruction ID: 2702b63a69bd400fa50fe4e758c82190468d81d04a277f32f36aeb8312e67f6e
Opcode Fuzzy Hash: 3ec8e3e4a560eb1711b817554574e81bdaf72ebdba6a9da9e7fbee5e7d11d69b
Instruction Fuzzy Hash: 8681F671A04726EBE714CE7ECC40FD9B7A9AF45368F14422AE858D6B80E770D9048BE0

Function 6C4AC2D8 Relevance: 16.7, APIs: 11, Instructions: 227stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4AC311
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AC31B
strncat_s.MSVCR120(?,?,?,?,?), ref: 6C4AC344
_errno.MSVCR120(?), ref: 6C4AC36B
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AC394
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AC3FA
_errno.MSVCR120(?), ref: 6C4AC479
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AC4A2
_errno.MSVCR120(?), ref: 6C4AC4CF
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4AC4D9
_errno.MSVCR120(?), ref: 6C4AC4E6

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_ismbblead_l$_invalid_parameter_noinfo$strncat_s
String ID:
API String ID: 1948258708-0
Opcode ID: 4a93b4245a008af915d8153ed93840cd5733da35edd02bff04b0f78a44aa04a2
Instruction ID: 346ee13e3ae77a543eb56e3b3d280dc75a006c340a7ad63c33a50d22466ad477
Opcode Fuzzy Hash: 4a93b4245a008af915d8153ed93840cd5733da35edd02bff04b0f78a44aa04a2
Instruction Fuzzy Hash: 2881063190924A9FCF41DFE8C480EAE7BB1BF65319F24415AD4649BB88D732C947CB91

Function 6C492305 Relevance: 16.6, APIs: 11, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C49230C
free.MSVCR120(000000FF,?,00000024,000000FF,6C488C43,00000008,6C4900EC), ref: 6C49234D

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

free.MSVCR120(000000FF,?,00000028,000000FF,6C48F81C,00000008,6C4900EC), ref: 6C49237C
free.MSVCR120(?,00000008,6C4900EC), ref: 6C492385
VirtualFree.KERNEL32(?,00000000,00008000,00000008,6C4900EC), ref: 6C49239D
CloseHandle.KERNEL32(?,00000008,6C4900EC), ref: 6C4923AC
free.MSVCR120(?), ref: 6C4923B1
CloseHandle.KERNEL32(00000000), ref: 6C4923C0
free.MSVCR120(?), ref: 6C4923C5
free.MSVCR120(?,?), ref: 6C4923CD
DeleteCriticalSection.KERNEL32(?), ref: 6C4923E4

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$CloseFreeHandle$CriticalDeleteH_prolog3HeapSectionVirtual
String ID:
API String ID: 3338787333-0
Opcode ID: 1c46b2bc62e60ef5d9cca70ac1315239736bd2297e920a75780c6ebcda7df7fb
Instruction ID: 911c6feda56698b84fa3ac2a095edb30d50a50ef4a40558678de00cdceb91596
Opcode Fuzzy Hash: 1c46b2bc62e60ef5d9cca70ac1315239736bd2297e920a75780c6ebcda7df7fb
Instruction Fuzzy Hash: 7E21A130601612ABDB18DF76DC8AF8DBBB0BF04319F10441DE604A7A90CB35B558CBD4

Function 6C4500A6 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 209COMMONLIBRARYCODE

Download Yara Rule

Strings

void, xrefs: 6C4504BB
..., xrefs: 6C47D12F
`template-parameter, xrefs: 6C47D0B1, 6C47D0F4

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: ...$`template-parameter$void
API String ID: 0-2152273162
Opcode ID: 7a12955e3e5852fcd650b0240bd0ff4a540774e0072d2b469e5a8fe7c164d8c8
Instruction ID: 4b0974271f66f8734992d841a1237647ad6e15b83ec929f4089244d6e255b089
Opcode Fuzzy Hash: 7a12955e3e5852fcd650b0240bd0ff4a540774e0072d2b469e5a8fe7c164d8c8
Instruction Fuzzy Hash: 8B71BE74A05289DFDF14CFA8C894EEDB7B5BB4A309FA4402ED442E7B41DB319806CB65

Function 6C43BDFC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 155stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

strcpy_s.MSVCR120(00000000,00000000,e+000,?), ref: 6C43BE93
_errno.MSVCR120(?,?,00000000,00000000,0000002D,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000002), ref: 6C480F33
_errno.MSVCR120(?,?,00000000,00000000), ref: 6C480F43
_invalid_parameter_noinfo.MSVCR120(?,?,00000000,00000000,0000002D,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000002), ref: 6C480F4D
memmove.MSVCR120(00000002,00000003,00000003,?,00000000,00000000), ref: 6C480F9F

Strings

e+000, xrefs: 6C43BE8C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_getptd_invalid_parameter_noinfomemmovestrcpy_s
String ID: e+000
API String ID: 586226928-1027065040
Opcode ID: 39c94d99c056ac5289a50e5185c6661bd329649227a0238b71635bde514f72cd
Instruction ID: 4a95a842a766170535d00947afea62b768ee4c48b324cb66e22e6498520785a1
Opcode Fuzzy Hash: 39c94d99c056ac5289a50e5185c6661bd329649227a0238b71635bde514f72cd
Instruction Fuzzy Hash: EF41693071A7A58FD701CE2E8C41F9A3BA59FCA318F08E15DE9588BB81D374C806CB91

Function 6C43619F Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsrchr.MSVCR120(6C435ECA,0000002E,00000000,?,?,6C435ECA,00000400,?), ref: 6C4361FA
_wcsicmp.MSVCR120(00000000,.exe,00000000,?,?,6C435ECA,00000400,?), ref: 6C43620D
_wcsicmp.MSVCR120(00000000,.cmd,00000000,?,?,6C435ECA,00000400,?), ref: 6C43621E
_wcsicmp.MSVCR120(00000000,.bat,00000000,?,?,6C435ECA,00000400,?), ref: 6C43622F
_wcsicmp.MSVCR120(00000000,.com,00000000,?,?,6C435ECA,00000400,?), ref: 6C436240

Strings

.exe, xrefs: 6C436207
.bat, xrefs: 6C436229
.cmd, xrefs: 6C436218
.com, xrefs: 6C43623A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _wcsicmp$wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 2496260227-4019086052
Opcode ID: ecb54e562c1713f2062b3115810cedca14e6b128e026ac2852194255e75b76a8
Instruction ID: 913294dd1fa94e5761c611d3c7c4b29f6d1db05b0e1d80cd7bb2ed9a71e14d25
Opcode Fuzzy Hash: ecb54e562c1713f2062b3115810cedca14e6b128e026ac2852194255e75b76a8
Instruction Fuzzy Hash: 6611382350563310BB04E1179842EE6B3B4FFCE7AAB26652EE81CE6EC2EF58D44541D8

Function 6C44029C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C44035C
__doserrno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C47E7D9
_errno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C47E7E0
__doserrno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C47E7ED

Part of subcall function 6C434206: EnterCriticalSection.KERNEL32(-0000000C,6C434260,00000008,6C4402F5,00000000,6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30), ref: 6C43424C

_errno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000), ref: 6C47E7F7
__doserrno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000), ref: 6C47E802

Part of subcall function 6C440189: _isatty.MSVCR120(?,00000000,00000000,00000000), ref: 6C440222
Part of subcall function 6C440189: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6C440263

Part of subcall function 6C440354: __unlock_fhandle.LIBCMT ref: 6C440355

_errno.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C47E81F
_invalid_parameter_noinfo.MSVCR120(6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C47E82A

Strings

0]Gl, xrefs: 6C44030F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __doserrno$_errno$CriticalEnterFileSectionWrite__unlock_fhandle_invalid_parameter_noinfo_isatty
String ID: 0]Gl
API String ID: 2104561730-1312255727
Opcode ID: e94d50c3a0e6e22ad746593fed6cc56c48210f4cbe2ca6da2bf0fa18f03dd0fe
Instruction ID: 0b2575117b945ef9d6712d46196bb1df41ca0a4963bdb7aa61a29d7f90dd6c6c
Opcode Fuzzy Hash: e94d50c3a0e6e22ad746593fed6cc56c48210f4cbe2ca6da2bf0fa18f03dd0fe
Instruction Fuzzy Hash: 3921D2318026609FE711DF6888C0FEC3AA1AF96329F294258C4741FBF0CB7889158BE1

Function 6C44FA4C Relevance: 15.3, APIs: 10, Instructions: 265COMMON

Download Yara Rule

APIs

_fileno.MSVCR120(?,?,?,?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C44FA78
_lseek.MSVCR120(00000000,00000000,00000001,?,?,?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30), ref: 6C44FA95
_lseek.MSVCR120(?,00000000,00000002), ref: 6C451B0C
_errno.MSVCR120(?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C475699
_invalid_parameter_noinfo.MSVCR120(?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C4756A4
_errno.MSVCR120 ref: 6C4757D9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_lseek$_fileno_invalid_parameter_noinfo
String ID:
API String ID: 904722208-0
Opcode ID: 13a5965a359da1e9cfc16f4be1da9d9b2731085d4c177e67fca662193187dbf6
Instruction ID: 639434e786d21d8d57a2c63fb8b0efb37a5e0ca29f559949ac893d960cc80b73
Opcode Fuzzy Hash: 13a5965a359da1e9cfc16f4be1da9d9b2731085d4c177e67fca662193187dbf6
Instruction Fuzzy Hash: 64B1CF35E052949BFB21CF18C980ED8BBB1AB45319F2482D8D9989BB91D370DDD2CF90

Function 6C440D5C Relevance: 15.2, APIs: 10, Instructions: 208COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000003,00000000,00000004,?,?,?,6C440F30,00000000,00000000,00000000), ref: 6C440D9F
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,?,6C440F30,00000000,00000000,00000000,00000000,?,?), ref: 6C440E14
__crtLCMapStringEx.MSVCR120(?,?,00000000,?,00000000,00000000,?,?,?,6C440F30,00000000,00000000,00000000,00000000,?,?), ref: 6C440E31
__crtLCMapStringEx.MSVCR120(?,00000400,00000000,?,?,00000000,?,?), ref: 6C440EAD
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 6C440ED2
_freea_s.MSVCR120(?,?,?,?,?,?,?,?,?), ref: 6C440EDB
_freea_s.MSVCR120(00000000,?,?,?,6C440F30,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C440EE2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide$String__crt_freea_s
String ID:
API String ID: 2471089800-0
Opcode ID: 262f06042333ead08c31fd9d6261685e97dbc7782f5925b2c15226da3f67c0c0
Instruction ID: 8dacef521b0f001230c71c71c9dd1bffc80c6e69c64bb855996a9097404ed79b
Opcode Fuzzy Hash: 262f06042333ead08c31fd9d6261685e97dbc7782f5925b2c15226da3f67c0c0
Instruction Fuzzy Hash: 6151F171A0115AAFFF10CE68CC40EAE3BA9EB89356F308119FD0997A50D771DC6587A0

Function 6C4ABA07 Relevance: 15.2, APIs: 10, Instructions: 170stringCOMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4ABA27
_invalid_parameter_noinfo.MSVCR120 ref: 6C4ABA31
strcat_s.MSVCR120(?,?,00000000,?), ref: 6C4ABA59
_errno.MSVCR120(?), ref: 6C4ABA7E
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABAA3
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABAFE
_errno.MSVCR120(?), ref: 6C4ABB1F
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4ABB29
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABB44
_errno.MSVCR120(?), ref: 6C4ABB6D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_ismbblead_l$_invalid_parameter_noinfo$strcat_s
String ID:
API String ID: 2457174781-0
Opcode ID: c20dc1d872c4f7bd5e6ce91623f2600e713448f792287dd6e33e3832ab264743
Instruction ID: 7034605230769599182cfe7bb269bdb801023cb98191074eb329fb7e9b73acf0
Opcode Fuzzy Hash: c20dc1d872c4f7bd5e6ce91623f2600e713448f792287dd6e33e3832ab264743
Instruction Fuzzy Hash: C2510371A0934D9FCB02CEE98890FAD7BA0AF65359F24416DD8948BB89D7318983C750

Function 6C432E3F Relevance: 15.1, APIs: 10, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?,?,?,00000000,?,?), ref: 6C432E94

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 937099c454ab3a4415c61960927c9f38364e2c265464824234f682e4bc94fabf
Instruction ID: a657274bd42eca1fc4aef8263c7e85ab2f9846ad87ee9b894ba09bd016c7a4c1
Opcode Fuzzy Hash: 937099c454ab3a4415c61960927c9f38364e2c265464824234f682e4bc94fabf
Instruction Fuzzy Hash: D641A430A05226AFDB21CF2ACC49FEB7BB5AF4A725F201159E469D7691DB30D800C7B1

Function 6C434321 Relevance: 15.1, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,?,00000000,?,?), ref: 6C43437E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: b5f72bb291e3026a0a1ad61529145a1947947b62758cdbc55440ec1214054bb8
Instruction ID: 58ee32fa84c1e2c02986910d46c11eed14e844e807a477851871414fe2a40110
Opcode Fuzzy Hash: b5f72bb291e3026a0a1ad61529145a1947947b62758cdbc55440ec1214054bb8
Instruction Fuzzy Hash: 3831F5317056259BDB22CF66C884FEA3F74DF85769F506519E8288BB90DB31C411CBB1

Function 6C49A19D Relevance: 15.1, APIs: 10, Instructions: 104COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000), ref: 6C49A1E1
GetLastError.KERNEL32 ref: 6C49A217

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: EncodeErrorLastPointer
String ID:
API String ID: 688273888-0
Opcode ID: c171c260f6f655a743c78d29dd8e59f0ba06ab69c5d876c0ae487f2d5f2c57ad
Instruction ID: 637ff092bef0a7ad4b4048d5bb0cad9a75e2ec8cd882a14cc6fb1429ddeeb255
Opcode Fuzzy Hash: c171c260f6f655a743c78d29dd8e59f0ba06ab69c5d876c0ae487f2d5f2c57ad
Instruction Fuzzy Hash: 13319870B402559FDB00CF69CC80E8A3FB5FF5A351B92022EE918D7791E7319901CBAA

Function 6C43E123 Relevance: 15.1, APIs: 10, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C43E155
_errno.MSVCR120 ref: 6C452614
_errno.MSVCR120 ref: 6C45261E
_errno.MSVCR120 ref: 6C45262D
_errno.MSVCR120 ref: 6C475DC9
_invalid_parameter_noinfo.MSVCR120 ref: 6C475DD4
_errno.MSVCR120 ref: 6C475DFE
_errno.MSVCR120 ref: 6C475E0C
_errno.MSVCR120 ref: 6C475E29
_invalid_parameter_noinfo.MSVCR120 ref: 6C475E3C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 94aa7fe983042cbebbf864a100ede3c7a1299a21a2da05dc4da03f771e0150ce
Instruction ID: 45299e60f58c2e5dd083dbfc401fee05697b54404ca5d2a4cc150ad3b606ee4d
Opcode Fuzzy Hash: 94aa7fe983042cbebbf864a100ede3c7a1299a21a2da05dc4da03f771e0150ce
Instruction Fuzzy Hash: 1A21B4319052259ACB31DFB6C844DEE32659F8A37DF15135AD9384BBE0DB308811CAF2

Function 6C4407AF Relevance: 15.1, APIs: 10, Instructions: 71COMMON

Download Yara Rule

APIs

__p__iob.MSVCR120(6C440850,00000010), ref: 6C4407D5

Part of subcall function 6C4342FC: _lock.MSVCR120(?,?,6C435810,00000000,01428870,6C4358A0,00000010,6C43639E,6C4363D0,00000008), ref: 6C43430F

__p__iob.MSVCR120(6C440850,00000010), ref: 6C4407EB

Part of subcall function 6C440477: _fileno.MSVCR120(?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C44047F
Part of subcall function 6C440477: _isatty.MSVCR120(00000000,?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440485
Part of subcall function 6C440477: __p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440491
Part of subcall function 6C440477: __p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C4404A1

__p__iob.MSVCR120(6C440850,00000010), ref: 6C44080D
_fputwc_nolock.MSVCR120(-00000020,-00000020,6C440850,00000010), ref: 6C440817
__p__iob.MSVCR120(6C440850,00000010), ref: 6C440823
__ftbuf.LIBCMT ref: 6C44082F
__p__iob.MSVCR120(6C440850,00000010), ref: 6C44086C
_fputwc_nolock.MSVCR120(0000000A,-00000020,6C440850,00000010), ref: 6C440877
_errno.MSVCR120(6C440850,00000010), ref: 6C4758B3
_invalid_parameter_noinfo.MSVCR120(6C440850,00000010), ref: 6C4758BE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob$_fputwc_nolock$__ftbuf_errno_fileno_invalid_parameter_noinfo_isatty_lock
String ID:
API String ID: 120561791-0
Opcode ID: 5df69e9d56517ced497fbefa0df52941116820ef2f333317ff2b3e22145dd53a
Instruction ID: 4c99b0a4f946e69f4bcc6029327216bc215c1f5928c42ee17a3bf79f2961de18
Opcode Fuzzy Hash: 5df69e9d56517ced497fbefa0df52941116820ef2f333317ff2b3e22145dd53a
Instruction Fuzzy Hash: 541108729442155EFB10DBF69C41FFD36E4DF683E8F24501DD4049ABC0DF29848546E9

Function 6C432273 Relevance: 15.1, APIs: 10, Instructions: 69memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010), ref: 6C4322AA
malloc.MSVCR120(00000001,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C), ref: 6C43F47B
free.MSVCR120(00000000,00000000,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010), ref: 6C47DBCB
_callnewh.MSVCR120(00000001,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C), ref: 6C47DBE7
_callnewh.MSVCR120(00000001,00000000,00000000,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010), ref: 6C47DBF8
_errno.MSVCR120(00000000,00000000,?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010), ref: 6C47DBFE
_errno.MSVCR120(?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C,?), ref: 6C47DC10
GetLastError.KERNEL32(?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C,?), ref: 6C47DC17
_errno.MSVCR120(?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C,?), ref: 6C47DC28
GetLastError.KERNEL32(?,6C43FF84,?,00000001,00000000,00000000,?,6C47F128,00000000,00000010,?,?,?,?,6C44BE8C,?), ref: 6C47DC2F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
String ID:
API String ID: 2627451454-0
Opcode ID: 7c45c81d5d194539040ac80e3c363ec4514f90d8edb5360dd94aa1a31c7608e4
Instruction ID: 2055ed46fdc09736af04a9bedca37e29fbf2ccca425b6dbbc416e617d507a66f
Opcode Fuzzy Hash: 7c45c81d5d194539040ac80e3c363ec4514f90d8edb5360dd94aa1a31c7608e4
Instruction Fuzzy Hash: 68110832516231ABDB309E79DC08EC93B94AB5D35AF205529E81996F50DB30C44586E8

Function 6C44AA6B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C44AA90
DName::DName.LIBCMT ref: 6C47C0CD

Strings

,<ellipsis>, xrefs: 6C47C0F0, 6C47C0F5
,..., xrefs: 6C47C0E9
void, xrefs: 6C44AA88
<ellipsis>, xrefs: 6C47C145, 6C47C14A
..., xrefs: 6C47C13E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1333004437-2211150622
Opcode ID: d567a7352d3a95250a35a2a7451bc78538580bb25f9daebbf9923ec784ab8273
Instruction ID: 6d8497c2b633438ee9bb36d6747f9fb7856cea5e9baf81703ce2c91a722d3bf4
Opcode Fuzzy Hash: d567a7352d3a95250a35a2a7451bc78538580bb25f9daebbf9923ec784ab8273
Instruction Fuzzy Hash: 332178747042468FDB14DF5CC8A2EEA7BB4EB4A345F10816EE959DBB02CB31D901CBA0

Function 6C446ABC Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 6C446B3D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 6C446B48
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx,?,?,?,?,?,6C446C5D), ref: 6C446B77
GetProcAddress.KERNEL32(00000000), ref: 6C446B7E

Strings

GetThreadGroupAffinity, xrefs: 6C446B3F
kernel32.dll, xrefs: 6C446B66
GetCurrentProcessorNumberEx, xrefs: 6C446B5D
]lDl, xrefs: 6C446B4A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$]lDl$kernel32.dll
API String ID: 667068680-3949792032
Opcode ID: 5d6bd463aabaef701a36f01a1ffc1d66e38fcb4596a8f33901c20bd797024280
Instruction ID: df16338669713f49d2af6ebed9e82313b4f8895c1d4023d4ac9dbf26a751b4fa
Opcode Fuzzy Hash: 5d6bd463aabaef701a36f01a1ffc1d66e38fcb4596a8f33901c20bd797024280
Instruction Fuzzy Hash: DF011B707127A59FEB34CF268855E9BBFF4EB85700B11C92ED586C7A00C73199058F86

Function 6C44C784 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.MSVCR120(?,00000000,?), ref: 6C44C7A0

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

std::exception::exception.LIBCMT(?,00000001,00000000), ref: 6C473A67
std::exception::exception.LIBCMT(?,00000000), ref: 6C473A88
_CxxThrowException.MSVCR120(6C48176C,6C4FCE18,?), ref: 6C473A9D
std::exception::exception.LIBCMT(?,00000001), ref: 6C473AB3
_CxxThrowException.MSVCR120(6C48176C,6C4FCE18,?), ref: 6C473AE9
free.MSVCR120(00000000), ref: 6C473AF0

Strings

_DebugMallocator<T>::allocate() - Integer overflow., xrefs: 6C473A7D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: std::exception::exception$ExceptionThrow$_malloc_crtfreemalloc
String ID: _DebugMallocator<T>::allocate() - Integer overflow.
API String ID: 2405410681-3293063709
Opcode ID: 10952856b63778c1624ee1dc2a7b67adfb0d601c93019fcfc7a4977db7d5ecf6
Instruction ID: 78ab81a749f7fab76b3682667ba5dcb9fc95fb4e19f96f53933922f8de7f0c35
Opcode Fuzzy Hash: 10952856b63778c1624ee1dc2a7b67adfb0d601c93019fcfc7a4977db7d5ecf6
Instruction Fuzzy Hash: D9113076C00209BADF10EEA5D882FCEBB6CEB10654F60C55AEC14A7E51DB35D658CAE0

Function 6C43D8E9 Relevance: 13.9, APIs: 9, Instructions: 443COMMON

Download Yara Rule

APIs

_isleadbyte_l.MSVCR120(?,?), ref: 6C43DCAD
free.MSVCR120(?), ref: 6C43DFCD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _isleadbyte_lfree
String ID:
API String ID: 3852065960-0
Opcode ID: b68446f5bec2002070ff0509b248d06ac17ad88f497537eea3216050d939ded4
Instruction ID: b8084d88087824f6ff6faa12d483f1020483e430c6c421e53747de04f166ba81
Opcode Fuzzy Hash: b68446f5bec2002070ff0509b248d06ac17ad88f497537eea3216050d939ded4
Instruction Fuzzy Hash: 4FF1A5F1A152398AEB20CB16CC40F99B7B4AFC9319F1451E9D61CA7B80D7349AC58F98

Function 6C435C0C Relevance: 13.7, APIs: 9, Instructions: 232stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.MSVCR120(?,-FFFFF894,00000006,?,6C435BD6,00000000,6C435BF0,0000000C,6C436173,?,00000000,?,0000003C,00000000,00000000), ref: 6C435C1A
__timezone.MSVCR120 ref: 6C448EE3
__daylight.MSVCR120 ref: 6C448EED
__dstbias.MSVCR120 ref: 6C448EF7
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,-FFFFF894,00000006,?,6C435BD6,00000000,6C435BF0,0000000C,6C436173,?,00000000), ref: 6C47668C
strcmp.MSVCR120(00000000,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766A5
free.MSVCR120(00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766BA
strlen.MSVCR120(00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766C1
_malloc_crt.MSVCR120(00000001,00000000,6C448F20,00000030,6C44915C,6C435B70,00000008,6C436063,00000190,00000190,00000000,?,?), ref: 6C4766C8

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __daylight__dstbias__timezone_get_daylight_invoke_watson_malloc_crtfreestrcmpstrlen
String ID:
API String ID: 1461246701-0
Opcode ID: 918826c5d499fded5eebe69faa3e924942dededcf443f02aca7f2946f05f64b5
Instruction ID: f300eb9ed675ee26e9de741f577062672391baf783c655f56923ebb77a3b76d6
Opcode Fuzzy Hash: 918826c5d499fded5eebe69faa3e924942dededcf443f02aca7f2946f05f64b5
Instruction Fuzzy Hash: 0161C2A1700110ADFB24DFA68C81FBA73BDE79A719F24400FF944D6980E7659C85C7B4

Function 6C432781 Relevance: 13.7, APIs: 9, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,?), ref: 6C43281E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 8c1abe4e0dd263558801ee5e8108dd918b2723062af554d0ce6f9c0172f3f9be
Instruction ID: a26a52dcfe8a70a8ea8a23237d2fb7333c1fc6f313477166cc51b00d96054b31
Opcode Fuzzy Hash: 8c1abe4e0dd263558801ee5e8108dd918b2723062af554d0ce6f9c0172f3f9be
Instruction Fuzzy Hash: 6671DA30E05226DBEB31CF9AC848EAEBB75FF89355B748219D82497651DF708941C7E0

Function 6C4ABEF8 Relevance: 13.7, APIs: 9, Instructions: 201stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(6C503B90,00000000,6C503B90,00000001,00000000,00000001,?,00000000,00000000,6C503B90,6C49C0DE), ref: 6C4ABF33
_invalid_parameter_noinfo.MSVCR120(6C503B90,00000000,6C503B90,00000001,00000000,00000001,?,00000000,00000000,6C503B90,6C49C0DE), ref: 6C4ABF3D
strncpy_s.MSVCR120(00000001,00000000,00000000,6C503B90,00000000,00000001,6C503B90,00000000,6C503B90), ref: 6C4ABF68
_ismbblead_l.MSVCR120(6C503B90,6C503B90,00000000,00000001,6C503B90,00000000,6C503B90), ref: 6C4ABFE3
_ismbblead_l.MSVCR120(6C503B90,6C503B90,00000000,00000001,6C503B90,00000000,6C503B90), ref: 6C4AC030
_errno.MSVCR120(00000000,00000001,6C503B90,00000000,6C503B90), ref: 6C4AC05D
_invalid_parameter_noinfo.MSVCR120(00000000,00000001,6C503B90,00000000,6C503B90), ref: 6C4AC067

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_ismbblead_l$_invalid_parameterstrncpy_s
String ID:
API String ID: 757364618-0
Opcode ID: bb82d18724ea39fc0e1c34276c982e71bb1e222f83e3dba92fb601abe63c7432
Instruction ID: 93e9bc3815143ae271c69c44318cd03d499510daea91aec5e17bf9d237759ed5
Opcode Fuzzy Hash: bb82d18724ea39fc0e1c34276c982e71bb1e222f83e3dba92fb601abe63c7432
Instruction Fuzzy Hash: 0351FB3160924A8FCB01DEE98450F9E77B1AF6A359F184159F860DBB89D732C443CBA1

Function 6C442837 Relevance: 13.7, APIs: 9, Instructions: 195COMMON

Download Yara Rule

APIs

free.MSVCR120(?,00006A69), ref: 6C441A4A
free.MSVCR120(?,?,00006A69), ref: 6C441A55
_calloc_crt.MSVCR120(00000001,00000050), ref: 6C442860
_malloc_crt.MSVCR120(00000004), ref: 6C442881

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

_malloc_crt.MSVCR120(00000004), ref: 6C4428A4
free.MSVCR120(?), ref: 6C4801B6
___free_lconv_num.LIBCMT ref: 6C4801C7
free.MSVCR120(?), ref: 6C4801D4
free.MSVCR120(?,?), ref: 6C4801DD

Part of subcall function 6C441BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,00000000), ref: 6C441C46
Part of subcall function 6C441BFC: _calloc_crt.MSVCR120(00000000,00000002,?,?,?,00000000), ref: 6C441C5B
Part of subcall function 6C441BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,?,00000000), ref: 6C441C77

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$InfoLocale__crt_calloc_crt_malloc_crt$___free_lconv_nummalloc
String ID:
API String ID: 2413701623-0
Opcode ID: a0084404670cd1cf43de4fbaddcde206b5a84c00329d1987cc5cfbfe38dbb3b4
Instruction ID: 6f4c31827f5aa885e99ea5804e5a483968fcc84de71f2dcef2b9adc1efdbf730
Opcode Fuzzy Hash: a0084404670cd1cf43de4fbaddcde206b5a84c00329d1987cc5cfbfe38dbb3b4
Instruction Fuzzy Hash: 1961E432A05205AFEB10CF68C841F9ABBF5FB45354F248169ED54EB781EB30D941CB90

Function 6C4AC506 Relevance: 13.7, APIs: 9, Instructions: 190stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4AC542
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AC54C
strncpy_s.MSVCR120(?,?,?,?,?), ref: 6C4AC576
_errno.MSVCR120(?), ref: 6C4AC5C8
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AC5F5
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AC626
_errno.MSVCR120(?), ref: 6C4AC6AF
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4AC6B9
_errno.MSVCR120(?), ref: 6C4AC6C4

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_ismbblead_l$strncpy_s
String ID:
API String ID: 3147246080-0
Opcode ID: 1c0fbf60ac6f5b5221559703d81f14d7736ad9bee9bda2808d980dc4d5500ba7
Instruction ID: 70176e35a5fc9f55f11a71b2423e4bb1e1a0a99c8f06b8cc7799dbe5754aa4d8
Opcode Fuzzy Hash: 1c0fbf60ac6f5b5221559703d81f14d7736ad9bee9bda2808d980dc4d5500ba7
Instruction Fuzzy Hash: 345157309052568FCB41EFACC550DAE7BB1EF66329B24425DE8605BB68D732C903CBA0

Function 6C43ED6E Relevance: 13.7, APIs: 9, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?), ref: 6C475B90
_fileno.MSVCR120(?), ref: 6C475B9C
_fileno.MSVCR120(?), ref: 6C475BA8
_fileno.MSVCR120(?,?), ref: 6C475BB3
_fileno.MSVCR120(?), ref: 6C475BDE
_fileno.MSVCR120(?), ref: 6C475BEA
_fileno.MSVCR120(?), ref: 6C475BF6
_fileno.MSVCR120(?,?), ref: 6C475C01

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fileno
String ID:
API String ID: 467780811-0
Opcode ID: 4039f27aa612163e123a3b141d12d239c89930063c2f5882c77a3a0420405de7
Instruction ID: d4eb5573552b0ad43b8f87052909e993c70291161e9e44e30ba5565853f5cf85
Opcode Fuzzy Hash: 4039f27aa612163e123a3b141d12d239c89930063c2f5882c77a3a0420405de7
Instruction Fuzzy Hash: 765106314062279FD711CB69C840FA9BBB0AF8A368B24935ED4389BBD1D734D856CBD1

Function 6C44FEA1 Relevance: 13.6, APIs: 9, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?,?,00000000,?,?,6C44FEEC,?,?), ref: 6C44FEAB
_errno.MSVCR120(?,00000000,?,?,6C44FEEC,?,?), ref: 6C44FEC8
__p__iob.MSVCR120(6C4FF520,?,00000000,?,?,6C44FEEC,?,?), ref: 6C451427
__p__iob.MSVCR120(6C4FF520,?,00000000,?,?,6C44FEEC,?,?), ref: 6C451437
_errno.MSVCR120(?,00000000,?,?,6C44FEEC,?,?), ref: 6C475272

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob_errno$_fileno
String ID:
API String ID: 2686820381-0
Opcode ID: fab40bbb8def0fd8706ae67aa3b18035b9a1ea8f85cf812937f29eb66d64757c
Instruction ID: 0020bd0c2d18cf7c26bcc3f01b730e024131566231c6eaf7871f6c1a5cc46a3c
Opcode Fuzzy Hash: fab40bbb8def0fd8706ae67aa3b18035b9a1ea8f85cf812937f29eb66d64757c
Instruction Fuzzy Hash: C641D2715017059FE324CF59C841EAA77E4AF86368B14961DE4AA8FFD0D774D840CB61

Function 6C4921B9 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

__crtGetTickCount64.MSVCR120(5425FDEF), ref: 6C4921EA
WaitForSingleObjectEx.KERNEL32(?,00000064,00000000), ref: 6C492216
EnterCriticalSection.KERNEL32(?), ref: 6C492221
__crtGetTickCount64.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,6C4FB718,000000FF), ref: 6C49224E
Concurrency::details::ResourceManager::DiscardExistingSchedulerStatistics.LIBCMT ref: 6C49226C
Concurrency::details::ResourceManager::SendResourceNotifications.LIBCMT ref: 6C49227D
__crtGetTickCount64.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,6C4FB718,000000FF), ref: 6C492282
Concurrency::details::ResourceManager::SendResourceNotifications.LIBCMT ref: 6C49229E
LeaveCriticalSection.KERNEL32(?), ref: 6C4922C7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Resource$Concurrency::details::Count64Manager::Tick__crt$CriticalNotificationsSectionSend$DiscardEnterExistingLeaveObjectSchedulerSingleStatisticsWait
String ID:
API String ID: 1553915505-0
Opcode ID: 0f4af84cacfe04232f6eb8c6422c5cd23a339221e2004975b2d766b91a395b28
Instruction ID: 0a7f0c7476e966a63dd84e13dbfec58ae02df6c3468494b9cb0c9361f383bd44
Opcode Fuzzy Hash: 0f4af84cacfe04232f6eb8c6422c5cd23a339221e2004975b2d766b91a395b28
Instruction Fuzzy Hash: B231E331A487219BC720CF28D888F59BBE5BB85769F10072EE455A6BD0CB709945CBC3

Function 6C454152 Relevance: 13.6, APIs: 9, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(00000008,6C454238,0000001C,6C49BBC7,00000000,00000001,00000000,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001), ref: 6C454174
DecodePointer.KERNEL32(6C454238,0000001C,6C49BBC7,00000000,00000001,00000000,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C4541B1
DecodePointer.KERNEL32(?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C4541C6
EncodePointer.KERNEL32(00000000,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C4541DF
DecodePointer.KERNEL32(-00000004,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C4541EF
EncodePointer.KERNEL32(00000000,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C4541F9
DecodePointer.KERNEL32(?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C45420F
DecodePointer.KERNEL32(?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F,00000001,00000000), ref: 6C45421A

Part of subcall function 6C454113: GetModuleHandleW.KERNEL32(00000000,6C45416A,6C454238,0000001C,6C49BBC7,00000000,00000001,00000000,?,6C49BBA8,000000FF,?,6C473CEC,00000010,00000000,6C42F77F), ref: 6C454115

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Pointer$Decode$Encode$HandleModule_lock
String ID:
API String ID: 184903718-0
Opcode ID: 506376527e34ae2b02de8a960bf8be4df6a53d5aed6eccc40ad91108f79a13a8
Instruction ID: 2546847c38170a4604e729aa312753ad7a256f4d4fddaafc9859f0b9a6a7e993
Opcode Fuzzy Hash: 506376527e34ae2b02de8a960bf8be4df6a53d5aed6eccc40ad91108f79a13a8
Instruction Fuzzy Hash: 81318C31A012199BDF00DFA5C844FCC7BB1AF8539AF95612EE910AB750DB748868DF98

Function 6C4340EC Relevance: 13.6, APIs: 9, Instructions: 86stringCOMMON

Download Yara Rule

APIs

__unDName.MSVCR120(00000000,?,00000000,?,?,00002800,6C434110,0000000C), ref: 6C443979
strlen.MSVCR120(00000000), ref: 6C44398C
_lock.MSVCR120(0000000E), ref: 6C4439A9
malloc.MSVCR120(00000008), ref: 6C4439BB
malloc.MSVCR120(-00000004), ref: 6C4439CC
strcpy_s.MSVCR120(00000000,-00000004,00000000), ref: 6C4439E0
free.MSVCR120(00000000), ref: 6C443A05

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: malloc$Name__un_lockfreestrcpy_sstrlen
String ID:
API String ID: 4210340334-0
Opcode ID: f37b3de0888c7201cbb3903ebb60e5e0b433bcafc67f172bf39c88d32b266fa2
Instruction ID: b444e297efaae1ced910dfff118956b92f98b1604a31d8dd4075db08a856958b
Opcode Fuzzy Hash: f37b3de0888c7201cbb3903ebb60e5e0b433bcafc67f172bf39c88d32b266fa2
Instruction Fuzzy Hash: 4521F8B1911612ABE711DB758D82F9AF7A4FF04759F20C56DE8189BF80DB38D405CAD0

Function 6C490007 Relevance: 13.6, APIs: 9, Instructions: 82threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C49A549: CreateThread.KERNEL32(00000000,00010000,6C487870,6C48754C,?,"Il), ref: 6C49A55C

GetLastError.KERNEL32(?,?,?,?,?,6C4729FC), ref: 6C49002F
SetThreadPriority.KERNEL32(00000000,0000000F,?,?,?,?,?,6C4729FC), ref: 6C49003E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C4729FC), ref: 6C49005D
_CxxThrowException.MSVCR120(?,6C4FCF40,?,?,?,?,?,?,6C4729FC), ref: 6C49006B
EnterCriticalSection.KERNEL32(?), ref: 6C4900BA
LeaveCriticalSection.KERNEL32(?), ref: 6C4900C8
SetEvent.KERNEL32(?), ref: 6C4900D1
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 6C4900DE
free.MSVCR120 ref: 6C4900ED

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSectionThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEnterErrorEventExceptionLastLeaveObjectPrioritySingleThrowWaitfree
String ID:
API String ID: 1704029421-0
Opcode ID: a67d4b73ebfeabb89b0403b75945d49755629fe4308dbb6081e7f78cc750edd4
Instruction ID: a7c1c94c4c9d9738bf37f2b5ad617c1513af0e5e08a9bee27af8632e2a0d07c3
Opcode Fuzzy Hash: a67d4b73ebfeabb89b0403b75945d49755629fe4308dbb6081e7f78cc750edd4
Instruction Fuzzy Hash: ED21F831701161ABDB14EF76DC49FAE7BB8FF46325F11021EF505D6A80DB6494048BE9

Function 6C44E415 Relevance: 13.6, APIs: 9, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(00000007,6C44E490,00000010), ref: 6C44E428

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

wcslen.MSVCR120(00000000,6C44E490,00000010), ref: 6C44E7B6
calloc.MSVCR120(00000001,00000002,00000000,6C44E490,00000010), ref: 6C44E7C1
wcscpy_s.MSVCR120(00000000,00000001,?), ref: 6C44E7DB
_errno.MSVCR120(6C44E490,00000010), ref: 6C47F4D5
_invalid_parameter_noinfo.MSVCR120(6C44E490,00000010), ref: 6C47F4DF
_errno.MSVCR120 ref: 6C47F4F0
_errno.MSVCR120 ref: 6C47F4FB

Part of subcall function 6C449555: wcslen.MSVCR120(00000000,?,00000000,?,6C4496C4,?,?,?,?,6C4496E8,0000000C), ref: 6C449571
Part of subcall function 6C449555: wcslen.MSVCR120(00000000,?,00000000,?,6C4496C4,?,?,?,?,6C4496E8,0000000C), ref: 6C449580
Part of subcall function 6C449555: _wcsnicoll.MSVCR120(00000000,00000000,00000000,?,00000000,?,6C4496C4,?,?,?,?,6C4496E8,0000000C), ref: 6C44959D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errnowcslen$CriticalEnterSection_invalid_parameter_noinfo_lock_wcsnicollcallocwcscpy_s
String ID:
API String ID: 505790351-0
Opcode ID: 4e585fe7d3866008f0b1205e36bc9ac042ef94ddfb854d78f08f87568123be39
Instruction ID: d7710a08278cee73ae6644ac4fb5ed023a53a3c492138ae592e2d2de4a556ff5
Opcode Fuzzy Hash: 4e585fe7d3866008f0b1205e36bc9ac042ef94ddfb854d78f08f87568123be39
Instruction Fuzzy Hash: 7F21D170A012169BEB01DF75CC44EED7774AF44758F248158E818ABB90DB34C5068BE5

Function 6C444749 Relevance: 13.6, APIs: 9, Instructions: 80COMMON

Download Yara Rule

APIs

memset.MSVCR120(00000000,00000000,00000000,00000000,?,6C447A32,00000000,?,?,?,?,6C4478EE,?,00000000), ref: 6C444766
free.MSVCR120(00000000,?,00000000,?,6C447A32,00000000,?,?,?,?,6C4478EE,?,00000000,?,?,?), ref: 6C472BED
free.MSVCR120(?,00000000,?,00000000,?,6C447A32,00000000,?,?,?,?,6C4478EE,?,00000000), ref: 6C472BF5
free.MSVCR120(00000000,?,00000000,?,00000000,?,6C447A32,00000000,?,?,?,?,6C4478EE,?,00000000), ref: 6C472BFD
??_U@YAPAXI@Z.MSVCR120(00000000,00000000,?,00000000,?,00000000,?,6C447A32,00000000,?,?,?,?,6C4478EE,?,00000000), ref: 6C472C14
??_U@YAPAXI@Z.MSVCR120(00000000,00000000,?,?,?), ref: 6C472C33
??_U@YAPAXI@Z.MSVCR120(00000000,00000000,00000000,?,?,?), ref: 6C472C4A
memset.MSVCR120(?,00000000,00000000,?,?,?), ref: 6C472C65
memset.MSVCR120(?,00000000,00000000,?,00000000,00000000,?,?,?), ref: 6C472C75

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 2902b45434b6715a689a25d5e0cf82e1bf17e329d42e4f64c1065a4f278fef0f
Instruction ID: d62335bc71ae770e88fb306b9c33b8960718b515b8655ee6ca20ab4136dab805
Opcode Fuzzy Hash: 2902b45434b6715a689a25d5e0cf82e1bf17e329d42e4f64c1065a4f278fef0f
Instruction Fuzzy Hash: D4216D71500B409FD734DB3AD886D6BB7E4EF843583148D2EE45BC6E60DB75F8458AA0

Function 6C492F46 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492F52
free.MSVCR120(-00000004,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492F5E
InterlockedFlushSList.KERNEL32(?,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492F6C
free.MSVCR120(-00000004,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492F78

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

free.MSVCR120(00000000,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492F8D
free.MSVCR120(00000000,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492FAA
free.MSVCR120(?,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492FBB
free.MSVCR120(?,?,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492FC1
free.MSVCR120(?,?,?,?,6C492CBA,00000004,6C49249A), ref: 6C492FD1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$FlushInterlockedList$FreeHeap
String ID:
API String ID: 4002485106-0
Opcode ID: e3a53a0777106f1f659fa219c70754ac1b63d86f286b8cfee7a32e10e2218ca8
Instruction ID: 80d3d8e94b15fafd40ce5ab8d09ce4a4b4742bcfbcf30b9875473bc5421b1764
Opcode Fuzzy Hash: e3a53a0777106f1f659fa219c70754ac1b63d86f286b8cfee7a32e10e2218ca8
Instruction Fuzzy Hash: 4111BF36900632AFC735CAA6C586E4AF7A4BF093B6319095EEC4167F00CF20EC44DAD4

Function 6C44BF39 Relevance: 13.6, APIs: 9, Instructions: 62threadCOMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR120(00000001,000003BC), ref: 6C44BF53
_getptd.MSVCR120 ref: 6C44BF64
_initptd.MSVCR120(00000000,?), ref: 6C44BF6D

Part of subcall function 6C431BFD: _lock.MSVCR120(0000000D), ref: 6C431C41
Part of subcall function 6C431BFD: _lock.MSVCR120(0000000C), ref: 6C431C62

CreateThread.KERNEL32(?,?,6C44BFB4,00000000,?,?), ref: 6C44BF9B
_errno.MSVCR120 ref: 6C473EAF
_invalid_parameter_noinfo.MSVCR120 ref: 6C473EBA
free.MSVCR120(00000000), ref: 6C473ECF
__dosmaperr.LIBCMT(00000000), ref: 6C473EDA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _lock$CreateThread__dosmaperr_calloc_crt_errno_getptd_initptd_invalid_parameter_noinfofree
String ID:
API String ID: 1715317214-0
Opcode ID: ecbf7c1ca00c2fca3b1f8d82b84a2471e49110b56397998957589245b65cf41c
Instruction ID: bf6ae6a95b3029480c639973793583436e19935c9faa9b120159eccee947bdb4
Opcode Fuzzy Hash: ecbf7c1ca00c2fca3b1f8d82b84a2471e49110b56397998957589245b65cf41c
Instruction Fuzzy Hash: B91106322056066FE710DEA6DC41EDF3BA4EF496B9720411DF928C7A50DB31D40587B4

Function 6C43EE42 Relevance: 13.6, APIs: 9, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 6C43EE72
GetLastError.KERNEL32 ref: 6C43EE7C
__dosmaperr.LIBCMT(00000000), ref: 6C43EE83

Part of subcall function 6C43E4A7: __doserrno.MSVCR120(00000000,?,6C47EE56,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C43E4AB
Part of subcall function 6C43E4A7: _errno.MSVCR120(00000000,?,6C47EE56,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C43E4BE

_errno.MSVCR120 ref: 6C43EE89
__doserrno.MSVCR120 ref: 6C4742A2
_errno.MSVCR120 ref: 6C4742AA
_invalid_parameter_noinfo.MSVCR120 ref: 6C4742B4
__doserrno.MSVCR120 ref: 6C4742C0
_errno.MSVCR120 ref: 6C4742CB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
String ID:
API String ID: 2636503730-0
Opcode ID: 315a4a6a9e28c948d4424604989d0d1f6642852a2f382933222d46ca22345621
Instruction ID: 3bb261c3b5c9037f6ff3ba9ea03306a8dbfe7ba81c744d52e205b4f7e3dabde1
Opcode Fuzzy Hash: 315a4a6a9e28c948d4424604989d0d1f6642852a2f382933222d46ca22345621
Instruction Fuzzy Hash: 3B11E334A062289BD710DBB6CC85FED7BA49F8E369F00214CE9189ABD0D77489448BF5

Function 6C436419 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

g, xrefs: 6C43BDD4
+, xrefs: 6C4369FC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: +$g
API String ID: 0-3915867470
Opcode ID: 72f7d39f022a9a4ba18bb8b93c884bf4588c7dff2b180048b64e1163fc9244fe
Instruction ID: ccc7b99c7d7b4f303c52b959c54354258ed3a8bdc64973f7c9239d1d9e94e2dc
Opcode Fuzzy Hash: 72f7d39f022a9a4ba18bb8b93c884bf4588c7dff2b180048b64e1163fc9244fe
Instruction Fuzzy Hash: DC02E471D4523A9AEB21CB56CC88FE9B7B4BB8D319F2461D9D80CE7A40D7348A85CF40

Function 6C4C8546 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 6C42F720: GetLastError.KERNEL32(?,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F722
Part of subcall function 6C42F720: __crtFlsGetValue.MSVCR120(?,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F730
Part of subcall function 6C42F720: SetLastError.KERNEL32(00000000,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F741

_calloc_crt.MSVCR120(00000086,00000002), ref: 6C4C856D
__get_sys_err_msg.LIBCMT ref: 6C4C8590

Part of subcall function 6C4C6394: __sys_nerr.MSVCR120(00000086,?,6C4C627A,00000000), ref: 6C4C639F
Part of subcall function 6C4C6394: __sys_nerr.MSVCR120(00000086,?,6C4C627A,00000000), ref: 6C4C63A8
Part of subcall function 6C4C6394: __sys_errlist.MSVCR120(00000086,?,6C4C627A,00000000), ref: 6C4C63AF

_mbstowcs_s.LIBCMT(00000000,?,00000086,00000000,00000085), ref: 6C4C859A

Part of subcall function 6C432F50: _mbstowcs_s_l.MSVCR120(?,?,?,?,?,00000000), ref: 6C432F64

_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4C85AF
_errno.MSVCR120(00000000,?,6C4C637F,00000000,00000000,00000000,00000000,?,00000086,?,00000000,00000000), ref: 6C4C8642
_invalid_parameter_noinfo.MSVCR120(00000000,?,6C4C637F,00000000,00000000,00000000,00000000,?,00000086,?,00000000,00000000), ref: 6C4C864C

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6C4C85B8, 6C4C8555, 6C4C857B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorLast__sys_nerr$Value__crt__get_sys_err_msg__sys_errlist_calloc_crt_errno_invalid_parameter_noinfo_invoke_watson_mbstowcs_s_mbstowcs_s_l
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 2345991744-798102604
Opcode ID: bcc5ee36b30bbae2a24f3f86cb0369ce58511aef96b0b481b93e9792a65d5b26
Instruction ID: 42f5320a168e60763d2289d73eac95608ccac46a43b8f80f03dac3e914fb891e
Opcode Fuzzy Hash: bcc5ee36b30bbae2a24f3f86cb0369ce58511aef96b0b481b93e9792a65d5b26
Instruction Fuzzy Hash: 8431BC6A64D3E41FC313C6718C69D95BF246B53268B0D83CFD8898BEA3D794980183A7

Function 6C4BDEDC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.MSVCR120(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C4BDEF3
EncodePointer.KERNEL32(00000000,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C4BDF06
_getptd.MSVCR120(?,?,?,00000000,00000000), ref: 6C4BDF0E
_CallSETranslator.LIBCMT ref: 6C4BDF3C
?_inconsistency@@YAXXZ.MSVCR120(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C4BDF52

Strings

MOC, xrefs: 6C4BDF1B
RCC, xrefs: 6C4BDF23

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd$?_inconsistency@@CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2381479982-2084237596
Opcode ID: 4fd721d00d529c9870e6966262712770058b8792d961091ac05688fad5c3292e
Instruction ID: 01cf89b4a69ee068796fdaf40d2fa500a422dfae6fced6b866cefc53bb124153
Opcode Fuzzy Hash: 4fd721d00d529c9870e6966262712770058b8792d961091ac05688fad5c3292e
Instruction Fuzzy Hash: 50416732508109AFDB01CF84C880FAEB7B6EF88319F288198E91567755C335A961DBA0

Function 6C44CB83 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C44CB8A
__ExceptionPtr::__ExceptionPtr.LIBCMT ref: 6C44CC10
_Ptr_base.LIBCMT ref: 6C44CC36

Strings

csm, xrefs: 6C44CC0A, 6C44CC0D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Exception$H_prolog3_catchPtr::__Ptr_base
String ID: csm
API String ID: 3931061724-1018135373
Opcode ID: 000811fda2fec8da648f4010261539a90c8998b729c72681b5a8741b49d684c6
Instruction ID: 71285d185aeabba43ec42cbf25a474dc7397167122bb8da3fd5ea301925ce2fe
Opcode Fuzzy Hash: 000811fda2fec8da648f4010261539a90c8998b729c72681b5a8741b49d684c6
Instruction Fuzzy Hash: 8D316FB0E05249DAEB05DFA9D940FDEBFF4AF45308F24805EE815A7740DB748A09CBA1

Function 6C45442B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C475985
_invalid_parameter_noinfo.MSVCR120 ref: 6C475990
_errno.MSVCR120 ref: 6C47599D
_invalid_parameter_noinfo.MSVCR120 ref: 6C4759A8

Strings

B, xrefs: 6C45445E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: f599f8dd930afddf615a9613d1c0dc3c28fdefa2acbfd1d9a17acd7e1b43ae95
Instruction ID: f4500def1757736b30ecea92c85230eafe8b65c0267556b960be0ec2c8d07155
Opcode Fuzzy Hash: f599f8dd930afddf615a9613d1c0dc3c28fdefa2acbfd1d9a17acd7e1b43ae95
Instruction Fuzzy Hash: 60216272D052199FDF01DFA8CC40DEE77B8FB09364F54021AE824AB680E73898158BB1

Function 6C43E1D6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C475D8D
_invalid_parameter_noinfo.MSVCR120 ref: 6C475D98
_errno.MSVCR120 ref: 6C475DA5
_invalid_parameter_noinfo.MSVCR120 ref: 6C475DB0

Strings

B, xrefs: 6C43E209

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 3597054232ebe8e9be101bd05bcfa064ecb828ff52cdefea82de048b8e576a24
Instruction ID: 20a212f1d73d533ef28f0ce92d0d520e1bdece6a092e3f3668e3d7c55d1480d5
Opcode Fuzzy Hash: 3597054232ebe8e9be101bd05bcfa064ecb828ff52cdefea82de048b8e576a24
Instruction Fuzzy Hash: 5A216272D05229CEDF01DFA9CC80DEE77B4FB49324F14021AE528A7690D77498058BF5

Function 6C4BE9F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCompleteObject.LIBCMT ref: 6C4BEA15
FindMITargetTypeInstance.LIBCMT ref: 6C4BEA4E

Part of subcall function 6C4BE634: strcmp.MSVCR120(?,-00000008,?,00000000,00000000), ref: 6C4BE686
Part of subcall function 6C4BE634: strcmp.MSVCR120(?,?,?,00000000,00000000), ref: 6C4BE6B4
Part of subcall function 6C4BE634: PMDtoOffset.LIBCMT ref: 6C4BE6C6

FindVITargetTypeInstance.LIBCMT ref: 6C4BEA55
PMDtoOffset.LIBCMT ref: 6C4BEA66
std::bad_exception::bad_exception.LIBCMT(Bad dynamic_cast!,?,?,?,?,?,6C4BEAE8,00000018), ref: 6C4BEA8F
_CxxThrowException.MSVCR120(?,6C4BEB04,Bad dynamic_cast!,?,?,?,?,?,6C4BEAE8,00000018), ref: 6C4BEA9D

Strings

Bad dynamic_cast!, xrefs: 6C4BEA87

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Find$InstanceOffsetTargetTypestrcmp$CompleteExceptionObjectThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 3548542081-2956939130
Opcode ID: b3bcefc74147a079751cf5f6bfe2ba3b179eaf120cdfb57b146ca330cef869b5
Instruction ID: 8a599e5a7391bd0a4b911ee6ee9773c662bbcbaf07a623ecb2b190b5b97af51b
Opcode Fuzzy Hash: b3bcefc74147a079751cf5f6bfe2ba3b179eaf120cdfb57b146ca330cef869b5
Instruction Fuzzy Hash: 91218C72A002059FCB00CFA9C8C4E9E7BB8BB8A355F14449DE815B7B40DB359A09DBF1

Function 6C48C7F5 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6C48C812
??0exception@std@@QAE@XZ.MSVCR120 ref: 6C48C82A
std::exception::exception.LIBCMT(?), ref: 6C48C864
_CxxThrowException.MSVCR120(LuHlpxHl,Function_000DCEE8,?), ref: 6C48C879
std::exception::exception.LIBCMT(?,?,?,LuHlpxHl,Function_000DCEE8,?), ref: 6C48C888

Strings

LuHlpxHl, xrefs: 6C48C875, 6C48C878
pScheduler, xrefs: 6C48C859

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: std::exception::exception$??0exception@std@@ExceptionThrowValue
String ID: LuHlpxHl$pScheduler
API String ID: 3255388332-2283447266
Opcode ID: cce636adfe212a75d9575637321a88dcc0a08589c2de65ce835ad56e3a8f31da
Instruction ID: c755f6ab96c7a2478eb00d8c7cbedd3abe36259e3d06b787b6429a99b7ada024
Opcode Fuzzy Hash: cce636adfe212a75d9575637321a88dcc0a08589c2de65ce835ad56e3a8f31da
Instruction Fuzzy Hash: 0A112932A41208ABC710EFAAD840DCAFB78EF44275B50866EF96497F10DB31D905CBD4

Function 6C4469D9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000180,6C4348CA), ref: 6C4469E4
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000008,00000002,00000180,6C4348CA), ref: 6C4469F5
std::exception::exception.LIBCMT(00000001,00000002,00000180,6C4348CA), ref: 6C47345B
_CxxThrowException.MSVCR120(6C4348CA,6C4FD088,00000001,00000002,00000180), ref: 6C473470
GetCurrentThread.KERNEL32 ref: 6C473476
GetThreadPriority.KERNEL32(00000000), ref: 6C47347D

Strings

4zHlLzHl`zHlSchedulerKind, xrefs: 6C473445

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerThreadValue@$CurrentExceptionPriorityThrowstd::exception::exception
String ID: 4zHlLzHl`zHlSchedulerKind
API String ID: 4031781369-359997921
Opcode ID: 1e2356389aaefe1f10dcb87c1405a7edf60e454b94f54b81e9839fe879b488d4
Instruction ID: 0dc6afd98f937a888b74701c1109385fe1b804096bb67f62ca72e9a8f7267adb
Opcode Fuzzy Hash: 1e2356389aaefe1f10dcb87c1405a7edf60e454b94f54b81e9839fe879b488d4
Instruction Fuzzy Hash: 0BF0C271B0221AEBEF14EFB48845EEE77B8BB01244F100999EC24A3B41DB34D50587E4

Function 6C4C78D4 Relevance: 12.2, APIs: 8, Instructions: 222stringCOMMON

Download Yara Rule

APIs

strncpy_s.MSVCR120(?,?,?,00000002), ref: 6C4C7968
_ismbblead.MSVCR120(00000001), ref: 6C4C7992
strncpy_s.MSVCR120(?,?,00000000,00000000), ref: 6C4C79DF
strncpy_s.MSVCR120(00000000,?,?,00000000), ref: 6C4C7A14
strncpy_s.MSVCR120(00000000,?,00000000,?), ref: 6C4C7A30
strncpy_s.MSVCR120(00000000,?,?,?), ref: 6C4C7A4E
_errno.MSVCR120 ref: 6C4C7AB2
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C7AC0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: strncpy_s$_errno_invalid_parameter_noinfo_ismbblead
String ID:
API String ID: 519590025-0
Opcode ID: 9c353a184572e0facde5fd778c95f8e970b50d570a1baa377f4b5500e9aeb446
Instruction ID: 085c789ea10656e58685f837937f1040587e494776e6e434ba74f47eab95d481
Opcode Fuzzy Hash: 9c353a184572e0facde5fd778c95f8e970b50d570a1baa377f4b5500e9aeb446
Instruction Fuzzy Hash: 6771C33870D3499BFF21CE25C480FAA3BA5AF4535AF25015DEC54A6B60D335DA41C7A3

Function 6C435938 Relevance: 12.2, APIs: 8, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

_filbuf.MSVCR120(?,00000000), ref: 6C435905
memcpy_s.MSVCR120(?,?,?,?,00000000), ref: 6C4359E0
_fileno.MSVCR120(?,?,?,00000000), ref: 6C435F46
_errno.MSVCR120 ref: 6C475577
_invalid_parameter_noinfo.MSVCR120 ref: 6C475582
memset.MSVCR120(?,00000000,000000FF), ref: 6C475598
memset.MSVCR120(?,00000000,000000FF,00000000), ref: 6C4755E7
_errno.MSVCR120 ref: 6C4755EF

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errnomemset$_filbuf_fileno_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 4246007277-0
Opcode ID: 57bad2a4ea697ecff6aff00c7a9e90cf418f640a5f96defc0ab8a533490cb8c9
Instruction ID: e9a6f71663045cc6bec22666b510d7d3619ac55f34f8806d9ccdc6ab24cdfcef
Opcode Fuzzy Hash: 57bad2a4ea697ecff6aff00c7a9e90cf418f640a5f96defc0ab8a533490cb8c9
Instruction Fuzzy Hash: B851C330A053159BDB14DFAAC880E9E77B1AF89335F20972DE83D86BD0D7709955CB90

Function 6C494DA7 Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR120 ref: 6C494DEA
List.LIBCMT ref: 6C494E52
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C494E69
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C494E7C
List.LIBCMT ref: 6C494EC8
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C494EDF
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C494EF2
List.LIBCMT ref: 6C494F3B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::FindGroupRing::ScheduleSchedulingSegment$List$AcquireConcurrency@@Lock@details@ReaderWrite@_Writer
String ID:
API String ID: 230955726-0
Opcode ID: 266e769967685039b14a5621c483210179a375d5f116787b4f7c2708b98a48a2
Instruction ID: 160ffe01f2421391570dbcde52185860e6d2e53da8747c52db71ad9019d635b5
Opcode Fuzzy Hash: 266e769967685039b14a5621c483210179a375d5f116787b4f7c2708b98a48a2
Instruction Fuzzy Hash: C8517271A04229AFDB08CF55C894FEEBBB8FF45359F14826DE51A97B40C734AA04CB90

Function 6C4A7B69 Relevance: 12.1, APIs: 8, Instructions: 135timeCOMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A7B8D
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A7B97

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_get_timezone.MSVCR120(?), ref: 6C4A7BBA
GetSystemTimeAsFileTime.KERNEL32(?), ref: 6C4A7BE0
GetTimeZoneInformation.KERNEL32(?,?,?,23C34600,00000000), ref: 6C4A7C2D
__aullrem.LIBCMT ref: 6C4A7C99
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4A7CCE
_gmtime64_s.MSVCR120(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C4A7CE7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time$FileInformationSystemZone__aullrem_errno_get_timezone_gmtime64_s_invalid_parameter_invalid_parameter_noinfo_invoke_watson
String ID:
API String ID: 2378273451-0
Opcode ID: 07bc5acd656ee03db0f575178b3c2c271689ece5bbfc149b16d622f350b72889
Instruction ID: 2626aea71c1dafabfe8c80060279c78db9c93bc02c252ea8bf1b278353dc2af5
Opcode Fuzzy Hash: 07bc5acd656ee03db0f575178b3c2c271689ece5bbfc149b16d622f350b72889
Instruction Fuzzy Hash: 47410272B08318ABDB20DFB5DC80F9A77B9EB49708F11059DE109E7B84DB309941CBA5

Function 6C43EB8E Relevance: 12.1, APIs: 8, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?,00000000,6C4FF520,?,?,6C43EBC6,?), ref: 6C47504D
_invalid_parameter_noinfo.MSVCR120(?,00000000,6C4FF520,?,?,6C43EBC6,?), ref: 6C475058

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: a5f99d07e2f8ab59a228e7ab14dfbe3fdd7ec4ceebecfd45c0956ee5189843bb
Instruction ID: 3c2b25ad9ede22da3e96937c095a6b71c85094cd8850320e41a8190c7f13b4ac
Opcode Fuzzy Hash: a5f99d07e2f8ab59a228e7ab14dfbe3fdd7ec4ceebecfd45c0956ee5189843bb
Instruction Fuzzy Hash: BE416731401227AAD311CB6AC440EE5FBB4FF4A36AB249359D4B98AFD0E724D456CBE0

Function 6C451980 Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

wcsncmp.MSVCR120 ref: 6C451991
_wcscspn.LIBCMT(?,Function_00021268), ref: 6C4519BD
wcsncpy_s.MSVCR120(?,00000083,?,00000000), ref: 6C4519F5
_wcspbrk.LIBCMT(00000000,6C451AA4,00000000,00000000,00000000), ref: 6C451A61

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _wcscspn_wcspbrkwcsncmpwcsncpy_s
String ID:
API String ID: 4220790964-0
Opcode ID: 60b18a24c814b697e92592e1c23df1e1a5aaa7db93aa1a7cdf3c3f66a254cad6
Instruction ID: 1258352e04987d336f702db2f1b329cc11afb46621066896b35580c37eec0ea4
Opcode Fuzzy Hash: 60b18a24c814b697e92592e1c23df1e1a5aaa7db93aa1a7cdf3c3f66a254cad6
Instruction Fuzzy Hash: E041B3759052249BEB26DF64CC40ED973B4FF19309F60459AD808A3B80E771D995CED1

Function 6C4ABB8D Relevance: 12.1, APIs: 8, Instructions: 122stringCOMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4ABBAC
_invalid_parameter_noinfo.MSVCR120 ref: 6C4ABBB6
strcpy_s.MSVCR120(?,00000000,?,?), ref: 6C4ABBDE
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABC1E
_errno.MSVCR120(?), ref: 6C4ABC3B
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4ABC45
_ismbblead_l.MSVCR120(?,?,?), ref: 6C4ABC60
_errno.MSVCR120(?), ref: 6C4ABC87

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_ismbblead_l$strcpy_s
String ID:
API String ID: 3622607720-0
Opcode ID: 85bf035d633759d88bb0443cdc004d8021ee442f166485e5e65b0d74e8587b79
Instruction ID: cb48992626616785851982a319dfe4aa2d9a854059011d9a9e1e1e911c625dff
Opcode Fuzzy Hash: 85bf035d633759d88bb0443cdc004d8021ee442f166485e5e65b0d74e8587b79
Instruction Fuzzy Hash: 44415731A0521EAFCB01CFA8C890EAD7B65EF55759F24416DE8809BB88DB30C987C7D1

Function 6C449461 Relevance: 12.1, APIs: 8, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtCompareStringW.MSVCR120(?,00001001,00000000,?,?,?,?), ref: 6C449826
_errno.MSVCR120 ref: 6C47AD93
_invalid_parameter_noinfo.MSVCR120 ref: 6C47AD9E
_errno.MSVCR120 ref: 6C47ADAD
_invalid_parameter_noinfo.MSVCR120 ref: 6C47ADB8
_errno.MSVCR120 ref: 6C47ADC7
_invalid_parameter_noinfo.MSVCR120 ref: 6C47ADD2

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CompareString__crt_getptd
String ID:
API String ID: 205171049-0
Opcode ID: 512b92ecc41c4cb1a5fc088d37a09f5313db0adf3bff1bf01c29d3b1fcd92bc6
Instruction ID: ebbf68040995491f08aab1e27058a66cda0788c32ed6c667999c12d7abcdc64f
Opcode Fuzzy Hash: 512b92ecc41c4cb1a5fc088d37a09f5313db0adf3bff1bf01c29d3b1fcd92bc6
Instruction Fuzzy Hash: B4314936B011159AFB20DE68CD40FF633A8EF5536AF708115E8648BB90D735C84197A1

Function 6C434C47 Relevance: 12.1, APIs: 8, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?,?,?), ref: 6C434C90
_read.MSVCR120(00000000,?,?), ref: 6C434C97
_fileno.MSVCR120(?), ref: 6C434CBA
_fileno.MSVCR120(?), ref: 6C434CCA
_fileno.MSVCR120(?), ref: 6C434CDB
_fileno.MSVCR120(?,?), ref: 6C434CE6

Part of subcall function 6C4358BC: _malloc_crt.MSVCR120(00001000,0]Gl,?,6C4513DD,0]Gl,00000000,00000000,00000000,?,6C475D30,00000000,?), ref: 6C4358C6

_errno.MSVCR120 ref: 6C474FFE
_invalid_parameter_noinfo.MSVCR120 ref: 6C475009

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fileno$_errno_invalid_parameter_noinfo_malloc_crt_read
String ID:
API String ID: 1828220225-0
Opcode ID: cd45b14ced5d903ed5d13ea32fe076988b57ab9e63794f668a72010499f3ffcf
Instruction ID: 5038e123e5fb3bbaade4dd6c4da869e7cfe00a2014e3b97acbb6c8d481024068
Opcode Fuzzy Hash: cd45b14ced5d903ed5d13ea32fe076988b57ab9e63794f668a72010499f3ffcf
Instruction Fuzzy Hash: B831C6310046266AE701DA7BD440FE5BFA0AFCA3B9B24B309D87C85F91D725E056DBD1

Function 6C452ECC Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,00000000,?), ref: 6C452F3A
_get_osfhandle.MSVCR120(?,00000000), ref: 6C452F40
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 6C452F47
DuplicateHandle.KERNEL32(00000000), ref: 6C452F4A

Part of subcall function 6C434DF1: _get_osfhandle.MSVCR120(?,?,?,?,6C434F10,?,6C434F30,00000010), ref: 6C434DFA
Part of subcall function 6C434DF1: _get_osfhandle.MSVCR120(?), ref: 6C434E1D
Part of subcall function 6C434DF1: CloseHandle.KERNEL32(00000000), ref: 6C434E24

_errno.MSVCR120(?), ref: 6C47F075
__doserrno.MSVCR120(?), ref: 6C47F080

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
String ID:
API String ID: 4219055303-0
Opcode ID: de700ca2bf9f3ee95b59f3da0ccabde3b5e89340b35411ad0e427688397a5dc3
Instruction ID: ce62c1c7d22f537c5652fa89e22ba86a66dc35fcd66d8d48b676a4c64b46a197
Opcode Fuzzy Hash: de700ca2bf9f3ee95b59f3da0ccabde3b5e89340b35411ad0e427688397a5dc3
Instruction Fuzzy Hash: C231E931A06250BBEB11DF38D884E9E7FF4AF4A314F654299E5648F792CB31D911CB90

Function 6C4F069F Relevance: 12.1, APIs: 8, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetround.MSVCR120(?,6C4EFC0F,?,?,?,6C4EEF58,?,?), ref: 6C4F06A8

Part of subcall function 6C4EA5DC: __getfpcontrolword.LIBCMT ref: 6C4EA5DC

__Dint.LIBCPMT ref: 6C4F06CC
__Dint.LIBCPMT ref: 6C4F06DE
__Dint.LIBCPMT ref: 6C4F0703
__Dint.LIBCPMT ref: 6C4F072B
__Dint.LIBCPMT ref: 6C4F073D
__Dint.LIBCPMT ref: 6C4F074F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Dint$__getfpcontrolwordfegetround
String ID:
API String ID: 3049488995-0
Opcode ID: dc0efd4783d7122efc78d4613e2f11cf60552f3c17407f7c01c1d7dc97160ae3
Instruction ID: 11e36751b4e6709947b8d608d6661a1adcd4731febb22cf9b870885f31fcb42d
Opcode Fuzzy Hash: dc0efd4783d7122efc78d4613e2f11cf60552f3c17407f7c01c1d7dc97160ae3
Instruction Fuzzy Hash: D421A22550A65DA6FF00DE11E910FEE3BA8EBC57A5F60404AFC6899DC0DF34D296C680

Function 6C44CDB0 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

strlen.MSVCR120(00000000,00000000,?,6C44CD86), ref: 6C44CDCA
_calloc_crt.MSVCR120(00000001,00000004,00000000,?,6C44CD86), ref: 6C44CDE0
strlen.MSVCR120(00000000,?,00000000,?,6C44CD86), ref: 6C44CE00
_calloc_crt.MSVCR120(00000001,00000001,?,00000000,?,6C44CD86), ref: 6C44CE11
strcpy_s.MSVCR120(00000000,00000001,00000000,?,00000000,?,6C44CD86), ref: 6C44CE25
free.MSVCR120(00000000,?,00000000,?,6C44CD86), ref: 6C44CE46

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _calloc_crtstrlen$freestrcpy_s
String ID:
API String ID: 1244768049-0
Opcode ID: 518c85a73f3d35b14a1ab34eadb898a7d717151a829c3edbba2f650341d328b0
Instruction ID: 0f7591cfad0b4105d56a71699da0cf95a4d31d9f78ba15e66860cf64ca53acae
Opcode Fuzzy Hash: 518c85a73f3d35b14a1ab34eadb898a7d717151a829c3edbba2f650341d328b0
Instruction Fuzzy Hash: B4214CB3A062211EF720DE749C45F863B95DF8227AF38051AD460D3A80EF359409C3E4

Function 6C440C5E Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,6C440D40,0000000C), ref: 6C440C95

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fileno.MSVCR120(?,?,?,6C440D40,0000000C), ref: 6C440CA5
__output_l.LIBCMT ref: 6C440D16
__ftbuf.LIBCMT ref: 6C440D22
_errno.MSVCR120(6C440D40,0000000C), ref: 6C475539
_invalid_parameter_noinfo.MSVCR120(6C440D40,0000000C), ref: 6C475544
_errno.MSVCR120(?,?,?,?,?,?,?,?,6C440D40,0000000C), ref: 6C475551
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,6C440D40,0000000C), ref: 6C47555C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$__ftbuf__output_l_fileno_lock_lock_file
String ID:
API String ID: 3923144078-0
Opcode ID: d04eed5bc17e292b3c5c9d81b88a0975ab6c8d1bd87300a0b320afdab17aedee
Instruction ID: e3ee424846bc262ab53927165a620629deb17ed2ca85fc420d0df0fc7fd33fac
Opcode Fuzzy Hash: d04eed5bc17e292b3c5c9d81b88a0975ab6c8d1bd87300a0b320afdab17aedee
Instruction Fuzzy Hash: CA21A7A16012559BF700DFB99C80EAE3AA1EFD537DB24C32CE4384ABD5DB38C51A8751

Function 6C445C41 Relevance: 12.1, APIs: 8, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C445C48
??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(00000014,6C4723E5,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445C73

Part of subcall function 6C445C29: __crtInitializeCriticalSectionEx.MSVCR120(?,00000000,00000180,6C444ACC,?,?,?,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C445C35

??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(00000014,6C4723E5,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445CA4

Part of subcall function 6C446F10: TlsAlloc.KERNEL32 ref: 6C446F16

Part of subcall function 6C445760: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 6C445829

Concurrency::details::ResourceManager::DetermineTopology.LIBCMT ref: 6C445CC2

Part of subcall function 6C445A97: ??_U@YAPAXI@Z.MSVCR120(00000000,?,6C443A7E,00000000,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445ACF
Part of subcall function 6C445A97: memset.MSVCR120(00000000,00000000,?,00000000,?,6C443A7E,00000000,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445AE0
Part of subcall function 6C445A97: ??_U@YAPAXI@Z.MSVCR120(00000000,00000000,00000000,?,00000000,?,6C443A7E,00000000,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445B05
Part of subcall function 6C445A97: memset.MSVCR120(00000000,00000000,?,?,?,?,6C443A7E,00000000,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445B24
Part of subcall function 6C445A97: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 6C445B75

??_U@YAPAXI@Z.MSVCR120(00000000,00000014,6C4723E5,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C445CF4
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004,00000014,6C4723E5,0000000C,6C44500E,5425FDEF,?,00000180,?), ref: 6C472413
std::exception::exception.LIBCMT(6C4348CA,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6C4FBB86), ref: 6C472433
_CxxThrowException.MSVCR120(00000000,6C44C7FC,6C4348CA,00000001), ref: 6C472448

Part of subcall function 6C443C0B: __crtCreateEventExW.MSVCR120(00000000,00000000,00000000,001F0002), ref: 6C443C1B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::Manager::ResourceTopology$??0_AllocBlockingCleanupConcurrency@@InformationLock@details@Reentrant__crtmemset$CreateCriticalDetermineEventExceptionH_prolog3InitializeSectionThrowVirtualstd::exception::exception
String ID:
API String ID: 3903250442-0
Opcode ID: 8d9c9aae051a184c49582b4e0e5046827c76a76a6f171837bd5418d8d190d6cc
Instruction ID: 128113ffce78e87586e536ed3b95aebd83a5a62c2f587e35a0783a1cdcf4c052
Opcode Fuzzy Hash: 8d9c9aae051a184c49582b4e0e5046827c76a76a6f171837bd5418d8d190d6cc
Instruction Fuzzy Hash: 7E31E2B0A01B56EBDB14DF6AC880EC9FBA0FF08308B50892ED44997B40CB74A158CFD0

Function 6C44BEC4 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94), ref: 6C44BED7
DecodePointer.KERNEL32(?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94,00000000), ref: 6C44BEE2
_msize.MSVCR120(00000000,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94), ref: 6C44BF02

Part of subcall function 6C43CA0E: HeapSize.KERNEL32(00000000,00000000,?,6C44BF07,00000000,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?), ref: 6C43CA26

EncodePointer.KERNEL32(?,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94), ref: 6C44BF18
EncodePointer.KERNEL32(00000000,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94), ref: 6C44BF24
_realloc_crt.MSVCR120(00000000,00000800,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1), ref: 6C44DBFF
EncodePointer.KERNEL32(00000000,?,?,?,?,6C44BE8C,?,6C44BEA8,0000000C,6C44CCD6,?,?,6C44CD0C,6C471BD1,?,6C44CD94), ref: 6C44DC15

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
String ID:
API String ID: 765448609-0
Opcode ID: e0075382ba6570ca2ae0a76a792a5b3ee443a872050308209bdb643af1793dc2
Instruction ID: 80c4ead0b8c661639e40b2aa635e531a9290e72feb6d5fca5791ccc21a30d893
Opcode Fuzzy Hash: e0075382ba6570ca2ae0a76a792a5b3ee443a872050308209bdb643af1793dc2
Instruction Fuzzy Hash: 7521B771705215AFAB11DF38DC88E9AB7F9EB453D5B61456AE806C3A00FB31EC048BD4

Function 6C4985DA Relevance: 12.1, APIs: 8, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C4985E1
free.MSVCR120(00000000,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C498631
free.MSVCR120(?,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C498638
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR120(?,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C49864C
free.MSVCR120(?,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C498653
??0exception@std@@QAE@XZ.MSVCR120(00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C498671
_CxxThrowException.MSVCR120(?,6C4FCE94,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323), ref: 6C498686
??1event@Concurrency@@QAE@XZ.MSVCR120(00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323,?,6C489323,?,6C49881D), ref: 6C498692

Part of subcall function 6C498582: __uncaught_exception.MSVCR120(?,?,?,?,6C48923C,00000001), ref: 6C498595

Part of subcall function 6C498792: ??1_TaskCollection@details@Concurrency@@QAE@XZ.MSVCR120(?,?,?,6C49861B,00000000,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000,6C489323), ref: 6C4987BD
Part of subcall function 6C498792: free.MSVCR120(?,?,?,?,6C49861B,00000000,00000014,6C489B1B,00000000,00000000,?,6C497B9B,00000001,00000000,?,00000000), ref: 6C4987C3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$Concurrency@@Exception$??0exception@std@@??1_??1event@Collection@details@Destroy@@H_prolog3TaskThrow__uncaught_exception
String ID:
API String ID: 721984979-0
Opcode ID: 867eb73f6834cba2a0d33602090d7b4cfecc8dfaf35155c1484e463c55fc33c4
Instruction ID: facfd2dd14ab73c8a933f4afd445a2e537ef7f1025338961419bbe29bdf5d10f
Opcode Fuzzy Hash: 867eb73f6834cba2a0d33602090d7b4cfecc8dfaf35155c1484e463c55fc33c4
Instruction Fuzzy Hash: 0E11D2319026229ACF05DB6AC442EED7B20AF4136DF24195ED8616BF90CB34AD4AC6D4

Function 6C44F894 Relevance: 12.1, APIs: 8, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.MSVCR120(?,?,?), ref: 6C44F8A0
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?), ref: 6C44F8C3
SetFilePointerEx.KERNEL32(00000000,?,?,?,?), ref: 6C44F8DB
_errno.MSVCR120(?,?), ref: 6C47EEB7
GetLastError.KERNEL32 ref: 6C47EEC9
__dosmaperr.LIBCMT(00000000), ref: 6C47EED0
SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,?,?,?), ref: 6C47EEE3
_errno.MSVCR120(?,?,?), ref: 6C47EEE5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: FilePointer$_errno$ErrorLast__dosmaperr_get_osfhandle
String ID:
API String ID: 2017882077-0
Opcode ID: a08ee6becac046c572c6ea3060e4048fa75d2109d0ece911ce9fe5df01bf5dad
Instruction ID: ded683917a60d79a3661f63427ca77dec05755c5d88e3a7c2997fafc05c3102a
Opcode Fuzzy Hash: a08ee6becac046c572c6ea3060e4048fa75d2109d0ece911ce9fe5df01bf5dad
Instruction Fuzzy Hash: 9F11E732601219BFEB11DAA9CC80FEE3778AB86725F100758F9249B6D0EB70D80187A4

Function 6C48EC43 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C48EC4E
Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C48EC59
Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C48EC62
Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C48EC6C
Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C48ECC1
Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C48ECCC
_CIsqrt.MSVCR120(?,?,?,?), ref: 6C48ECD7
_CIexp.MSVCR120(?,?,?,?), ref: 6C48ECE3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Climbing::Concurrency::details::Hill$History::Measured$HistoryMeanVariance$IexpIsqrt
String ID:
API String ID: 3578402837-0
Opcode ID: 8046cd6afe10749b73f3506cf01e6ff4f10ee94cc347cb9fe38ad4b9a61a3c93
Instruction ID: f4607c80aff72adbf743485cb594e3e3f172e4fc58856091af353920511e699b
Opcode Fuzzy Hash: 8046cd6afe10749b73f3506cf01e6ff4f10ee94cc347cb9fe38ad4b9a61a3c93
Instruction Fuzzy Hash: A4116D35E01509E6CF11BFA1E9848EDBF74FF84351F214894D89031654EF328AB98BC5

Function 6C44F910 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

__doserrno.MSVCR120(6C44F9A8,00000010), ref: 6C44F9CC
__doserrno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE59
_errno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE60
__doserrno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE6D

Part of subcall function 6C434206: EnterCriticalSection.KERNEL32(-0000000C,6C434260,00000008,6C4402F5,00000000,6C440338,00000010,6C47525C,00000000,00000000,00000001,00000000,00000000,00000000,?,6C475D30), ref: 6C43424C

_errno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE77
__doserrno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE82

Part of subcall function 6C44F894: _get_osfhandle.MSVCR120(?,?,?), ref: 6C44F8A0
Part of subcall function 6C44F894: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?), ref: 6C44F8C3
Part of subcall function 6C44F894: SetFilePointerEx.KERNEL32(00000000,?,?,?,?), ref: 6C44F8DB

Part of subcall function 6C44F9C4: __unlock_fhandle.LIBCMT ref: 6C44F9C5

_errno.MSVCR120(6C44F9A8,00000010), ref: 6C47EE9F
_invalid_parameter_noinfo.MSVCR120(6C44F9A8,00000010), ref: 6C47EEAA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __doserrno$_errno$FilePointer$CriticalEnterSection__unlock_fhandle_get_osfhandle_invalid_parameter_noinfo
String ID:
API String ID: 2332042503-0
Opcode ID: 3de488f2d9826bda87210a6ed3a7f81cc11655da20a8f5d925021ec5e4b65f3c
Instruction ID: ae78df2598f625bd17f0b084538ba1dc0a20edfea736643e4553e7efdf5db805
Opcode Fuzzy Hash: 3de488f2d9826bda87210a6ed3a7f81cc11655da20a8f5d925021ec5e4b65f3c
Instruction Fuzzy Hash: 3E21B7719026609FE711DF698880FED3AA0AF86369F255749C4741FBE0CB7889058BE1

Function 6C4C1C68 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.MSVCR120(6C4C1D58,00000014,6C475502,00000000,?), ref: 6C4C1C81
_get_osfhandle.MSVCR120(?,6C4C1D58,00000014,6C475502,00000000,?), ref: 6C4C1CE2
FlushFileBuffers.KERNEL32(00000000,6C4C1D58,00000014,6C475502,00000000,?), ref: 6C4C1CE9
GetLastError.KERNEL32 ref: 6C4C1CF3
__doserrno.MSVCR120 ref: 6C4C1D02
_errno.MSVCR120(6C4C1D58,00000014,6C475502,00000000,?), ref: 6C4C1D09

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle
String ID:
API String ID: 3142512953-0
Opcode ID: a6aa9a3883ae90a53f841f6c7abb821e7241af0d8a01ba94639aa82376efe306
Instruction ID: 56b855808bc4de5ee79e4ddc9bc57190a7acc46fbc12f15f69b09661b4102bd9
Opcode Fuzzy Hash: a6aa9a3883ae90a53f841f6c7abb821e7241af0d8a01ba94639aa82376efe306
Instruction Fuzzy Hash: 6311B439B112208BCB01DF68C840E9D7BB09F8A765F550349E8349F7B1CB78D8418BE6

Function 6C4960FA Relevance: 12.0, APIs: 8, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,00000000,?,6C493443,00000004,6C493384,00000004,6C49334D), ref: 6C496106
ListArray.LIBCMT ref: 6C496109
InterlockedFlushSList.KERNEL32(?,00000000,?,00000000,?,6C493443,00000004,6C493384,00000004,6C49334D), ref: 6C496112
ListArray.LIBCMT ref: 6C496115
ListArray.LIBCMT ref: 6C49611D
free.MSVCR120(?,?,00000000,?,00000000,?,6C493443,00000004,6C493384,00000004,6C49334D), ref: 6C49614A
free.MSVCR120(?,?,?,00000000,?,00000000,?,6C493443,00000004,6C493384,00000004,6C49334D), ref: 6C496150
free.MSVCR120(?,?,00000000,?,00000000,?,6C493443,00000004,6C493384,00000004,6C49334D), ref: 6C496160

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$Arrayfree$FlushInterlocked
String ID:
API String ID: 1505039951-0
Opcode ID: 4d94d43c01d6ab853ce4e820893bbd27a48be86a072f88756b08bfea0ed09198
Instruction ID: 798e4bb800cde0e7bfa838c00b92960f8a03b46c0592d1c3ff6db3b958378d9f
Opcode Fuzzy Hash: 4d94d43c01d6ab853ce4e820893bbd27a48be86a072f88756b08bfea0ed09198
Instruction Fuzzy Hash: D1017C32600A31AFDB45EBA5C886DDABB68FF05266300046DE900A7E11CB24B815CBD4

Function 6C4962B6 Relevance: 12.0, APIs: 8, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,00000000,?,6C49348C,00000004,6C493384,00000004,6C49334D), ref: 6C4962C2
ListArray.LIBCMT ref: 6C4962C5
InterlockedFlushSList.KERNEL32(?,00000000,?,00000000,?,6C49348C,00000004,6C493384,00000004,6C49334D), ref: 6C4962CE
ListArray.LIBCMT ref: 6C4962D1
ListArray.LIBCMT ref: 6C4962D9
free.MSVCR120(?,?,00000000,?,00000000,?,6C49348C,00000004,6C493384,00000004,6C49334D), ref: 6C496306
free.MSVCR120(?,?,?,00000000,?,00000000,?,6C49348C,00000004,6C493384,00000004,6C49334D), ref: 6C49630C
free.MSVCR120(?,?,00000000,?,00000000,?,6C49348C,00000004,6C493384,00000004,6C49334D), ref: 6C49631C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$Arrayfree$FlushInterlocked
String ID:
API String ID: 1505039951-0
Opcode ID: d5dfa58cf824cfbef71699f452b33349e8b8f49c4721a0d224d190f721f7d41e
Instruction ID: 7117dd9a14bfbe03f1cd97ad9e1c724607abe5e2cc529aba0c91b0be8c3a278f
Opcode Fuzzy Hash: d5dfa58cf824cfbef71699f452b33349e8b8f49c4721a0d224d190f721f7d41e
Instruction Fuzzy Hash: 21018F32600631ABDB55EFE1C886DDABF68FF05366310046DE500D7E10CB25E815CBD4

Function 6C432495 Relevance: 10.7, APIs: 7, Instructions: 220COMMON

Download Yara Rule

APIs

wcsncpy_s.MSVCR120(?,?,?,00000000), ref: 6C432596
wcsncpy_s.MSVCR120(?,?,00000000,?), ref: 6C4325BB
wcsncpy_s.MSVCR120(?,?,?,00000002), ref: 6C43261B
wcsncpy_s.MSVCR120(?,?,?,?), ref: 6C432642
_errno.MSVCR120 ref: 6C48001D
_invalid_parameter_noinfo.MSVCR120 ref: 6C48002B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsncpy_s$_errno_invalid_parameter_noinfo
String ID:
API String ID: 4201559322-0
Opcode ID: 11c479ff120d8dfbf7ebacdc4b4c2743f2ec1ef3bd6698d0bf42d4c2c83870d1
Instruction ID: ab31db1cd2b36eca9cb12b2e12ae81514a5140769ae672d83b3d18dd3a2384d5
Opcode Fuzzy Hash: 11c479ff120d8dfbf7ebacdc4b4c2743f2ec1ef3bd6698d0bf42d4c2c83870d1
Instruction Fuzzy Hash: 4161E830606216DBEF34CE1A8894FAB3264EF8936EB55522EFD1857B41DB30C951C6E1

Function 6C4C88C1 Relevance: 10.7, APIs: 7, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsncpy_s.MSVCR120(?,000000FF,?,00000002,?,?,?,?,6C4C88BC,?,?,?,?,?,?,?), ref: 6C4C894A
wcsncpy_s.MSVCR120(?,000000FF,?,?,?,?,?,?,6C4C88BC,?,?,?,?,?,?,?), ref: 6C4C89B7
wcsncpy_s.MSVCR120(?,000000FF,?,00000000,?,?,?,?,6C4C88BC,?,?,?,?,?,?,?), ref: 6C4C89F1
wcsncpy_s.MSVCR120(?,000000FF,00000000,?,?,?,?,?,6C4C88BC,?,?,?,?,?,?,?), ref: 6C4C8A11
wcsncpy_s.MSVCR120(?,000000FF,?,?,?,?,?,?,6C4C88BC,?,?,?,?,?,?,?), ref: 6C4C8A30
_errno.MSVCR120(?,?,?,?,6C4C88BC,?,?,?,?,?,?,?,?,?), ref: 6C4C8A8F
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,6C4C88BC,?,?,?,?,?,?,?,?,?), ref: 6C4C8A9D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsncpy_s$_errno_invalid_parameter_noinfo
String ID:
API String ID: 4201559322-0
Opcode ID: c9ef516c6702ad622d6d6640c02258283ebc54bc3a3d96c164f5196a919972a6
Instruction ID: 7ebf5f7fe6d77137a644d66d50d8b18b9dc023a90ad80199c252e2c433611880
Opcode Fuzzy Hash: c9ef516c6702ad622d6d6640c02258283ebc54bc3a3d96c164f5196a919972a6
Instruction Fuzzy Hash: 8061953DB053169BDF14CE198890EAB36A4AF4535EF25462FEC2896FA0D731C841C797

Function 6C464220 Relevance: 10.7, APIs: 7, Instructions: 187COMMON

Download Yara Rule

APIs

__ctrlfp.LIBCMT ref: 6C4F6F36
__ctrlfp.LIBCMT ref: 6C4F6F49

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __ctrlfp
String ID:
API String ID: 1574075368-0
Opcode ID: df2cd93cdcce92da9b2968f102f0589194d755cc5abe2b6e41d84488f7107281
Instruction ID: 8e6024a001fcd0fcc02a4f29ab3ba5527efdbaaf0618fa20d551fa2cb46bf689
Opcode Fuzzy Hash: df2cd93cdcce92da9b2968f102f0589194d755cc5abe2b6e41d84488f7107281
Instruction Fuzzy Hash: F0516630908A05EADB11EF35D800EAEBBB4EFC2385F10C799F4D855694EF3094A6D392

Function 6C453D38 Relevance: 10.7, APIs: 7, Instructions: 157sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR120(6C453D10,00000030,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004,00000006,?,00000000,?,6C47311E,00000003), ref: 6C471C65
Concurrency::details::ContextBase::ClearAliasTable.LIBCMT ref: 6C471C77
?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR120(6C453D10,00000030,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004,00000006,?,00000000,?,6C47311E,00000003), ref: 6C471CA1
?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR120(6C453D10,00000030,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004,00000006,?,00000000,?,6C47311E,00000003), ref: 6C471CE9
Sleep.KERNEL32(00000001,6C453D10,00000030,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004,00000006,?,00000000,?,6C47311E,00000003), ref: 6C471D09
List.LIBCMT ref: 6C471D3D
List.LIBCMT ref: 6C471D4C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$AcquireListLock@details@ReaderSpinWrite@_Writer$A@@details@AliasBase::ClearConcurrency::details::ContextOnce@?$_SleepTableWait@$0
String ID:
API String ID: 2118211163-0
Opcode ID: 11468982ff57797b271e7fa1ae787a07cb638b53ad8785d8fdefc9ceaa85a3bb
Instruction ID: 37d942bb5ab71c9969a6fa493eb85b9aff3619e6f4284b7ea29235ba4830da20
Opcode Fuzzy Hash: 11468982ff57797b271e7fa1ae787a07cb638b53ad8785d8fdefc9ceaa85a3bb
Instruction Fuzzy Hash: 4B5199319066469FDB25CFA8C5A0EDDBBB0BF01319F54416ED8456BB40CB71E909CBE0

Function 6C44CE5C Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

_getptd.MSVCR120(6C44CF58,00000010,6C44CFF4,000000FD,6C44CD81), ref: 6C44CE6B

Part of subcall function 6C43F81C: _getptd.MSVCR120(6C43F8A8,0000000C,6C43F8E3,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C43F82D
Part of subcall function 6C43F81C: _lock.MSVCR120(0000000D,6C43F8A8,0000000C,6C43F8E3,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C43F845

_malloc_crt.MSVCR120(00000220,6C44CF58,00000010,6C44CFF4,000000FD,6C44CD81), ref: 6C44CE97

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

Part of subcall function 6C448C4C: IsValidCodePage.KERNEL32(-00000030,00000000,00000000,00000000), ref: 6C448CAC
Part of subcall function 6C448C4C: GetCPInfo.KERNEL32(00000000,?), ref: 6C448CBB
Part of subcall function 6C448C4C: memset.MSVCR120(00000019,00000000,00000101), ref: 6C448CD3

_lock.MSVCR120(0000000D), ref: 6C44CF16
free.MSVCR120(?,6C44CF58,00000010,6C44CFF4,000000FD,6C44CD81), ref: 6C47759E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd_lock$CodeInfoPageValid_malloc_crtfreemallocmemset
String ID:
API String ID: 1238899101-0
Opcode ID: 500550b96d310abb64585f0fa5692ab6d1ccc81baf5d3cfb0b108764f3908b95
Instruction ID: dec1e8c0095aedd9b92e861cf35ebe525011e59235bf2d8d72821730735484fb
Opcode Fuzzy Hash: 500550b96d310abb64585f0fa5692ab6d1ccc81baf5d3cfb0b108764f3908b95
Instruction Fuzzy Hash: E641D731A052408FEB05EF68C481F9977F0EB46325B39816DE8649BBD1DB389846CBD4

Function 6C4482DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

memset.MSVCR120(?,00000000,000001CA,20FB68CF,00000000,00000055,00000000,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4482EF
_wcscspn.LIBCMT(6C4481B3,_.,,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C44831B
wcsncpy_s.MSVCR120(?,00000040,6C4481B3,00000000,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C448367
wcsncpy_s.MSVCR120(?,00000010,6C4481B5,0000000F,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4483B0
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C47F768

Strings

_.,, xrefs: 6C448315

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsncpy_s$_invoke_watson_wcscspnmemset
String ID: _.,
API String ID: 1770680180-2709443920
Opcode ID: c2e525c43be9ed16da6ae72588113bfe5e4e24d4a9e77e3c7ce51e6874452e1d
Instruction ID: c00c51c2d1e9baf68fc4e11c876f3e8e0d7aebdceaed8776d0429d73caaf97fb
Opcode Fuzzy Hash: c2e525c43be9ed16da6ae72588113bfe5e4e24d4a9e77e3c7ce51e6874452e1d
Instruction Fuzzy Hash: 65313931A4521579F724D62A4C90FF6326CEF01769F70891BFE18D7E81EF61994182E4

Function 6C48B922 Relevance: 10.6, APIs: 7, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C48B929
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48B950

Part of subcall function 6C48F6A1: __EH_prolog3.LIBCMT ref: 6C48F6A8

malloc.MSVCR120(00000000,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C48B9AA
std::exception::exception.LIBCMT(?,00000001,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C48B9D7
_CxxThrowException.MSVCR120(?,6C44C7FC,?,00000001,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?), ref: 6C48B9EC
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48BA39
_freea_s.MSVCR120(?,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C48BA50

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$??0scoped_lock@critical_section@?unlock@critical_section@ExceptionH_prolog3H_prolog3_ThrowV12@@_freea_smallocstd::exception::exception
String ID:
API String ID: 2302070164-0
Opcode ID: 3c023d5caa0e33b414fe5f01b41b8f9fcf1470c6a111097c7d30b8190d14fdc1
Instruction ID: d5aa640573074084abfd2956a4147a30d78f19c51e7df6492038d7b8225f73a1
Opcode Fuzzy Hash: 3c023d5caa0e33b414fe5f01b41b8f9fcf1470c6a111097c7d30b8190d14fdc1
Instruction Fuzzy Hash: 09418B71A02216CFEB05CFA9C891EAEBBB5EF85319F24412DD844ABB50DB74DD05CB90

Function 6C4A6F6D Relevance: 10.6, APIs: 7, Instructions: 107timeCOMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A6F91
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A6F9B

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_get_timezone.MSVCR120(?), ref: 6C4A6FBE
GetSystemTimeAsFileTime.KERNEL32(?), ref: 6C4A6FE4
GetTimeZoneInformation.KERNEL32(?,?,?,23C34600,00000000), ref: 6C4A7018
__aullrem.LIBCMT ref: 6C4A707E
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C4A70B0

Part of subcall function 6C4C469B: IsProcessorFeaturePresent.KERNEL32(00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000,00000000,00000000,00000000,6C49B412), ref: 6C4C469D
Part of subcall function 6C4C469B: __crtTerminateProcess.MSVCR120(C0000417,00000002,C0000417,00000001,?,00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000), ref: 6C4C46BC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Time$FeatureFileInformationPresentProcessProcessorSystemTerminateZone__aullrem__crt_errno_get_timezone_invalid_parameter_invalid_parameter_noinfo_invoke_watson
String ID:
API String ID: 1117467957-0
Opcode ID: 9e3e6e639d392f673e18f245b317640d852a7c09e6cbfd64c5ac8fdf9b7f21e0
Instruction ID: c11db15fb1c4e1c125e2526decd1e117ba50400bdd2af4a59fa85b1b3596c214
Opcode Fuzzy Hash: 9e3e6e639d392f673e18f245b317640d852a7c09e6cbfd64c5ac8fdf9b7f21e0
Instruction Fuzzy Hash: 9C310371B083149BDB20DFA5CC80FDAB3B8EB49704F11049EE109E7780D7709985CBA5

Function 6C48C8B8 Relevance: 10.6, APIs: 7, Instructions: 92threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C48C8BF
GetCurrentThread.KERNEL32 ref: 6C48C90D

Part of subcall function 6C48F8AE: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,00000000,.iDl,?,6C472519,00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C48F8BD

Part of subcall function 6C48F904: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,?,6C48C958,00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C44793F), ref: 6C48F90A

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCMT ref: 6C48C95F

Part of subcall function 6C495CEF: SetEvent.KERNEL32(00000000,?,6C48C964,?,00000000,00000000), ref: 6C495D3D

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C44793F,00000000), ref: 6C48C96E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C44793F,00000000), ref: 6C48C99C
TlsGetValue.KERNEL32(00000000,?,00000024,6C473640,00000000,?), ref: 6C48C9BA
TlsSetValue.KERNEL32(00000000,?,?,00000024,6C473640,00000000,?), ref: 6C48C9C5

Part of subcall function 6C495773: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCMT ref: 6C4957C1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Version@$Concurrency::details::Concurrency@@CriticalManager@1@Proxy::ResourceSchedulerSectionValue$BorrowedCoreCurrentEnterEventH_prolog3_IncrementLeaveStateSubscriptionThreadToggle
String ID:
API String ID: 1834826012-0
Opcode ID: 56fad275ac5a7d53f52848310d73f3180c67bd511aa5ba6f11ad93b5a937bf9f
Instruction ID: 6f5220ad79025402e3959bf030f2ddc11fcbaa06cb29f47a3d06a3ab83cf7324
Opcode Fuzzy Hash: 56fad275ac5a7d53f52848310d73f3180c67bd511aa5ba6f11ad93b5a937bf9f
Instruction Fuzzy Hash: F831AE70A01105DFCF08DFA4C884DAEBBB5FF48304B158299E906AB356D734E845CBE5

Function 6C488FB1 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

malloc.MSVCR120(00000008,00000000), ref: 6C488FBC

Part of subcall function 6C42ED30: HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D

std::exception::exception.LIBCMT(?,00000001,00000000), ref: 6C488FFA
_CxxThrowException.MSVCR120(?,6C44C7FC,?,00000001,00000000), ref: 6C48900F
__EH_prolog3.LIBCMT ref: 6C48901C
??2@YAPAXI@Z.MSVCR120(0000001C,0000001C,6C497D40,6C497DB6), ref: 6C489025
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?,0000001C,6C497D40,6C497DB6), ref: 6C48907E
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,0000001C,6C497D40,6C497DB6), ref: 6C4890A0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$??0scoped_lock@critical_section@??2@?unlock@critical_section@AllocExceptionH_prolog3HeapThrowV12@@mallocstd::exception::exception
String ID:
API String ID: 3930479332-0
Opcode ID: 69f8dd212fb26ec7240b62358f32b0e8a65eca073df26885811dc19ea960ce2d
Instruction ID: 44affe7d380824d19b6bbba208a207ab0e3226a83927e4c9197b4ce4366f68b3
Opcode Fuzzy Hash: 69f8dd212fb26ec7240b62358f32b0e8a65eca073df26885811dc19ea960ce2d
Instruction Fuzzy Hash: 6D319C71902B06DBD714DF65C481E8ABBB4FF51714F20852EE9555BB40DB32D549CBC0

Function 6C4988EB Relevance: 10.6, APIs: 7, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C4988F2
malloc.MSVCR120(?,00000020,6C49921D,?,?,?), ref: 6C49895D

Part of subcall function 6C42ED30: HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D

std::exception::exception.LIBCMT(00000000,00000001,00000020,6C49921D,?,?,?), ref: 6C498989
_CxxThrowException.MSVCR120(?,6C44C7FC,00000000,00000001,00000020,6C49921D,?,?,?), ref: 6C49899E
?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR120(00000000,00000002,00000001,000000FF,00000020,6C49921D,?,?,?), ref: 6C4989CE
_freea_s.MSVCR120(00000000,00000000,00000002,00000001,000000FF,00000020,6C49921D,?,?,?), ref: 6C4989D4
?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000020,6C49921D,?,?,?), ref: 6C4989E3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$?wait@event@?wait_for_multiple@event@AllocExceptionH_prolog3_HeapThrowV12@_freea_smallocstd::exception::exception
String ID:
API String ID: 559173246-0
Opcode ID: 4346f16dbb0ae600a4e5cad6248c1b31699dba04d040f6c558216abf61c4d934
Instruction ID: 1f4518be1d2eaece5447aa112fcc086ac65bab695f3dda33ec3aeb5edcb4924e
Opcode Fuzzy Hash: 4346f16dbb0ae600a4e5cad6248c1b31699dba04d040f6c558216abf61c4d934
Instruction Fuzzy Hash: DE31BFB2D012268BDB10DF98C881E9EBBB8EF45715F60411AE945ABB54D730CA46CBD1

Function 6C440969 Relevance: 10.6, APIs: 7, Instructions: 83stringCOMMON

Download Yara Rule

APIs

_errno.MSVCR120(?,?,?,?,?,?,6C440A40,00000010), ref: 6C440951
_fileno.MSVCR120(?,?,?,?,?,?,?,6C440A40,00000010), ref: 6C44099A
strlen.MSVCR120(?,?,?,?,?,?,?,6C440A40,00000010), ref: 6C4409ED
_lock_file.MSVCR120(?,?,?,?,?,?,?,?,6C440A40,00000010), ref: 6C4409F8
_fwrite_nolock.MSVCR120(?,00000001,00000000,?,?,?,?,?,?,?,?,6C440A40,00000010), ref: 6C440A12
__ftbuf.LIBCMT ref: 6C440A1C
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,6C440A40,00000010), ref: 6C474F91

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __ftbuf_errno_fileno_fwrite_nolock_invalid_parameter_noinfo_lock_filestrlen
String ID:
API String ID: 2817190391-0
Opcode ID: fb1439a7c0648d16a0bbbf8611072810b14ed5b17ec752aaed9ad9b260bf2765
Instruction ID: 158a84c43abafe649aca651e247addd82b0b0637fc7bb07c10dbc0796cd7f396
Opcode Fuzzy Hash: fb1439a7c0648d16a0bbbf8611072810b14ed5b17ec752aaed9ad9b260bf2765
Instruction Fuzzy Hash: F621F632A052455BFB00DA758C41FAE39A1EBE537DF34C31CE4349ABD1CB78C5668681

Function 6C4508EE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

__fltout2.LIBCMT ref: 6C450917

Part of subcall function 6C43B131: $I10_OUTPUT.MSVCR120(?,?,?,?,?,?,6C4A92B2,?,?,?,?,00000016,?,0000015D,?), ref: 6C43B170
Part of subcall function 6C43B131: strcpy_s.MSVCR120(6C4A92B2,?,?,?,?,?,?,?,?,6C4A92B2,?,?,?,?,00000016), ref: 6C43B190

_errno.MSVCR120(?,?,?,?,?,?,?,?,6C4A94D6,00000000,?,6C4A94D6,?,?,?,?), ref: 6C481087
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,6C4A94D6,00000000,?,6C4A94D6,?,?,?,?), ref: 6C48108E
_errno.MSVCR120(?,?,?,?,?,?,?,?,?,6C4A94D6,00000000,?,6C4A94D6,?,?,?), ref: 6C48109A
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,?,6C4A94D6,00000000,?,6C4A94D6,?,?,?), ref: 6C4810A1

Strings

-, xrefs: 6C450956

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$I10___fltout2strcpy_s
String ID: -
API String ID: 2050506888-2547889144
Opcode ID: 6efb5e7cbf1259a8eb928a44202ef136c32da93f4a6129e27615275c1a13fb3b
Instruction ID: b296874101f9aef3f65ef969addcf2ded54772667a973500a5679111fd9773c2
Opcode Fuzzy Hash: 6efb5e7cbf1259a8eb928a44202ef136c32da93f4a6129e27615275c1a13fb3b
Instruction Fuzzy Hash: F421C2B6A01149AFDB04DF79CC80EEEB7B8EF49258F044169E925A7750E734D8148BA1

Function 6C452E0C Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

__doserrno.MSVCR120(6C452EB0,00000010), ref: 6C452E02
__doserrno.MSVCR120(6C452EB0,00000010), ref: 6C47F011
_errno.MSVCR120(6C452EB0,00000010), ref: 6C47F018
_errno.MSVCR120(6C452EB0,00000010), ref: 6C47F05D
_invalid_parameter_noinfo.MSVCR120(6C452EB0,00000010), ref: 6C47F068

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: d5ac7410ae3659979873adee64aa1209fcb635395bfa0bb999822cc116545923
Instruction ID: 8f45d4cdf3a03cde5dd8c2d25ae7a4a39b90efff254e82c599a422e7b94dae75
Opcode Fuzzy Hash: d5ac7410ae3659979873adee64aa1209fcb635395bfa0bb999822cc116545923
Instruction Fuzzy Hash: 8E2146316022215AE731DF388888EED36B09F86368FA4121ED0746BFE0CF34881686E1

Function 6C433E6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C475CF5
_invalid_parameter_noinfo.MSVCR120 ref: 6C475D00
_errno.MSVCR120(?), ref: 6C475D0D
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C475D18

Strings

B, xrefs: 6C433EB3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 41eae63a9d4462465d4519238392044cd4c182868a480cdf31359df9f0fb5fa0
Instruction ID: 474b3c39077ae5219c775791e5883bca8ec805eb4cbddf9e5f52cdaf289fd3aa
Opcode Fuzzy Hash: 41eae63a9d4462465d4519238392044cd4c182868a480cdf31359df9f0fb5fa0
Instruction Fuzzy Hash: 0D21B2319042298EDB10CEB9D805FEF7BB4EB48328F104219E924A76D0D779C4018BA1

Function 6C436F4B Relevance: 10.6, APIs: 7, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

__crtCompareStringA.MSVCR120(014281C0,?,00001001,00000000,014281C0,014281C0,014281C0,?,00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0), ref: 6C436FAF
_strnicmp_l.MSVCR120(00000000,014281C0,014281C0,014281C0,00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000), ref: 6C44E3F6
_errno.MSVCR120(00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C47AB98
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C47ABA3
_errno.MSVCR120(00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C47ABB2
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C47ABBD
_errno.MSVCR120(?,?,?,?,00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000), ref: 6C47ABC7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$CompareString__crt_getptd_strnicmp_l
String ID:
API String ID: 535387727-0
Opcode ID: 8343183528071228cd948c9da2a8cc03f2dbce6e916447550be9f97a05173cab
Instruction ID: 02553b2fa55e35637e4efa49bce395acbec3fadebbff3b6b46f26fb12a62a96c
Opcode Fuzzy Hash: 8343183528071228cd948c9da2a8cc03f2dbce6e916447550be9f97a05173cab
Instruction Fuzzy Hash: D421C271A01225ABEB10DE96CC40EFAB769FF85366F14165CA92497BA0DB30DC0587F1

Function 6C44CABB Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,6C44CAB6), ref: 6C44CAC0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,6C44CAB6), ref: 6C44CAF4
_malloc_crt.MSVCR120(00000000,?,?,?,?,6C44CAB6), ref: 6C44CB02
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,?,?,?,?,6C44CAB6), ref: 6C44CB1A
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,6C44CAB6), ref: 6C44CB29
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,6C44CAB6), ref: 6C44CB39

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
String ID:
API String ID: 3279498665-0
Opcode ID: f3b9660918aa17864853ace3fc6a0997c8bc1d99c9f0bc35d88909d7c46ac493
Instruction ID: d46fb714d81c25addb6027cc791e4a66041fa9aa715992162b408ebfd67798ce
Opcode Fuzzy Hash: f3b9660918aa17864853ace3fc6a0997c8bc1d99c9f0bc35d88909d7c46ac493
Instruction Fuzzy Hash: 41110C62B052527BBB20AAB55C4CC3B7B7CEE42259369842EFC05D3600EB608C0481F4

Function 6C434DF1 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.MSVCR120(?,?,?,?,6C434F10,?,6C434F30,00000010), ref: 6C434DFA
_get_osfhandle.MSVCR120(?), ref: 6C434E1D

Part of subcall function 6C434D4B: __doserrno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C434D84
Part of subcall function 6C434D4B: _errno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFE6
Part of subcall function 6C434D4B: _invalid_parameter_noinfo.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFF1

CloseHandle.KERNEL32(00000000), ref: 6C434E24
_get_osfhandle.MSVCR120(00000002), ref: 6C452A17
_get_osfhandle.MSVCR120(00000001,00000002), ref: 6C452A20
GetLastError.KERNEL32 ref: 6C47E211

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
String ID:
API String ID: 1012986785-0
Opcode ID: 75fdda106664206d1bdeb30e5c67fd6e12f11d9527eafd41198117f3cd90cc0c
Instruction ID: 20b561600a871e3ab3696e9fa3b6043e5a721e6e736a02a4b827a3aa7fe91a36
Opcode Fuzzy Hash: 75fdda106664206d1bdeb30e5c67fd6e12f11d9527eafd41198117f3cd90cc0c
Instruction Fuzzy Hash: 2611253228617016D632D2769859FEE3F554BCA7B9F25621DD92C8BBC0DF22884281A1

Function 6C443960 Relevance: 10.6, APIs: 7, Instructions: 62stringCOMMON

Download Yara Rule

APIs

__unDName.MSVCR120(00000000,?,00000000,?,?,00002800,6C434110,0000000C), ref: 6C443979

Part of subcall function 6C4438B1: _lock.MSVCR120(00000005,6C443948,00000064,6C44397E,00000000,?,00000000,?,?,00002800,6C434110,0000000C), ref: 6C4438D7

strlen.MSVCR120(00000000), ref: 6C44398C
_lock.MSVCR120(0000000E), ref: 6C4439A9
malloc.MSVCR120(00000008), ref: 6C4439BB
malloc.MSVCR120(-00000004), ref: 6C4439CC
strcpy_s.MSVCR120(00000000,-00000004,00000000), ref: 6C4439E0
free.MSVCR120(00000000), ref: 6C443A05

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _lockmalloc$Name__unfreestrcpy_sstrlen
String ID:
API String ID: 3329257654-0
Opcode ID: bf3858c23e084f904364ffd0009e4cb8c988c3202629067c995dff901fe6c758
Instruction ID: bea8f70bf78d9226b2accc601195d8690de76796451ba4650cd4f7e51dc6a005
Opcode Fuzzy Hash: bf3858c23e084f904364ffd0009e4cb8c988c3202629067c995dff901fe6c758
Instruction Fuzzy Hash: 7E11E7B29117127BE710CB759C41F9AF7E4BF04319F24C519E818A7B81EB38D804CAD0

Function 6C42ED30 Relevance: 10.6, APIs: 7, Instructions: 61memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D
__NMSG_WRITE.LIBCMT ref: 6C47DA8F
_callnewh.MSVCR120(6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000), ref: 6C47DAB3
_callnewh.MSVCR120(6C49C0AD,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000), ref: 6C47DAD6
_errno.MSVCR120(00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000), ref: 6C47DADC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _callnewh$AllocHeap_errno
String ID:
API String ID: 3215684309-0
Opcode ID: 20ef7e64a686d52e79745a9813cdb5382b45a4bfd50663ae2fa235be82ee7625
Instruction ID: 5e3f0390c6f0982d9bd8ec7f7d31ff50a3cace5671554e5c35f5f70516ff9b62
Opcode Fuzzy Hash: 20ef7e64a686d52e79745a9813cdb5382b45a4bfd50663ae2fa235be82ee7625
Instruction Fuzzy Hash: 4D012B353652115AEB20DB399C45FAA3758DBC2A6AF14012DD9149BFD0DF74D80486F0

Function 6C434EA2 Relevance: 10.6, APIs: 7, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR120(6C434F30,00000010), ref: 6C434E98
__doserrno.MSVCR120(6C434F30,00000010), ref: 6C47E1BB
_errno.MSVCR120(6C434F30,00000010), ref: 6C47E1C2
_errno.MSVCR120(6C434F30,00000010), ref: 6C47E1F9
_invalid_parameter_noinfo.MSVCR120(6C434F30,00000010), ref: 6C47E204

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 430a991fb19287ab8263f1c3e2e9238a5288ef627a66442989b6bf13d0a051f9
Instruction ID: 49cdd1af77431fdf40bf4a52a99085748afbffde87950c836c2a53c92d096a66
Opcode Fuzzy Hash: 430a991fb19287ab8263f1c3e2e9238a5288ef627a66442989b6bf13d0a051f9
Instruction Fuzzy Hash: D611B9319126305FD312DF698881FDD3AA0AFCA369F152748D4785BBF1CB7888058BE1

Function 6C43CBBC Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

memcpy.MSVCR120(?,?), ref: 6C43CBF1
_errno.MSVCR120 ref: 6C47645D
_invalid_parameter_noinfo.MSVCR120 ref: 6C476467
_wmemset.LIBCMT ref: 6C476479
_errno.MSVCR120 ref: 6C476485
_errno.MSVCR120 ref: 6C476493
_invalid_parameter_noinfo.MSVCR120 ref: 6C47649D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_wmemsetmemcpy
String ID:
API String ID: 1830569105-0
Opcode ID: d466e86d94f8c8e3f76ff28f24f5c7603f8faac23cd4054913c42b66cff7b720
Instruction ID: 130bf74067eb29d502116f08c55c28667df633e464ce710337e196ccf37078c6
Opcode Fuzzy Hash: d466e86d94f8c8e3f76ff28f24f5c7603f8faac23cd4054913c42b66cff7b720
Instruction Fuzzy Hash: 6B01D231745234ABC632EE69AC00FDE37298F89B65F04441AF808EAB00D775C85086F9

Function 6C48B45B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 6C434872: TlsGetValue.KERNEL32(?,6C4348CA,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C43488E

??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?), ref: 6C48B4CF

Part of subcall function 6C48F6A1: __EH_prolog3.LIBCMT ref: 6C48F6A8

?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?), ref: 6C48B4EE
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48B4FC

Part of subcall function 6C48F4D7: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCMT ref: 6C48F540

?Block@Context@Concurrency@@SAXXZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48B501
?lock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48B509

Strings

luHl, xrefs: 6C48B4AB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$?unlock@critical_section@$??0scoped_lock@critical_section@?lock@critical_section@Block@Concurrency::details::Context@DerefH_prolog3LockNodeNode::QueueTimerV12@@Value
String ID: luHl
API String ID: 3879525386-2116736354
Opcode ID: 49f8c4dfeb4ad5e4edad45e0abc0880339651d95662115506eb9007f44505500
Instruction ID: b7ade5722e7edb3bd0f08ec0ae49466062e6902a152f7d25f89bcbe2953f2834
Opcode Fuzzy Hash: 49f8c4dfeb4ad5e4edad45e0abc0880339651d95662115506eb9007f44505500
Instruction Fuzzy Hash: CA214DB15093849FC310DF69C490D8AFBE4FB85664F404A2EF8A583790DB31E504CF86

Function 6C48CBA7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

SetEvent.KERNEL32(?,00000004,?,00000000), ref: 6C48CBE0
??0exception@std@@QAE@XZ.MSVCR120 ref: 6C48CBF8
??0exception@std@@QAE@XZ.MSVCR120(00000004,?,00000000), ref: 6C48CC0E
_CxxThrowException.MSVCR120(twHl,6C4FCF5C), ref: 6C48CC23
std::exception::exception.LIBCMT(6C4FCF5C,?,?,twHl,6C4FCF5C), ref: 6C48CC32

Strings

twHl, xrefs: 6C48CC1F, 6C48CC22

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??0exception@std@@$EventExceptionThrowValuestd::exception::exception
String ID: twHl
API String ID: 4125633965-3892543100
Opcode ID: bac294f00c9e5182d2eb46fe8febc37732bd8ea305d0befc15d0e8e77e198f28
Instruction ID: cc702e1d50d6c4eb4f44b6f387952ef84df9e3c25e3b1dba9795efd2f964bb19
Opcode Fuzzy Hash: bac294f00c9e5182d2eb46fe8febc37732bd8ea305d0befc15d0e8e77e198f28
Instruction Fuzzy Hash: CD112531A05208ABC710EF68C801DC9FB68EF01624B00869DF968A7EA0DB31E908CBD4

Function 6C4444FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,6C445034,5425FDEF,?,00000180,?), ref: 6C444509
GetLastError.KERNEL32(?,6C4FCF40,?,?,?,?,?,?,6C446C5D), ref: 6C4720C9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C446C5D), ref: 6C4720DF
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720ED
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C4FCF40,00000000,?,?,?,?,?,6C446C5D), ref: 6C4720F3

Strings

]lDl, xrefs: 6C4720FD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Version@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@ErrorExceptionHighestLastManager@1@NodeNumaNumberResourceThrow
String ID: ]lDl
API String ID: 2376245552-2315230549
Opcode ID: 459ed69fb077246de1f589b75a9d07eb7dcf565180cba069c20137072dc99032
Instruction ID: 6de31a01bd467c1225e20e5bcc4556aa877a8fdd4808320135df605e79cc3e3e
Opcode Fuzzy Hash: 459ed69fb077246de1f589b75a9d07eb7dcf565180cba069c20137072dc99032
Instruction Fuzzy Hash: B7014C35702049A79A30EAA69C48EEB77ACEB45155B200559FD04D6B04EF21C90882F4

Function 6C44AACE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C47D440
DName::operator+.LIBCMT ref: 6C47D447
DName::DName.LIBCMT ref: 6C47D469
DName::operator+.LIBCMT ref: 6C47D470
DName::operator+.LIBCMT ref: 6C47D477

Strings

throw(, xrefs: 6C47D438, 6C47D461

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: d9af342e31bf1e2d8f36e54d3298268d01a19f52c14539fdcf61538cc841e6db
Instruction ID: 8617195e5f58c1f83503edc9628112d3d3a1a067889f1734c93128282c47a765
Opcode Fuzzy Hash: d9af342e31bf1e2d8f36e54d3298268d01a19f52c14539fdcf61538cc841e6db
Instruction Fuzzy Hash: 3F016D30650209AFDF14CFA4CC56EFE3BB9EF01348F10846DE905AB690DB34A9588BD0

Function 6C45201F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__wcenvarg.LIBCMT ref: 6C452048

Part of subcall function 6C451E4B: wcslen.MSVCR120(00000000,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000,?,?), ref: 6C451EA4
Part of subcall function 6C451E4B: _calloc_crt.MSVCR120(00000002,00000002,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000,?), ref: 6C451EBC
Part of subcall function 6C451E4B: _wdupenv_s.MSVCR120(?,00000000,?,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000), ref: 6C451EDB
Part of subcall function 6C451E4B: wcslen.MSVCR120(?,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000,?,?), ref: 6C451EEF
Part of subcall function 6C451E4B: wcslen.MSVCR120(?,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000,?,?), ref: 6C451F03
Part of subcall function 6C451E4B: wcscpy_s.MSVCR120(00000000,?,00000000,?,00000000,00000000,?,?,?,LGl,6C45204D,?,LGl,00000000,?,00000000), ref: 6C451F3B

free.MSVCR120(000000FF,?,00000000,000000FF,?,6C474CE2), ref: 6C452069

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

free.MSVCR120(?,000000FF,?,00000000,000000FF,?,6C474CE2), ref: 6C452071
_errno.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C474D10
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C474D1B

Strings

LGl, xrefs: 6C452042

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcslen$free$FreeHeap__wcenvarg_calloc_crt_errno_invalid_parameter_noinfo_wdupenv_swcscpy_s
String ID: LGl
API String ID: 1355187257-2850259299
Opcode ID: 76bf5bb4073fa13d9f8f257364d9b8be033e431d19ac16dc88059f4c09db1408
Instruction ID: 4d435c3f5024923f827d63a2da57a4cce907d98ecb24afef0d625b7ad52dcd1d
Opcode Fuzzy Hash: 76bf5bb4073fa13d9f8f257364d9b8be033e431d19ac16dc88059f4c09db1408
Instruction Fuzzy Hash: 73F0AD32801018BBCF21DEA4CC05EEE3728AF01368F200256FD2452AA0DB729A24DBE1

Function 6C44C754 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.MSVCR120(?), ref: 6C44C770

Part of subcall function 6C432226: malloc.MSVCR120(6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C432237

std::exception::exception.LIBCMT(?,00000001), ref: 6C473AB3
std::exception::exception.LIBCMT(?), ref: 6C473AD4
_CxxThrowException.MSVCR120(6C48176C,6C4FCE18,?), ref: 6C473AE9
free.MSVCR120(00000000), ref: 6C473AF0

Strings

_DebugMallocator<T>::allocate() - Integer overflow., xrefs: 6C473AC9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: std::exception::exception$ExceptionThrow_malloc_crtfreemalloc
String ID: _DebugMallocator<T>::allocate() - Integer overflow.
API String ID: 845836463-3293063709
Opcode ID: a8c726f14812e68bea7e9e15309b93389b9e96749003cc1f1ec6e89dba64a2c9
Instruction ID: 59184f83b36cffae18d634719c42e82aeb1b9e68ef56b3de5bde739905f6c7cf
Opcode Fuzzy Hash: a8c726f14812e68bea7e9e15309b93389b9e96749003cc1f1ec6e89dba64a2c9
Instruction Fuzzy Hash: 49F0A976C0120D6ADF10EFA5D882FDEBB6CEB00654F20C55AEC15A7E50DB34D218C6E1

Function 6C439AB6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_FindAndUnlinkFrame.MSVCR120(?,6C4399B8,00000000), ref: 6C439ABF

Part of subcall function 6C439A8D: _getptd.MSVCR120(?,?,6C439AC4,?,6C4399B8,00000000), ref: 6C439A91
Part of subcall function 6C439A8D: _getptd.MSVCR120(?,?,6C439AC4,?,6C4399B8,00000000), ref: 6C439AA5

_getptd.MSVCR120(6C4399B8,00000000), ref: 6C439AC5
_getptd.MSVCR120(6C4399B8,00000000), ref: 6C439AD3
_IsExceptionObjectToBeDestroyed.MSVCR120(00000000), ref: 6C439B14

Part of subcall function 6C439364: _getptd.MSVCR120 ref: 6C439367

__DestructExceptionObject.MSVCR120(?,00000000), ref: 6C439B22

Strings

csm, xrefs: 6C439AE1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
String ID: csm
API String ID: 473968603-1018135373
Opcode ID: c69c183f2a0aeb567c3bf67c87643f11215e2007519679327255a15a990112a2
Instruction ID: 12d63e2fc76cbf360e8623fa39419da605906cb81b0d5168c6cccab4435c7cb9
Opcode Fuzzy Hash: c69c183f2a0aeb567c3bf67c87643f11215e2007519679327255a15a990112a2
Instruction Fuzzy Hash: 4701CC35806325CACF28CF62C400E9ABBB1FF98316F28252DC49D16F50DB32D949CA80

Function 6C49C9A7 Relevance: 10.5, APIs: 7, Instructions: 31threadCOMMON

Download Yara Rule

APIs

__get_tlsindex.MSVCR120 ref: 6C49C9AA
__crtFlsGetValue.MSVCR120(00000000), ref: 6C49C9B0
__get_tlsindex.MSVCR120(?), ref: 6C49C9BF
__crtFlsSetValue.MSVCR120(00000000,?), ref: 6C49C9C5
GetLastError.KERNEL32 ref: 6C49C9D0
ExitThread.KERNEL32 ref: 6C49C9D7
_freefls.MSVCR120(?), ref: 6C49C9F3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Value__crt__get_tlsindex$ErrorExitLastThread_freefls
String ID:
API String ID: 415173470-0
Opcode ID: 59047c13d008b20ab1b3a6e4500fe0879a228577c4c9673a451f387c73dd9d97
Instruction ID: a3ee29e0742186703ad5a00f4246ed68cadfbb0ba7f29d7dbed889d886aeb1c4
Opcode Fuzzy Hash: 59047c13d008b20ab1b3a6e4500fe0879a228577c4c9673a451f387c73dd9d97
Instruction Fuzzy Hash: D2F05E75A042059FEB08EFB9C904D4D7BBAAF48209325851DA809CBB01EB35D845CBD4

Function 6C49C9FE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?), ref: 6C49CA18
GetProcAddress.KERNEL32(00000000), ref: 6C49CA1F
EncodePointer.KERNEL32(00000000), ref: 6C49CA2B
DecodePointer.KERNEL32(00000001,?), ref: 6C49CA48

Strings

combase.dll, xrefs: 6C49CA13
RoInitialize, xrefs: 6C49CA07

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 11e3c266d54eadb4b97864f28a05783e1fd2dfc8875c129dea3000d1bf814574
Instruction ID: 9a054860cbd19b43577c608d4df9be3ae5de84b02a987784f0a7ce0fde7b0a20
Opcode Fuzzy Hash: 11e3c266d54eadb4b97864f28a05783e1fd2dfc8875c129dea3000d1bf814574
Instruction Fuzzy Hash: A6E01A707A4250AAEF10AF76CD1CF097B74BB1274AF925528B102D6580DB7440089A4C

Function 6C4BE164 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

_getptd.MSVCR120 ref: 6C4BE184
_getptd.MSVCR120 ref: 6C4BE195
_getptd.MSVCR120 ref: 6C4BE1A3

Strings

MOC, xrefs: 6C4BE174
RCC, xrefs: 6C4BE16C
csm, xrefs: 6C4BE17C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 4baa1040828cfe797551a8c501a7ba5fca23831defe1c63595536794fd8fcb59
Instruction ID: 430bf22043ec53fa43811f0877231b72a6c99272fcc1ffcefa65c12939208e7a
Opcode Fuzzy Hash: 4baa1040828cfe797551a8c501a7ba5fca23831defe1c63595536794fd8fcb59
Instruction Fuzzy Hash: 79E0E538505204CEE700DBA4C14AFA836A4BF8975AF6615E5C85C5BB22C77CA885CAF2

Function 6C49CA56 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,6C473F0C), ref: 6C49CA70
GetProcAddress.KERNEL32(00000000), ref: 6C49CA77
EncodePointer.KERNEL32(00000000), ref: 6C49CA82
DecodePointer.KERNEL32(6C473F0C), ref: 6C49CA9D

Strings

combase.dll, xrefs: 6C49CA6B
RoUninitialize, xrefs: 6C49CA5F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 3febfe42c0ff5b42836624a68007d66491d56ca755cbcd024e00e394274da667
Instruction ID: 18a09c2281e6cbec30303cad02dead460911707ec34ab9af6a3efd079c32e6a2
Opcode Fuzzy Hash: 3febfe42c0ff5b42836624a68007d66491d56ca755cbcd024e00e394274da667
Instruction Fuzzy Hash: 41E09274784240AAEF40DF65CC1DF087B78BB12346F62942CB502D6580DB7494489F5C

Function 6C4F0162 Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

_dtest.MSVCR120(?,?,?,?,?,?,?,?,?,6C4F0120), ref: 6C4F016F
_dtest.MSVCR120(?,?,?,?,?,?,?,?,?,?,6C4F0120), ref: 6C4F017B
__Dunscale.LIBCPMT ref: 6C4F01F7
__Dunscale.LIBCPMT ref: 6C4F0210
__dscale.LIBCMT ref: 6C4F026D
__fperrraise.LIBCMT ref: 6C4F0304

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Dunscale_dtest$__dscale__fperrraise
String ID:
API String ID: 1009800014-0
Opcode ID: fe0d1fe1bc5aa49b18ec5c889c01e1657bc6a13e3ca34df6534d2c888d116b0d
Instruction ID: a82c12b3638a11a09bfe1b2a5441be7a0f429573632a45cdd68fe190a60bc423
Opcode Fuzzy Hash: fe0d1fe1bc5aa49b18ec5c889c01e1657bc6a13e3ca34df6534d2c888d116b0d
Instruction Fuzzy Hash: BD513862D0524E96CF01EE94D880FDE3FB8FBC5751F524689E961625C0EB308A578BD0

Function 6C447893 Relevance: 9.2, APIs: 6, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CreateAllocatedNodeData.LIBCMT ref: 6C4478A7

Part of subcall function 6C4445FA: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C44461A
Part of subcall function 6C4445FA: memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C44462D
Part of subcall function 6C4445FA: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C44466B
Part of subcall function 6C4445FA: memset.MSVCR120(00000000,00000000,?), ref: 6C44469C

Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 6C44792E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::DataManager::Resourcememset$AllocatedAllocationCreateGlobalNodeReset
String ID:
API String ID: 3832299370-0
Opcode ID: 5ba2245185b1c115d7de764aee7fb82574760f26232a0778eeb2a0d3bdcf0b35
Instruction ID: 5eec9387551fc4dfdb86ee88de590da688f89c5f0bd8d7c2fc49552b54f09517
Opcode Fuzzy Hash: 5ba2245185b1c115d7de764aee7fb82574760f26232a0778eeb2a0d3bdcf0b35
Instruction Fuzzy Hash: A751A170A04249AFEF15DF78C844EEDBBA6EF45344F20846DD816D7B40DB309A46CB91

Function 6C448C4C Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32(-00000030,00000000,00000000,00000000), ref: 6C448CAC
GetCPInfo.KERNEL32(00000000,?), ref: 6C448CBB
memset.MSVCR120(00000019,00000000,00000101), ref: 6C448CD3
setSBCS.LIBCMT ref: 6C4775F0
memset.MSVCR120(00000019,00000000,00000101,00000000,00000000,00000000), ref: 6C477670

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: memset$CodeInfoPageValid
String ID:
API String ID: 344587817-0
Opcode ID: 58ac8969f2279400775b700c0ddf5c5270ba5a00084d061b55616c38dd0d870e
Instruction ID: 1ef45d1d46110a7bed148e9b0a2dc2c43189b40a12879d7204d9c01d23017d22
Opcode Fuzzy Hash: 58ac8969f2279400775b700c0ddf5c5270ba5a00084d061b55616c38dd0d870e
Instruction Fuzzy Hash: 9A513870A092455EEB22CF79C840EEABBB5EF52319F60842FC491CBA55D7359146CBE0

Function 6C4BCB9D Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

__crtGetTimeFormatEx.MSVCR120(?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,6C4BD992,00000000,00000000,00000000), ref: 6C4BCC58
__crtGetDateFormatEx.MSVCR120(?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,6C4BD992,00000000,00000000,00000000), ref: 6C4BCC64
malloc.MSVCR120(00000000,?,?,?,?,00000000,00000000,6C4BD992,00000000,00000000,00000000), ref: 6C4BCCAB
__crtGetTimeFormatEx.MSVCR120(?,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,6C4BD992,00000000,00000000,00000000), ref: 6C4BCCEE
__crtGetDateFormatEx.MSVCR120(?,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,6C4BD992,00000000,00000000,00000000), ref: 6C4BCCF5
_freea_s.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C4BD992,00000000,00000000), ref: 6C4BCD2A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Format__crt$DateTime$_freea_smalloc
String ID:
API String ID: 4257112946-0
Opcode ID: 38de370211fdeff077c56e52ad416ee633e15a5ead8c6f4a40082488749d25c9
Instruction ID: ee455b82848076d2c4cd615b594362374f0b13ae4694992c794c592150effe78
Opcode Fuzzy Hash: 38de370211fdeff077c56e52ad416ee633e15a5ead8c6f4a40082488749d25c9
Instruction Fuzzy Hash: DA515E79E0021ACBDB00DF98C480EEEB7B5FF88714F248069E804BB700D7359942CBA5

Function 6C4ACF38 Relevance: 9.1, APIs: 6, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_errno.MSVCR120(00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C503B90,6C49C0DE), ref: 6C4ACF5A
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C503B90,6C49C0DE), ref: 6C4ACF65
_stricmp_l.MSVCR120(00000001,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C503B90,6C49C0DE), ref: 6C4ACF7F
__crtLCMapStringA.MSVCR120(00000000,?,00000200,00000002,00000002,?,00000002,?,00000001,00000000,00000000,00000000,00000004,00000000,00000000,00000000), ref: 6C4ACFC2
__crtLCMapStringA.MSVCR120(00000000,?,00000200,00000000,00000002,?,00000002,?,00000001,?,?,?,?,?,00000000,00000000), ref: 6C4AD04D
_errno.MSVCR120(?,?,?,?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 6C4AD0B6

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: String__crt_errno$_getptd_invalid_parameter_noinfo_stricmp_l
String ID:
API String ID: 1992914148-0
Opcode ID: b6cfae906dbf84914c0c135dea50e33e46292a1bbb46c92c2bff56f3f78f5555
Instruction ID: 7be94279bd9abc44cbccdc42cd2c7e284fb681fa66f1e7bd58d9d62c0c4d9f7e
Opcode Fuzzy Hash: b6cfae906dbf84914c0c135dea50e33e46292a1bbb46c92c2bff56f3f78f5555
Instruction Fuzzy Hash: FD514470A08259ABDB01DE96C840FEA7BB4DB6931DF248159FC948FAC5D336CA43D790

Function 6C440891 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

memcpy.MSVCR120(?,00000000,?), ref: 6C440923
_flsbuf.MSVCR120(00000000,?), ref: 6C44F7DB
_errno.MSVCR120 ref: 6C45138C
_invalid_parameter_noinfo.MSVCR120 ref: 6C47587E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_flsbuf_invalid_parameter_noinfomemcpy
String ID:
API String ID: 508512864-0
Opcode ID: d0212448698406f956a895f9bfeae6de57b1d50abaf86fbcc3e6df5cb2bb2f33
Instruction ID: 97b2ead6262a359b241afe260e4ea93db47812d27c3ab7ee0a5e59806c19cd4d
Opcode Fuzzy Hash: d0212448698406f956a895f9bfeae6de57b1d50abaf86fbcc3e6df5cb2bb2f33
Instruction Fuzzy Hash: F041D674B067459BFB08CFA9C890DAE77A5EF44369B20C62EE814C7F50EB70D9618B40

Function 6C4929BE Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCMT ref: 6C4929E4

Part of subcall function 6C493D4A: InterlockedPopEntrySList.KERNEL32(?,?,6C4929E9,00000000,?), ref: 6C493D54
Part of subcall function 6C493D4A: ??2@YAPAXI@Z.MSVCR120(00000010,?,6C4929E9,00000000,?), ref: 6C493D69

std::exception::exception.LIBCMT(00000000), ref: 6C492AF6
_CxxThrowException.MSVCR120(?,Function_000DCEE8,00000000), ref: 6C492B0B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@Base::ChoreConcurrency::details::EntryExceptionInterlockedListRealizedSchedulerThrowstd::exception::exception
String ID:
API String ID: 2878774513-0
Opcode ID: ad85f8c49a172e753cfbd447228b98b125dc97115a7c1f5ff15b945181e27653
Instruction ID: 01fe217f15aa04e361ffbb36cafb06982e6f3bc1c43546331d382d345707b0f1
Opcode Fuzzy Hash: ad85f8c49a172e753cfbd447228b98b125dc97115a7c1f5ff15b945181e27653
Instruction Fuzzy Hash: 704180316012119FDB24DF25C898F9ABBB4FF45315F218169EC199BB52DB30D94ACBD0

Function 6C48F939 Relevance: 9.1, APIs: 6, Instructions: 108COMMONLIBRARYCODE

Download Yara Rule

APIs

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(00000000,?,00000000,?,6C47351F,00000000,00000000,?), ref: 6C48F944

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(00000000,?,00000000,?,6C47351F,00000000,00000000,?), ref: 6C48F9AB
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(00000000,?,00000000,?,6C47351F,00000000,00000000,?), ref: 6C48F9B5
??0exception@std@@QAE@XZ.MSVCR120(00000000,?,00000000,?,6C47351F,00000000,00000000,?), ref: 6C48FA1C
_CxxThrowException.MSVCR120(?,Function_000DCFD8,00000000,?,00000000), ref: 6C48FA31
std::exception::exception.LIBCMT(?,?,?,?,Function_000DCFD8,00000000,?,00000000), ref: 6C48FA40

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Version@$Concurrency@@Manager@1@Resource$??0exception@std@@ExceptionH_prolog3Throwstd::exception::exception
String ID:
API String ID: 1103279269-0
Opcode ID: a5bd3143eaec2bc3626c686399ac2e90b45de237c3a67e6e1fd3ef49667ade86
Instruction ID: cb00641ceb80113331154074fcceac0a78c79ec821ed00db4f94c5e3d9c33753
Opcode Fuzzy Hash: a5bd3143eaec2bc3626c686399ac2e90b45de237c3a67e6e1fd3ef49667ade86
Instruction Fuzzy Hash: 73310831E03154ABEB04DF69C880DAEBBB5EF85359B21806ED855E7B00D735D982CBD0

Function 6C49ACDD Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,00000000,?,?,?,?,6C49AB93,?,?,?), ref: 6C49AD53
InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,6C49AB93,?,?,?), ref: 6C49AD6A
QueryDepthSList.KERNEL32(?,?,?,?,?,6C49AB93,?,?,?), ref: 6C49AD71
InterlockedFlushSList.KERNEL32(?,?,?,?,?,6C49AB93,?,?,?), ref: 6C49ADA0
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCMT ref: 6C49ADB5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$DepthInterlockedPointQuerySafe$Concurrency::details::EntryFlushInvocation::InvokeNextPush
String ID:
API String ID: 1206056122-0
Opcode ID: 44da1b8f9467788f652a32f6907a27614999ad87c55a890c146a63419ba153cf
Instruction ID: 983858c759712b80892d805bac3061593860bf71d770e78788160a43dd2384a8
Opcode Fuzzy Hash: 44da1b8f9467788f652a32f6907a27614999ad87c55a890c146a63419ba153cf
Instruction Fuzzy Hash: 5931A331601624EFCB15DF19C980DAA77F6EF89316B10865DE956CBA11DB30F902CBA0

Function 6C48AD3B Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,00000000,00000070,?,?,6C471E37,00000000,?,00000000,?,?,-00000004,6C492C37,?,?), ref: 6C48ADB1
InterlockedPushEntrySList.KERNEL32(?,?,?,6C471E37,00000000,?,00000000,?,?,-00000004,6C492C37,?,?,-00000004,?,6C48DEB3), ref: 6C48ADC6
QueryDepthSList.KERNEL32(?,?,6C471E37,00000000,?,00000000,?,?,-00000004,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004), ref: 6C48ADCD
InterlockedFlushSList.KERNEL32(?,?,6C471E37,00000000,?,00000000,?,?,-00000004,6C492C37,?,?,-00000004,?,6C48DEB3,-00000004), ref: 6C48ADFC
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCMT ref: 6C48AE11

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$DepthInterlockedPointQuerySafe$Concurrency::details::EntryFlushInvocation::InvokeNextPush
String ID:
API String ID: 1206056122-0
Opcode ID: ef56d897d597bbf20fdc71742d06ac8cfd56180f6494b9218f3d265630f06f5c
Instruction ID: c8ed5d40410fcc607e84da90347712b0605312d02e16e98b2be4305bbef3feb2
Opcode Fuzzy Hash: ef56d897d597bbf20fdc71742d06ac8cfd56180f6494b9218f3d265630f06f5c
Instruction Fuzzy Hash: C431A131202610EFCB15DF19C980CAAB3F5FF8931A710895DE956CBA51DB70F902CBA0

Function 6C496326 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32 ref: 6C49639C
InterlockedPushEntrySList.KERNEL32(?,?), ref: 6C4963B3
QueryDepthSList.KERNEL32(?), ref: 6C4963BA
InterlockedFlushSList.KERNEL32(?), ref: 6C4963E9
Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCMT ref: 6C4963FE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$DepthInterlockedPointQuerySafe$Concurrency::details::EntryFlushInvocation::InvokeNextPush
String ID:
API String ID: 1206056122-0
Opcode ID: 4685859b5bbe03f994dc1ee8a79a2c0d8a9281fc3db92474e56f2f3d76f5e624
Instruction ID: 41b3449be90fb9e6ea2248062d4cc549f2f877a58ba2e7268f625cf0317c7ffa
Opcode Fuzzy Hash: 4685859b5bbe03f994dc1ee8a79a2c0d8a9281fc3db92474e56f2f3d76f5e624
Instruction Fuzzy Hash: CB3190312016209FCB25CF19CA80DEAB7F5EF89315715856DE956CBA01CB30F942CFA4

Function 6C493BC9 Relevance: 9.1, APIs: 6, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C493BD0
InterlockedPopEntrySList.KERNEL32(?,?,?,6C473091,00000000,00000000), ref: 6C493BF1
__crtGetTickCount64.MSVCR120(?,?,?,6C473091,00000000,00000000), ref: 6C493C14
__crtGetTickCount64.MSVCR120(00000018,6C48D71D,00000001,?,?,6C473091,00000000,00000000), ref: 6C493C40
InterlockedPopEntrySList.KERNEL32(?,00000018,6C48D71D,00000001,?,?,6C473091,00000000,00000000), ref: 6C493C58
??2@YAPAXI@Z.MSVCR120(00000008,?,?,6C473091,00000000,00000000), ref: 6C493C7C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Count64EntryInterlockedListTick__crt$??2@H_prolog3_catch
String ID:
API String ID: 1274909586-0
Opcode ID: f6cd6d8e25d44a18ec18eef0731103c509a1845ce3d0d5643991d4a8ea4e8648
Instruction ID: ecefbc5646a1538262aa9ddad1163338ceaff16c1e994eb1b095dea4b729f899
Opcode Fuzzy Hash: f6cd6d8e25d44a18ec18eef0731103c509a1845ce3d0d5643991d4a8ea4e8648
Instruction Fuzzy Hash: E7316C72646A229FD705CF74C454FD9BBA0BF4A719F158629D859CB740DB3099098BC0

Function 6C450D63 Relevance: 9.1, APIs: 6, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?,?,6C450D31,?,?,?,?,00000000), ref: 6C4740FA
_invalid_parameter_noinfo.MSVCR120(?,?,6C450D31,?,?,?,?,00000000), ref: 6C474104
_errno.MSVCR120(?,?,?,?,6C450D31,?,?,?,?,00000000), ref: 6C474110
_errno.MSVCR120(?,?,?,?,6C450D31,?,?,?,?,00000000), ref: 6C47411A
_errno.MSVCR120(?,?,?,?,?,6C450D31,?,?,?,?,00000000), ref: 6C474142
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,6C450D31,?,?,?,?,00000000), ref: 6C474149

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: c2757aba9618cebd934d0aa37c1abdb19a80ef9c5ce30a57f709cfeef8e815d8
Instruction ID: 41a66f6589c4163b8210404f9378750466fabac7bd2dbe550c72a51e6d5540cb
Opcode Fuzzy Hash: c2757aba9618cebd934d0aa37c1abdb19a80ef9c5ce30a57f709cfeef8e815d8
Instruction Fuzzy Hash: 533136386492868FD702DF2CC841FDA3BA1EF6A394F245015E8508BB41D770D866CBF1

Function 6C432EB8 Relevance: 9.1, APIs: 6, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C476EB2
_invalid_parameter_noinfo.MSVCR120 ref: 6C476EBC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 5e11eba46e6ddeb57dcd9311bf8b200ca86bbb9609fbf9110a0d3a375050a6f6
Instruction ID: f3f9f3c2769e76a66279a4e61c672320761d4f78ebe83035a27b3f3a347b3c20
Opcode Fuzzy Hash: 5e11eba46e6ddeb57dcd9311bf8b200ca86bbb9609fbf9110a0d3a375050a6f6
Instruction Fuzzy Hash: E421E5316012269ADB21DE6ECC45FEF7364AF89719F201219E928C7BD1DB30C456C7E1

Function 6C432862 Relevance: 9.1, APIs: 6, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C477388
_invalid_parameter_noinfo.MSVCR120 ref: 6C477392
_errno.MSVCR120 ref: 6C4773A5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 21118100cbbe5d861a037cf4a075a8dc3dfc8e7837ca19d7b0035dacd5064d74
Instruction ID: 19c1f7214e282cf834978373e4a174dc8497d639c145a24a7e2c8b8c5c48fd62
Opcode Fuzzy Hash: 21118100cbbe5d861a037cf4a075a8dc3dfc8e7837ca19d7b0035dacd5064d74
Instruction Fuzzy Hash: 692107316096319BD736CE6D8844FEE3694DF89719F201259EC2C9BF91DB70C88583E1

Function 6C4AB935 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4AB95C
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AB966

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_ismbblead_l.MSVCR120(?,?,?), ref: 6C4AB98A
_errno.MSVCR120(?), ref: 6C4AB9A9
_errno.MSVCR120(?), ref: 6C4AB9BF
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C4AB9C9

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_getptd_invalid_parameter_ismbblead_l
String ID:
API String ID: 959098441-0
Opcode ID: 3252a056dfe37f55f8aae8bfbb9124206d09738d798fbd0ce30511ae7be5e211
Instruction ID: 315298c261593497d5c146878565213fde1a86417d704b9fbd3a076cdd801bfe
Opcode Fuzzy Hash: 3252a056dfe37f55f8aae8bfbb9124206d09738d798fbd0ce30511ae7be5e211
Instruction Fuzzy Hash: FD31013190929B9EC701CFA99440FA97BA8BF26319F24425EE8D41F785C735C84ACBA1

Function 6C49999C Relevance: 9.1, APIs: 6, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C443C0B: __crtCreateEventExW.MSVCR120(00000000,00000000,00000000,001F0002), ref: 6C443C1B

Part of subcall function 6C49A549: CreateThread.KERNEL32(00000000,00010000,6C487870,6C48754C,?,"Il), ref: 6C49A55C

CloseHandle.KERNEL32(?), ref: 6C499A0D
GetLastError.KERNEL32 ref: 6C499A1B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?), ref: 6C499A3D
_CxxThrowException.MSVCR120(?,6C499A58,?), ref: 6C499A52
Concurrency::details::ThreadProxy::~ThreadProxy.LIBCMT ref: 6C499A6E
free.MSVCR120(?,00000002), ref: 6C499A7A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Thread$Create$CloseConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorEventExceptionHandleLastProxyProxy::~Throw__crtfree
String ID:
API String ID: 4077590961-0
Opcode ID: 60be62f3d738eddd8ec82a96afb5348886fff4d2393d25dd508b9fcce4974961
Instruction ID: 70411175272fa035218c4d2f73ad20c7546fd2e81e31ed384e7ebfdd02d9914b
Opcode Fuzzy Hash: 60be62f3d738eddd8ec82a96afb5348886fff4d2393d25dd508b9fcce4974961
Instruction Fuzzy Hash: CD31A071605666AFC300DF6AC845E99FFB8FF55220B00826AE808C7B10D731E825CBD5

Function 6C499FA9 Relevance: 9.1, APIs: 6, Instructions: 79timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120 ref: 6C499FC2

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR120 ref: 6C49A012
CreateTimerQueueTimer.KERNEL32(?,00000000,6C499F7B,?,?,00000000,00000020), ref: 6C49A026
std::exception::exception.LIBCMT(00000000,00000001,?,?), ref: 6C49A043
std::exception::exception.LIBCMT(?), ref: 6C49A075

Part of subcall function 6C446FED: ___crtSetThreadpoolTimer.LIBCMT ref: 6C447032

_CxxThrowException.MSVCR120(6C44D1CC,6C44C7FC,00000000,00000001,?,?), ref: 6C49A08C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Timer$Concurrency@@Version@std::exception::exception$CreateExceptionH_prolog3Manager@1@QueueQueue@details@ResourceSharedThreadpoolThrow___crt
String ID:
API String ID: 3581381746-0
Opcode ID: c4f96a9e924e1a3bc065464315f95a6611d9cdb9a86240a0750b90f04908c539
Instruction ID: 0c4d29738e558b4d8b93688f213750a4f8a66dac3a837a3eab4c99f9709a5db6
Opcode Fuzzy Hash: c4f96a9e924e1a3bc065464315f95a6611d9cdb9a86240a0750b90f04908c539
Instruction Fuzzy Hash: AD218172909356ABD300DE65D884E8BFFA8EF85608F14892DF55493A41E731E90CC7E2

Function 6C44433D Relevance: 9.1, APIs: 6, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C444382
memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C444392
??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C444399

Part of subcall function 6C42EE11: malloc.MSVCR120(?), ref: 6C42EE1A

??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C444A97), ref: 6C4443C3
InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444A97), ref: 6C4443D8
InitializeSListHead.KERNEL32(00000180,?,?,00000180,00000000,6C444A97), ref: 6C4443DE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: HeadInitializeList$??2@mallocmemset
String ID:
API String ID: 3540956195-0
Opcode ID: 6bbc8cd5cda6e44f7d35f1060ab04cf2fd730ac81437502c0b0b33961cb4ee73
Instruction ID: e4522c5b626f4cd57e1aebf2965d4c8459ea63ba258c1b41d6ca25cd1bd9e141
Opcode Fuzzy Hash: 6bbc8cd5cda6e44f7d35f1060ab04cf2fd730ac81437502c0b0b33961cb4ee73
Instruction Fuzzy Hash: 02213DB1701A12AFD708CF2AD985E55BBA5FB48314B54922EE60AC7E90D770E860CBD4

Function 6C4443FE Relevance: 9.1, APIs: 6, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C444443
memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C444453
??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C44445A

Part of subcall function 6C42EE11: malloc.MSVCR120(?), ref: 6C42EE1A

??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C444AC1), ref: 6C444484
InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444AC1), ref: 6C444499
InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C444AC1), ref: 6C44449F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: HeadInitializeList$??2@mallocmemset
String ID:
API String ID: 3540956195-0
Opcode ID: 7fc779babb36ea92e0a76694297af25c64b83863a3b1bf0dce383ea734d8b3ff
Instruction ID: e859147d56daa449c8ee52688f651b55f0fc8290606b29b41f93ebab19d9a5db
Opcode Fuzzy Hash: 7fc779babb36ea92e0a76694297af25c64b83863a3b1bf0dce383ea734d8b3ff
Instruction Fuzzy Hash: 632130B1601A12AFD748CF2AD981E55BBA8FB48320B54522EE61AC7F90D770E460CBD4

Function 6C49AE9C Relevance: 9.1, APIs: 6, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C49AEA3
??_U@YAPAXI@Z.MSVCR120(00000100,00000004,6C48A14B,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215,?,?), ref: 6C49AECB
??_U@YAPAXI@Z.MSVCR120(00000100,00000004,6C48A14B,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215,?,?), ref: 6C49AEDA
memset.MSVCR120(6C489323,00000000,00000100,00000004,6C48A14B,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C49AF06
??_U@YAPAXI@Z.MSVCR120(00000100,6C489323,00000000,00000100,00000004,6C48A14B,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C49AF30
??_U@YAPAXI@Z.MSVCR120(00000200,00000100,6C489323,00000000,00000100,00000004,6C48A14B,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C49AF3D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: H_prolog3memset
String ID:
API String ID: 747782440-0
Opcode ID: 69288710fb6c3648d002d1b5426a96926cdc1916744cc76c9ba23933fa379e8a
Instruction ID: 9ef1cbe72b8769adf200fd8284757f76558ebba9c8ef2167ef6f55c464ab16ba
Opcode Fuzzy Hash: 69288710fb6c3648d002d1b5426a96926cdc1916744cc76c9ba23933fa379e8a
Instruction Fuzzy Hash: D6312CB0A51B508FD761CF39C444FA6BBE0FF49719F10586EC08ACAA80E7B5D145CB81

Function 6C434728 Relevance: 9.1, APIs: 6, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6C434754
_calloc_crt.MSVCR120(00000001,00000002), ref: 6C47463E
_errno.MSVCR120 ref: 6C47464B
_errno.MSVCR120 ref: 6C474690

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$CurrentDirectory_calloc_crt
String ID:
API String ID: 1498051304-0
Opcode ID: a694dc48cb95f4cdec634d72b99d83f45808cb44591e8560d93bc917b455b19c
Instruction ID: 6fd83789fb216de712b04e375ca26a0c1c387a0f3dda0cc9f8f6723abd5154ad
Opcode Fuzzy Hash: a694dc48cb95f4cdec634d72b99d83f45808cb44591e8560d93bc917b455b19c
Instruction Fuzzy Hash: A8212935D412288BE720DF69C889FE977B4EB8A394F51225DD81C97640DB758D848EE0

Function 6C436FD5 Relevance: 9.1, APIs: 6, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_strnicoll_l.MSVCR120(00000000,00000000,00000000,014281C0,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C437029

Part of subcall function 6C436F4B: __crtCompareStringA.MSVCR120(014281C0,?,00001001,00000000,014281C0,014281C0,014281C0,?,00000000,00000000,7FFFFFFF,00000000,014281C0,014281C0,00000000,014281C0), ref: 6C436FAF

_errno.MSVCR120(014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C47777C
_invalid_parameter_noinfo.MSVCR120(014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C477787
_errno.MSVCR120(014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C477796
_invalid_parameter_noinfo.MSVCR120(014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C4777A1
__crtCompareStringA.MSVCR120(00000000,?,00001001,00000000,00000000,00000000,00000000,?,014281C0,00000000,014281C0,00000000,00000000,00000000,00000000,00000000), ref: 6C4777C1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CompareString__crt_errno_invalid_parameter_noinfo$_getptd_strnicoll_l
String ID:
API String ID: 1228067600-0
Opcode ID: 26e6da545074f4cdd8a504864dee35bddd7cbb4341ca73ddcb67acf8c5d46a9e
Instruction ID: a66574d00caf3b591df154b54d5a5d8a835e9c9fba74eb84fa5d7b116108702b
Opcode Fuzzy Hash: 26e6da545074f4cdd8a504864dee35bddd7cbb4341ca73ddcb67acf8c5d46a9e
Instruction Fuzzy Hash: 2B11E435A05125ABFB11CF65CD40EFEB379EF88365F244258E86457AA0DB389C118BE1

Function 6C4C03A7 Relevance: 9.1, APIs: 6, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(?,6C4C035B,?,?,00000000), ref: 6C4C03B4
_invalid_parameter_noinfo.MSVCR120(?,6C4C035B,?,?,00000000), ref: 6C4C03BF

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120(?,?,6C4C035B,?,?,00000000), ref: 6C4C03D7
_invalid_parameter_noinfo.MSVCR120(?,?,6C4C035B,?,?,00000000), ref: 6C4C03E2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: 564b881e2ef714d8d792585edc64b52323a05b720d81117a38fef762e831cb26
Instruction ID: a7b6721b9fc263e1d7ccda344d850e817f4a085d32a8e6afa704d60ee46cb6dd
Opcode Fuzzy Hash: 564b881e2ef714d8d792585edc64b52323a05b720d81117a38fef762e831cb26
Instruction Fuzzy Hash: 9F1106BA7151554BDB04CF75DC80EBEB398DB8426DB14413EC825C7B60DB79D40486A2

Function 6C4C8638 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(00000000,?,6C4C637F,00000000,00000000,00000000,00000000,?,00000086,?,00000000,00000000), ref: 6C4C8642
_invalid_parameter_noinfo.MSVCR120(00000000,?,6C4C637F,00000000,00000000,00000000,00000000,?,00000086,?,00000000,00000000), ref: 6C4C864C

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

__get_sys_err_msg.LIBCMT ref: 6C4C8660
_mbstowcs_s.LIBCMT(00000000,00000000,00000000,00000000,000000FF,00000000,?,6C4C637F,00000000,00000000,00000000,00000000,?,00000086,?,00000000), ref: 6C4C8670
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C4C8699

Part of subcall function 6C4C469B: IsProcessorFeaturePresent.KERNEL32(00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000,00000000,00000000,00000000,6C49B412), ref: 6C4C469D
Part of subcall function 6C4C469B: __crtTerminateProcess.MSVCR120(C0000417,00000002,C0000417,00000001,?,00000017,6C4C466F,?,?,?,?,?,?,6C4C467C,00000000,00000000), ref: 6C4C46BC

_wmakepath_s.MSVCR120(00000000,000000FF,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C4C86B3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: FeaturePresentProcessProcessorTerminate__crt__get_sys_err_msg_errno_invalid_parameter_invalid_parameter_noinfo_invoke_watson_mbstowcs_s_wmakepath_s
String ID:
API String ID: 145895083-0
Opcode ID: 8c8a42b07f6a62a7c32a59da7d30d5525dd1fe1b63d91b4e242781929064f72e
Instruction ID: cccf2747042dcea714d12991e9a884c7addf8f02e6c8e37ac70ab6af79a8ec3e
Opcode Fuzzy Hash: 8c8a42b07f6a62a7c32a59da7d30d5525dd1fe1b63d91b4e242781929064f72e
Instruction Fuzzy Hash: B201243530422D7BCF119E98CC01EEE3B59AF09329F20411AF92C49BB0C73A85649BC2

Function 6C4C6C47 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4C6C52
_errno.MSVCR120 ref: 6C4C6C8E
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6C5D

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4C6C6E
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6C79
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6C99

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: ca88ceccdffc9caa72e73060ede8f03a13cc4685b6424443d30ec5113135439a
Instruction ID: 402a35d7e1c28ce1c2fdf4683fd5583436b7786e71f6d70b411bf8b2ba9ae8a2
Opcode Fuzzy Hash: ca88ceccdffc9caa72e73060ede8f03a13cc4685b6424443d30ec5113135439a
Instruction Fuzzy Hash: 6D015E397042149BDF12DF56DD40EFA3664EF49399B148035A818D6B30D7719855CBE3

Function 6C4C6BC0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4C6BCB
_errno.MSVCR120 ref: 6C4C6C07
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6BD6

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4C6BE7
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6BF2
_invalid_parameter_noinfo.MSVCR120 ref: 6C4C6C12

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: 704cc1ed3ad553668fb5bc1e733ea7f572e111d665b5baa62df7495875e9be36
Instruction ID: bf582601a20d1528d53c0969825bf02cb4bc3736d60b6b4d084e74db0c19a05a
Opcode Fuzzy Hash: 704cc1ed3ad553668fb5bc1e733ea7f572e111d665b5baa62df7495875e9be36
Instruction Fuzzy Hash: 9801A13D7041149ECB02CE65DC40EFA37A4EF453AAB108026D914D6B30D7718891CBF3

Function 6C450E8C Relevance: 9.1, APIs: 6, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C440BAA
wcslen.MSVCR120(00000000,00000000,00000001,?,6C49C767,0000002F,00000000), ref: 6C450E9E
calloc.MSVCR120(00000001,00000002,00000000,00000000,00000001,?,6C49C767,0000002F,00000000), ref: 6C450EA9
wcscpy_s.MSVCR120(00000000,00000001,00000000,00000000), ref: 6C450EBC
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6C476370
_invalid_parameter_noinfo.MSVCR120 ref: 6C47639B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_invoke_watsoncallocwcscpy_swcslen
String ID:
API String ID: 2591421054-0
Opcode ID: 6a229dd47c25f3bbf22d3a6641da4b2aee1296c9d90f34ce879cb8083004f879
Instruction ID: f1c9bd12896ef118b5439c53ee4046976fb8c33f2ac9ee5bad835d24ae11aba5
Opcode Fuzzy Hash: 6a229dd47c25f3bbf22d3a6641da4b2aee1296c9d90f34ce879cb8083004f879
Instruction Fuzzy Hash: 89F0F4353452846AFB10DDA69C04FEA3A98EB8474EF24843DF90CD9F10E779C929C6A1

Function 6C443A83 Relevance: 9.1, APIs: 6, Instructions: 54libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,74DEF550), ref: 6C443A99
GetModuleFileNameW.KERNEL32(6C420000,?,00000104), ref: 6C443AB6
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6C443ACF
GetLastError.KERNEL32 ref: 6C443AE9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C4737F4
_CxxThrowException.MSVCR120(?,6C4FCF40,00000000), ref: 6C473805

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionFileHandleLastLibraryLoadNameThrow
String ID:
API String ID: 2921151260-0
Opcode ID: 974a153c5d18e5f69cf1e8817707ae8ff3a6bde9dfd36858dbb7c38756bab6b8
Instruction ID: ec339ba76c1ffcc6af84727af7e3ede76d661bd32047f72adb16ff3e281ad776
Opcode Fuzzy Hash: 974a153c5d18e5f69cf1e8817707ae8ff3a6bde9dfd36858dbb7c38756bab6b8
Instruction Fuzzy Hash: 91112530B41208ABEB10DB60CC99FBFB3B8EB85705F60446DE406C7640EB39D805CAA4

Function 6C4345F8 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.MSVCR120(00000018,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C449409
_lock.MSVCR120(0000000A,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C44941B
__crtInitializeCriticalSectionEx.MSVCR120(00000000,00000FA0,00000000,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C449438
__NMSG_WRITE.LIBCMT ref: 6C473BC9
_errno.MSVCR120(6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C473BDC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalInitializeSection__crt_errno_lock_malloc_crt
String ID:
API String ID: 3513197803-0
Opcode ID: b29fc4d118ed594ddfef329b9aa0de799b96025a6bede318ece56d29b63cf246
Instruction ID: 503e0c2848134cb25fccc6f7caa1fa635937303955c6c416cdcfd6d57a61f434
Opcode Fuzzy Hash: b29fc4d118ed594ddfef329b9aa0de799b96025a6bede318ece56d29b63cf246
Instruction Fuzzy Hash: B10168326A5362BAE720EFB0D805FE83660AB8636EF10103CD2148AFC1CF348049C5E2

Function 6C453C63 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 6C453C98
__doserrno.MSVCR120 ref: 6C453CB6
GetLastError.KERNEL32 ref: 6C474605
__dosmaperr.LIBCMT(00000000), ref: 6C47460C
_errno.MSVCR120 ref: 6C47461A
_invalid_parameter_noinfo.MSVCR120 ref: 6C474625

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentDirectoryErrorLast__doserrno__dosmaperr_errno_invalid_parameter_noinfo
String ID:
API String ID: 1064742514-0
Opcode ID: afc0a5a368e936ccfd4b1105fbaa6300332427253a571c88cbc333f5a9197905
Instruction ID: fdf759dfb29e324a8ed75c68c8947f1a5306b6d02b7d883db47a1258659ae45a
Opcode Fuzzy Hash: afc0a5a368e936ccfd4b1105fbaa6300332427253a571c88cbc333f5a9197905
Instruction Fuzzy Hash: F901D676B401049BDB01DFF4D844F9D77B4AF4A314F90655AD418CBB90EB34C9188BA6

Function 6C434F4C Relevance: 9.0, APIs: 6, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__freebuf.LIBCMT ref: 6C434F6E

Part of subcall function 6C434E60: free.MSVCR120(?,?,?,6C434F73,?,?), ref: 6C434E76

_fileno.MSVCR120(?,?,?), ref: 6C434F74
_close.MSVCR120(00000000,?,?,?), ref: 6C434F7A
_errno.MSVCR120 ref: 6C4753EC
_invalid_parameter_noinfo.MSVCR120 ref: 6C4753F7
free.MSVCR120(00000000), ref: 6C47540E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$__freebuf_close_errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 1586031509-0
Opcode ID: 420fb923944ec85eb9e92021de29aa89de89cb2ed8c06761b6a58aecfb4c2e10
Instruction ID: e2ba3eabe38bf56b8503962f0ba9d3a14cbae7bf68ec0c262faca3d120120ec1
Opcode Fuzzy Hash: 420fb923944ec85eb9e92021de29aa89de89cb2ed8c06761b6a58aecfb4c2e10
Instruction Fuzzy Hash: 73F0D632505B245ED621DA778C00FDA3A984FC93BEF186618D96C52ED1D779D00A4BE0

Function 6C446F29 Relevance: 9.0, APIs: 6, Instructions: 42memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C4458DA: __EH_prolog3.LIBCMT ref: 6C4458E1

Part of subcall function 6C446F10: TlsAlloc.KERNEL32 ref: 6C446F16

TlsAlloc.KERNEL32(6C4348CA), ref: 6C446F52
GetLastError.KERNEL32 ref: 6C472F79
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C472F90
_CxxThrowException.MSVCR120(6C4FCF40,6C4FCF40,00000000), ref: 6C472F9F
TlsFree.KERNEL32(6C4FCF40,6C4FCF40,00000000), ref: 6C472FAB
TlsFree.KERNEL32(?,6C49A5DB,?,?), ref: 6C472FBE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AllocFree$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionH_prolog3LastThrow
String ID:
API String ID: 46841429-0
Opcode ID: 67ff64c8e38c3c55e5b11d0f713078e34345d5530d04fac9dbbc959839b62bc5
Instruction ID: 2f9760cf4941a3bc7b5f2cc2aad533676110ff0f8851a9de67b710033a7a004f
Opcode Fuzzy Hash: 67ff64c8e38c3c55e5b11d0f713078e34345d5530d04fac9dbbc959839b62bc5
Instruction Fuzzy Hash: 2D0175717502019BDB10EF75CC09FA577B4F742226F504B2EF466C1A91EB348019CBA8

Function 6C497D4E Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR120 ref: 6C497D5D

Part of subcall function 6C4981A1: ?_Cancel@_StructuredTaskCollection@details@Concurrency@@QAEXXZ.MSVCR120(?,?,00000000,?,?,?,6C489222), ref: 6C4981F1
Part of subcall function 6C4981A1: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120 ref: 6C498228
Part of subcall function 6C4981A1: Concurrency::details::ContextBase::CancelCollectionComplete.LIBCMT ref: 6C498246

__uncaught_exception.MSVCR120 ref: 6C497D62
?_CleanupToken@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR120 ref: 6C497D87
?_CleanupToken@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR120 ref: 6C497D93
??0exception@std@@QAE@XZ.MSVCR120 ref: 6C497D9B
_CxxThrowException.MSVCR120(?,6C4FCE94), ref: 6C497DB0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$Collection@details@StructuredTask$CleanupSpinToken@_$??0exception@std@@Abort@_Base::CancelCancel@_CollectionCompleteConcurrency::details::ContextExceptionOnce@?$_ThrowWait@$00@details@__uncaught_exception
String ID:
API String ID: 4114090006-0
Opcode ID: 9fdca2bd9e78254b94ed9f3d64d5b2e048ea68e9e981d04562d2049fd02e9a17
Instruction ID: 77d4a25c6826f081b2c1cc9a8de02f06355d356245d3e5eb168945d5b419d226
Opcode Fuzzy Hash: 9fdca2bd9e78254b94ed9f3d64d5b2e048ea68e9e981d04562d2049fd02e9a17
Instruction Fuzzy Hash: C7F0D130909B2986CB20EB59C405FEE7BF89F4071EF10879E986A02F61CB71958DC7C6

Function 6C42EE11 Relevance: 9.0, APIs: 6, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCR120(?), ref: 6C42EE1A

Part of subcall function 6C42ED30: HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D

_callnewh.MSVCR120(?), ref: 6C47DA32
std::exception::exception.LIBCMT(?,00000001), ref: 6C47DA50
_CxxThrowException.MSVCR120(?,6C44C7FC,?,00000001), ref: 6C47DA65
_errno.MSVCR120(00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C47DA6C
GetLastError.KERNEL32(00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C47DA73

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AllocErrorExceptionHeapLastThrow_callnewh_errnomallocstd::exception::exception
String ID:
API String ID: 2319598913-0
Opcode ID: 52a4df7f3e9ab69d9ca06da0063a4c2cadc48600e68c8468221dcfcb0615526c
Instruction ID: ada94ed118cf11834819dd0fa78b78062795494d2cf1cbfab9f0ea694669194e
Opcode Fuzzy Hash: 52a4df7f3e9ab69d9ca06da0063a4c2cadc48600e68c8468221dcfcb0615526c
Instruction Fuzzy Hash: 31F0963590011BA7DB10EBB5EC46EDEBB68EF05219F104959E80896E50EB358A5846D4

Function 6C437CFE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 6C42F720: GetLastError.KERNEL32(?,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F722
Part of subcall function 6C42F720: __crtFlsGetValue.MSVCR120(?,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F730
Part of subcall function 6C42F720: SetLastError.KERNEL32(00000000,?,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E), ref: 6C42F741

_calloc_crt.MSVCR120(0000001A,00000001), ref: 6C4491E6

Strings

, xrefs: 6C437DFE
d, xrefs: 6C437DAC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorLast$Value__crt_calloc_crt
String ID: $d
API String ID: 3815485746-2084297493
Opcode ID: afb24e242b7f8e474ad79784848949dbba7ade82a360fd10cd49b8bcbfb2928c
Instruction ID: ede3c5b3a4bd385789824ed99b9e4ac07e1c2215171fdab1917582d888d410b4
Opcode Fuzzy Hash: afb24e242b7f8e474ad79784848949dbba7ade82a360fd10cd49b8bcbfb2928c
Instruction Fuzzy Hash: CA51C135606344CFE721CF598594F95BBB5EF22258F28C18DD48887A42C336E90BDB62

Function 6C448AFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,00000001,00000000), ref: 6C448B1D
___crtGetStringTypeA.LIBCMT ref: 6C448B71
__crtLCMapStringA.MSVCR120(00000000,FE90005A,00000100,00000020,00000100,?,00000100,5EFC4D8B,00000000,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 6C448B92
__crtLCMapStringA.MSVCR120(00000000,FE90005A,00000200,00000020,00000100,?,00000100,5EFC4D8B,00000000), ref: 6C448BBA

Strings

, xrefs: 6C4774F8

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: String$__crt$InfoType___crt
String ID:
API String ID: 3423027535-3916222277
Opcode ID: 893a6d3c6477da62128ff24b81494b886bddc22ffddeb36db958002c1f853eb5
Instruction ID: 25128b10564ea73f2d964b236b7a1e1a94c3fe0b3660325926f2f58ef198345b
Opcode Fuzzy Hash: 893a6d3c6477da62128ff24b81494b886bddc22ffddeb36db958002c1f853eb5
Instruction Fuzzy Hash: 98412DB05086885FEB22CF28CC40FE7BBF9DB06308F6448DDE585C6642D2319A55CF60

Function 6C43BEE6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

__fltout2.LIBCMT ref: 6C43BF13

Part of subcall function 6C43B131: $I10_OUTPUT.MSVCR120(?,?,?,?,?,?,6C4A92B2,?,?,?,?,00000016,?,0000015D,?), ref: 6C43B170
Part of subcall function 6C43B131: strcpy_s.MSVCR120(6C4A92B2,?,?,?,?,?,?,?,?,6C4A92B2,?,?,?,?,00000016), ref: 6C43B190

_errno.MSVCR120(?,?,00000000,00000000,00000002,?,6C4CA55C,000003FF,00000002,00000000,00000000,00000000,?,?,6C4A92B2,00000016), ref: 6C480FC3
_invalid_parameter_noinfo.MSVCR120(?,?,00000000,00000000,00000002,?,6C4CA55C,000003FF,00000002,00000000,00000000,00000000,?,?,6C4A92B2,00000016), ref: 6C480FCA
_errno.MSVCR120(?,?,00000000,00000000,00000002,?,6C4CA55C,000003FF,00000002,00000000,00000000,00000000,?,?,6C4A92B2,00000016), ref: 6C480FD6

Strings

-, xrefs: 6C43BF56

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$I10___fltout2_invalid_parameter_noinfostrcpy_s
String ID: -
API String ID: 2633025121-2547889144
Opcode ID: ed4c7d13fa24c66c19c7208847e8fac9f1919f5cd74e8d6bf11a41a5befb2275
Instruction ID: 6364ef84628a9ed1f3ca19a913105857fd74e55633ce12933e636ec64fd9b328
Opcode Fuzzy Hash: ed4c7d13fa24c66c19c7208847e8fac9f1919f5cd74e8d6bf11a41a5befb2275
Instruction Fuzzy Hash: D7210672A02119ABDB05DEB9CC41FEF7B68EF4C214F04812DF918E7680EB70D4148BA1

Function 6C49A492 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 6C49A621: GetCurrentThreadId.KERNEL32 ref: 6C49A65B
Part of subcall function 6C49A621: swprintf_s.MSVCR120(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,?,?,?,?,6C49A4C1,?), ref: 6C49A685
Part of subcall function 6C49A621: vswprintf.LIBCMT(00000401,00000401,?,6C49A4C1,?,?,?,?,?,6C49A4C1,?), ref: 6C49A6AD

_fwprintf.LIBCMT(6C4FE040,?), ref: 6C49A4DB

Part of subcall function 6C4A2828: _errno.MSVCR120(6C4A28C0,0000000C,6C49A4E0,6C4FE040,?), ref: 6C4A2847
Part of subcall function 6C4A2828: _invalid_parameter_noinfo.MSVCR120(6C4A28C0,0000000C,6C49A4E0,6C4FE040,?), ref: 6C4A2852

__aullrem.LIBCMT ref: 6C49A4F4
fflush.MSVCR120(00000032,00000000), ref: 6C49A517

Part of subcall function 6C440A94: _lock_file.MSVCR120(?,6C440AE0,0000000C), ref: 6C440AB1
Part of subcall function 6C440A94: _fflush_nolock.MSVCR120(?,6C440AE0,0000000C), ref: 6C440ABB

OutputDebugStringW.KERNEL32(?), ref: 6C49A526

Strings

@Ol, xrefs: 6C49A4C7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentDebugOutputStringThread__aullrem_errno_fflush_nolock_fwprintf_invalid_parameter_noinfo_lock_filefflushswprintf_svswprintf
String ID: @Ol
API String ID: 3114624150-2943137527
Opcode ID: 34d52cd15bdc4f412cb4cbb004ab29750e77acbaac1618078bdd4c893c3267c0
Instruction ID: 9a8b2168d77d9502f635028889abc31a9fef774ceab8a65920e489d69548924a
Opcode Fuzzy Hash: 34d52cd15bdc4f412cb4cbb004ab29750e77acbaac1618078bdd4c893c3267c0
Instruction Fuzzy Hash: 05118C36B00114ABDB50DF64DC45EDA7BB8EF56328F16405EE848E7641EF30AA89CB94

Function 6C436EDE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__output_l.LIBCMT ref: 6C436F2A

Part of subcall function 6C436C0F: _errno.MSVCR120(?,?,?,00000000), ref: 6C436C84

_errno.MSVCR120 ref: 6C4759E6
_invalid_parameter_noinfo.MSVCR120 ref: 6C4759F1
_flsbuf.MSVCR120(00000000,?), ref: 6C475A03

Strings

B, xrefs: 6C436F23

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$__output_l_flsbuf_invalid_parameter_noinfo
String ID: B
API String ID: 531506805-1255198513
Opcode ID: ff60e6265110582dff214c53019b6cac8ee69f181b0041a41a1a6057d0b1586c
Instruction ID: a8ab67be478893a92035e7e7b3a7d4da1d518f63d4c6e33ae4480531df3bb432
Opcode Fuzzy Hash: ff60e6265110582dff214c53019b6cac8ee69f181b0041a41a1a6057d0b1586c
Instruction Fuzzy Hash: 810165B290421D9FDB00DEA9DC41DFEB7B8FB48364F10416AE928E6680EB349505CBB1

Function 6C49AE0D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

??0exception@std@@QAE@XZ.MSVCR120 ref: 6C49AE28
std::exception::exception.LIBCMT(?), ref: 6C49AE60
_CxxThrowException.MSVCR120(LuHlpxHl,Function_000DCEE8,?), ref: 6C49AE75

Strings

LuHlpxHl, xrefs: 6C49AE71, 6C49AE74
pScheduler, xrefs: 6C49AE55

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??0exception@std@@ExceptionThrowstd::exception::exception
String ID: LuHlpxHl$pScheduler
API String ID: 4282526312-2283447266
Opcode ID: 19fdfe06fa944cf13b55bfa6757bbb6ad488d30c6cb52f5eda73031d3bdd05ee
Instruction ID: 5b44ff3efb5696d0d9af7a660533f5cc31de0e24a8c32e342ea98a647b46c67a
Opcode Fuzzy Hash: 19fdfe06fa944cf13b55bfa6757bbb6ad488d30c6cb52f5eda73031d3bdd05ee
Instruction Fuzzy Hash: BCF0C235D41218ABCB14EF54C491DEEBB78AF40204B10856DE82667F60CB30DA49CBD4

Function 6C434094 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT(Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C47B524
_CxxThrowException.MSVCR120(?,6C47B5B0,Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C47B532
std::bad_exception::bad_exception.LIBCMT(Bad read pointer - no RTTI data!,?,6C47B5B0,Attempted a typeid of NULL pointer!,6C4340D0,00000014), ref: 6C47B53F

Strings

Attempted a typeid of NULL pointer!, xrefs: 6C47B51C
Bad read pointer - no RTTI data!, xrefs: 6C47B537

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionThrow
String ID: Attempted a typeid of NULL pointer!$Bad read pointer - no RTTI data!
API String ID: 20138871-236372618
Opcode ID: f46fd6440fd795ed0bae89238ede3a9c36b33187a44206ea8de2c2c4f1ab652c
Instruction ID: c93605b9683ea6129ee527ed88a58c6198189bb10bc094cd1baf01ff60db920e
Opcode Fuzzy Hash: f46fd6440fd795ed0bae89238ede3a9c36b33187a44206ea8de2c2c4f1ab652c
Instruction Fuzzy Hash: 10F01235501245ABD710DBA5CA85FDD77B46F0836DF504498E4006BF90DB35DE09DAB0

Function 6C4506D5 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

__ctrlfp.LIBCMT ref: 6C4F6E66

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __ctrlfp
String ID:
API String ID: 1574075368-0
Opcode ID: 2ef794573849e4bff7f13eeb56080e5b9322a094f583a08aa0332222d853e612
Instruction ID: b9c146d67ed401d5cd3444d0b2dbcd557fa279ebb59cbfe03998b258c660d0b7
Opcode Fuzzy Hash: 2ef794573849e4bff7f13eeb56080e5b9322a094f583a08aa0332222d853e612
Instruction Fuzzy Hash: BC519A61918705A9DF01EB25D855FEA7BB8EF86385F10CB5DF8E891680FF3088568292

Function 6C463FF0 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

___libm_error_support.LIBCMT ref: 6C4640A3

Part of subcall function 6C4F6158: DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6C46417F), ref: 6C4F6174
Part of subcall function 6C4F6158: _errno.MSVCR120 ref: 6C4F6215

__ctrlfp.LIBCMT ref: 6C4F69AF

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: DecodePointer___libm_error_support__ctrlfp_errno
String ID:
API String ID: 3902546397-0
Opcode ID: 194fdfb4e483c8ef6e8d5f7043a51d974866fc536778fa2d0a7e6a17cd1769db
Instruction ID: 18a56f8d949f09c842b8ddada08e45c906795d1e1c1c7fb1733ba40b64d5f7e3
Opcode Fuzzy Hash: 194fdfb4e483c8ef6e8d5f7043a51d974866fc536778fa2d0a7e6a17cd1769db
Instruction Fuzzy Hash: CF518861D08704A9DF01FB25D945EEA7BB8EF87385F00CB5DF8D891A81EF3194968283

Function 6C48A94B Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C489D78,?,?,?,?), ref: 6C48A974
??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C489D78,?,?,?,?), ref: 6C48A994
memset.MSVCR120(?,00000000,?,?,00000000,00000000,?,?,?,6C489D78,?,?,?,?), ref: 6C48AA46
free.MSVCR120(?,?,00000000,00000000,?,?,?,6C489D78,?,?,?,?), ref: 6C48AAA6
free.MSVCR120(?,?,00000000,00000000,?,?,?,6C489D78,?,?,?,?), ref: 6C48AAAF

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 4e7ca5e0138b25afbda86750dcd9407cbb7e04a3b5bb751fa6837829e94b8737
Instruction ID: 0ff87b81c74814fea24dd85f97e9e575a4dfdaada5aee930f07d8fbf4ec3ba78
Opcode Fuzzy Hash: 4e7ca5e0138b25afbda86750dcd9407cbb7e04a3b5bb751fa6837829e94b8737
Instruction Fuzzy Hash: F05146B5A0161AAFCB04CFA9C581D9DFBB4FF48314B20856EE819EB740D730EA51CB90

Function 6C48E670 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000000), ref: 6C48E699
??_U@YAPAXI@Z.MSVCR120(00000000,00000000,?,?,00000000), ref: 6C48E6B8
memset.MSVCR120(?,00000000,?,?,?,00000000), ref: 6C48E76B
free.MSVCR120(?,?,?,00000000), ref: 6C48E7CB
free.MSVCR120(?,?,?,?,00000000), ref: 6C48E7D3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 032aca3e2913888c7ed28bbd4d3b4576cb184e68f41b8cfeb88283ba157c15a8
Instruction ID: 4a1451991d4bc2b2e673c4b54a334da12bf34235671535652d44a5fa412af2f4
Opcode Fuzzy Hash: 032aca3e2913888c7ed28bbd4d3b4576cb184e68f41b8cfeb88283ba157c15a8
Instruction Fuzzy Hash: 375117B9A0161AAFCB04CFA9C581D9DFBB5FF48354B20816EE819A7740D731EA51CBD0

Function 6C4A4F8E Relevance: 7.6, APIs: 5, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(6C4A5128,00000008), ref: 6C4A4FA8
_errno.MSVCR120(6C4A5128,00000008), ref: 6C4A4FC0
_invalid_parameter_noinfo.MSVCR120(6C4A5128,00000008), ref: 6C4A5118

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
String ID:
API String ID: 4106058386-0
Opcode ID: 6f32840836b302b553f9f0d66965f2ec1b826f77a697f3eb8fd93c45001bb65d
Instruction ID: 7ad021273ef4c6478192a4347749fc18a89b06e90dfd182588299b0bf8033604
Opcode Fuzzy Hash: 6f32840836b302b553f9f0d66965f2ec1b826f77a697f3eb8fd93c45001bb65d
Instruction Fuzzy Hash: 6A411831959A118AD711CEFB8640F6937B0AB6639AF148629D523CBF8CDB74C443CAD0

Function 6C4362EA Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

_errno.MSVCR120(6C4363D0,00000008), ref: 6C4363F4
_errno.MSVCR120(6C4363D0,00000008), ref: 6C475446
_errno.MSVCR120(6C4363D0,00000008), ref: 6C475453
_invalid_parameter_noinfo.MSVCR120(6C4363D0,00000008), ref: 6C475466

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 37c6a680e2341d785b9b1ce9083c9b38fbd13dbe4c6dcb8f1e8621c2a2dd3bfc
Instruction ID: 5bf551d831f59b4467d359530ec0e5e735bcf55112687207d13b6774d37be21c
Opcode Fuzzy Hash: 37c6a680e2341d785b9b1ce9083c9b38fbd13dbe4c6dcb8f1e8621c2a2dd3bfc
Instruction Fuzzy Hash: 284109319852739AD721CF2A8440FD97760BBCB35BF14A249C8B9CEF91C7348417CAA1

Function 6C4E1476 Relevance: 7.6, APIs: 5, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

sqrt.MSVCR120(?,?), ref: 6C4E14D0
___libm_error_support.LIBCMT ref: 6C4E14F4
sqrt.MSVCR120(?,?), ref: 6C4E1504
_fabs.LIBCMT(?,?), ref: 6C4E151C
_fabs.LIBCMT(?,?), ref: 6C4E1530

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fabssqrt$___libm_error_support
String ID:
API String ID: 1264880858-0
Opcode ID: 01e7fd3f7f6f718c24a1ad5a1f260da2309ba31b6ed7e566643e79dee8bedf95
Instruction ID: d306641fd84f330b449d9e60f90f7e83326e5dc6844ad364f686c338200dfab0
Opcode Fuzzy Hash: 01e7fd3f7f6f718c24a1ad5a1f260da2309ba31b6ed7e566643e79dee8bedf95
Instruction Fuzzy Hash: 6641C3B2F40009EBCB00AF54C440DDC7F75EF487A6F724569D49691A9AFA31CA64CBC0

Function 6C44FCDA Relevance: 7.6, APIs: 5, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock_file.MSVCR120(?,6C44FD98,00000010), ref: 6C44FD28
__freebuf.LIBCMT ref: 6C44FD38
_malloc_crt.MSVCR120(?,?,?,6C44FD98,00000010), ref: 6C44FD61
_errno.MSVCR120(6C44FD98,00000010), ref: 6C475919
_invalid_parameter_noinfo.MSVCR120(6C44FD98,00000010), ref: 6C475924

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __freebuf_errno_invalid_parameter_noinfo_lock_file_malloc_crt
String ID:
API String ID: 1322749186-0
Opcode ID: 304d96db5e30121d5d1c15ff1b4a0a8a0bde4957cfce91973fa333b04d283dd8
Instruction ID: 5807b97c4ec16ca418d015587fd754ed523818d6cdbb81b2298fd2929f17fd6b
Opcode Fuzzy Hash: 304d96db5e30121d5d1c15ff1b4a0a8a0bde4957cfce91973fa333b04d283dd8
Instruction Fuzzy Hash: 9521C5B05017058AF720CF6AD880EDE7BA0EF45378B20C61ED5669FBD0DB349501CB90

Function 6C43AFF1 Relevance: 7.6, APIs: 5, Instructions: 81stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strlen.MSVCR120(00000002,00000000,?,?,?,6C43BF6E,00000000), ref: 6C43B06A
memmove.MSVCR120(00000001,00000002,00000001,00000002,00000000,?,?,?,6C43BF6E,00000000), ref: 6C43B073
_errno.MSVCR120(?,?,?,6C43BF6E,00000000,?,00000001,?,?,?,00000000,00000000,00000002), ref: 6C473F50
_invalid_parameter_noinfo.MSVCR120(?,?,?,6C43BF6E,00000000,?,00000001,?,?,?,00000000,00000000,00000002), ref: 6C473F5A
_errno.MSVCR120(?,?,?,6C43BF6E,00000000), ref: 6C473F66

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfomemmovestrlen
String ID:
API String ID: 4167440682-0
Opcode ID: af6727cf59f20b271ab767bf85387911a2095cfeb52e4ea39ca4c13e1f283f11
Instruction ID: c93e7bc9b8efa42471e5c309296fb4b2330346740a6f1da9b73f0a73bfe79fd3
Opcode Fuzzy Hash: af6727cf59f20b271ab767bf85387911a2095cfeb52e4ea39ca4c13e1f283f11
Instruction Fuzzy Hash: 9A216E30289BA69DF712CE7A8850F9A7B78DF8E345F04505DD85D9BB01D3788846C7A1

Function 6C495B3A Relevance: 7.6, APIs: 5, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C495B41
EnterCriticalSection.KERNEL32(?,00000030,6C492161,?,00000000,?,?,?), ref: 6C495B58
??_U@YAPAXI@Z.MSVCR120(00000000,?,?,?), ref: 6C495B7B
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6C495BE0
free.MSVCR120(?,?,?,?), ref: 6C495BEE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3_Leavefree
String ID:
API String ID: 2469348259-0
Opcode ID: 9522138f71dcc715f3b24b8e7eff591c86f9c4e615f5ea10eeb3833a7851056b
Instruction ID: e6af78bdac4de4aa058076153595cacf8b23bb5f905e5cf189146b4709f47095
Opcode Fuzzy Hash: 9522138f71dcc715f3b24b8e7eff591c86f9c4e615f5ea10eeb3833a7851056b
Instruction Fuzzy Hash: A8219A31601215AFDB08CF69D490E5EBFB5AF8631AF358258E115DBB60CB30E802CB90

Function 6C4C4519 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_crt_debugger_hook.MSVCR120(000000FF), ref: 6C4C4536
memset.MSVCR120(?,00000000,0000004C), ref: 6C4C454E
IsDebuggerPresent.KERNEL32 ref: 6C4C45FD
__crtUnhandledException.MSVCR120(?), ref: 6C4C460C
_crt_debugger_hook.MSVCR120(000000FF), ref: 6C4C4623

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _crt_debugger_hook$DebuggerExceptionPresentUnhandled__crtmemset
String ID:
API String ID: 2836902185-0
Opcode ID: c1d17883dd6461f2279575f752003a687941d90695c1f273c02fa605db4c4e73
Instruction ID: 52f9b2c6813eb0515d3f8f181b25c7a4ea0ee3db87388af34c12a92e7ebbbc31
Opcode Fuzzy Hash: c1d17883dd6461f2279575f752003a687941d90695c1f273c02fa605db4c4e73
Instruction Fuzzy Hash: 8131E87590122C9BCB21DF24D984BDCBBF8AF48311F5052EAE81CA6360E7349B858F45

Function 6C4A9AC7 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A9AEB
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A9AF5
__mbsrtowcs_helper.LIBCMT ref: 6C4A9B1A
_errno.MSVCR120 ref: 6C4A9B30
_errno.MSVCR120 ref: 6C4A9B4B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$__mbsrtowcs_helper_invalid_parameter_noinfo
String ID:
API String ID: 2140840981-0
Opcode ID: 1bce2497fcfcb09d2059b597ac2393f79fd620e060f83240e75c937c886f4091
Instruction ID: 3b803e7b274e25023d18d061096c79e50da221281f295b1fe8a4062a77ddf44a
Opcode Fuzzy Hash: 1bce2497fcfcb09d2059b597ac2393f79fd620e060f83240e75c937c886f4091
Instruction Fuzzy Hash: 3B1108326616615ACB12DFED8880F9B3AA5FF75765F24051AED6487B58D333C4038391

Function 6C49C042 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,6C503B90,00000104,00000000,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 6C49C05E
_parse_cmdline.LIBCMT ref: 6C49C085
_malloc_crt.MSVCR120(?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C49C0A8
_parse_cmdline.LIBCMT ref: 6C49C0C2
__cwild.LIBCMT ref: 6C49C0D9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _parse_cmdline$FileModuleName__cwild_malloc_crt
String ID:
API String ID: 953782237-0
Opcode ID: 8f34cf609e26efb1357c2dc6becf37494087193003e2fee6c974f144ee4a2fae
Instruction ID: 7372347e0d1ec1db3dada685faad6a9730af608db1ce0004921df42c22d38469
Opcode Fuzzy Hash: 8f34cf609e26efb1357c2dc6becf37494087193003e2fee6c974f144ee4a2fae
Instruction Fuzzy Hash: BD11B6B1941118BBAB11EAE9DC84CDF7BBCEA86354B50035AE525C3740E7315A15C6B1

Function 6C4989F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C4989FA
??0exception@std@@QAE@XZ.MSVCR120(00000014), ref: 6C498A0C
_CxxThrowException.MSVCR120(?,?,?,?,?,?,?,?,6C4FD0DC,00000014), ref: 6C498A21

Part of subcall function 6C4392EB: RaiseException.KERNEL32(?,?,?,6C44C7FC,?,?,?,?,?,6C47DA6A,?,6C44C7FC,?,00000001), ref: 6C439333

Part of subcall function 6C49887D: ?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000000,6C498AB2,?,?,?,00000014), ref: 6C498895

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

Part of subcall function 6C489E5E: Concurrency::location::operator==.LIBCMT ref: 6C489E8E
Part of subcall function 6C489E5E: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C489EDA

??2@YAPAXI@Z.MSVCR120(00000010,?,?,?,00000014), ref: 6C498A5A
Concurrency::details::TaskStack::Push.LIBCMT ref: 6C498A94

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::Exception$??0exception@std@@??2@?wait@event@Base::Concurrency::location::operator==Concurrency@@ContextCreateH_prolog3_catchPushQueueRaiseStack::TaskThrowValueWork
String ID:
API String ID: 3358135389-0
Opcode ID: 8b50a1da98f6f89eea842e0377b51a8007ca4f03b43cb08403b6e3e5820b8dda
Instruction ID: bf9f670da4f6d83895bc227c107779471ebe100b4e974d8da60ceb58bd0d9710
Opcode Fuzzy Hash: 8b50a1da98f6f89eea842e0377b51a8007ca4f03b43cb08403b6e3e5820b8dda
Instruction Fuzzy Hash: 62217C71901A15ABCB01DF69C481EADFBB2BF88218F10852ED859A7F50DB359506DB90

Function 6C498AE6 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C498AED
??0exception@std@@QAE@XZ.MSVCR120(00000014), ref: 6C498AFF
_CxxThrowException.MSVCR120(?,?,?,?,?,?,?,?,6C4FD0DC,00000014), ref: 6C498B14

Part of subcall function 6C4392EB: RaiseException.KERNEL32(?,?,?,6C44C7FC,?,?,?,?,?,6C47DA6A,?,6C44C7FC,?,00000001), ref: 6C439333

Part of subcall function 6C49887D: ?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000000,6C498AB2,?,?,?,00000014), ref: 6C498895

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

Part of subcall function 6C489FA4: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C489FB2

??2@YAPAXI@Z.MSVCR120(00000010,?,?,?,00000014), ref: 6C498B4D
Concurrency::details::TaskStack::Push.LIBCMT ref: 6C498B84

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::Exception$??0exception@std@@??2@?wait@event@Base::Concurrency@@ContextCreateH_prolog3_catchPushQueueRaiseStack::TaskThrowValueWork
String ID:
API String ID: 3410968691-0
Opcode ID: 4d7448d19db8361c3211ea45a796843e410a7be858db4c9d8c57738bc29ab34d
Instruction ID: 6b7887086f9ae432301316340977099084381f6db30b8c973aea0c952ba3581b
Opcode Fuzzy Hash: 4d7448d19db8361c3211ea45a796843e410a7be858db4c9d8c57738bc29ab34d
Instruction Fuzzy Hash: 8F218BB1900A219FCB00DF69C490E9DFFB1BF89218F24892EE559A7B40DB369405CB90

Function 6C4AA49D Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4AA4C1
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AA4CB
__wcsrtombs_helper.LIBCMT ref: 6C4AA4EE
_errno.MSVCR120 ref: 6C4AA502
_errno.MSVCR120 ref: 6C4AA517

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$__wcsrtombs_helper_invalid_parameter_noinfo
String ID:
API String ID: 1232677100-0
Opcode ID: 7077da380754c1ad6578630a45be5d76f80f97c30f2ceafb05829f971d4b7d84
Instruction ID: 8c79e64ce007cd0e8c4aa78fa5a13e4f729d8d0fc4cfa34e30001b31f09c8be5
Opcode Fuzzy Hash: 7077da380754c1ad6578630a45be5d76f80f97c30f2ceafb05829f971d4b7d84
Instruction Fuzzy Hash: 0611E7326496215FE712CEE99844F9A3BA49F65379F140209FD685FB88D334C8078FE2

Function 6C443DE8 Relevance: 7.6, APIs: 5, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

TlsSetValue.KERNEL32(00000000,?), ref: 6C443E2B
TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 6C473099

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a60e9b023971dfb415cfff1f411e8b69d0a5a9a3357a44839dfbf12657537209
Instruction ID: dcced843e236abb943e2505ad64549c54dd91644b89ce64e120059a40262d481
Opcode Fuzzy Hash: a60e9b023971dfb415cfff1f411e8b69d0a5a9a3357a44839dfbf12657537209
Instruction Fuzzy Hash: 531103357026009BDB25EF26CC08FAABBB8EF81719F14412EE55693F10DB30D419CAE5

Function 6C4899E7 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C4899EE
??2@YAPAXI@Z.MSVCR120(00000008,00000008,6C48A446,?,?,?,00000000,?,6C48A65B), ref: 6C489A15
??_U@YAPAXI@Z.MSVCR120(00000080,00000008,6C48A446,?,?,?,00000000,?,6C48A65B), ref: 6C489A31
??2@YAPAXI@Z.MSVCR120(00000008,00000008,6C48A446,?,?,?,00000000,?,6C48A65B), ref: 6C489A60
??_U@YAPAXI@Z.MSVCR120(00000080,00000008,6C48A446,?,?,?,00000000,?,6C48A65B), ref: 6C489A7F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@$H_prolog3
String ID:
API String ID: 2611423129-0
Opcode ID: 62f87c2e91cfbc2908ab69081807a7eff314a596075dede47e38011385cc5064
Instruction ID: e3a75257517b59e7ef9672a0022d372b5bff1433b1266bb59980c59f7b488e68
Opcode Fuzzy Hash: 62f87c2e91cfbc2908ab69081807a7eff314a596075dede47e38011385cc5064
Instruction Fuzzy Hash: EF21AE31A066218BDB10DFA8C540F99B7E0BF98715F15855DEC98AF780DBB6D9048BD0

Function 6C45287F Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_localtime64_s.MSVCR120(?,?), ref: 6C4528CA
asctime_s.MSVCR120(?,00000000,?), ref: 6C4528DD
_errno.MSVCR120 ref: 6C4528F4
_errno.MSVCR120 ref: 6C476926
_invalid_parameter_noinfo.MSVCR120 ref: 6C476947

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime_s
String ID:
API String ID: 2556715357-0
Opcode ID: c51acd0ebc46a976307fd30441aee71ff1eb96b5ba00941a6b2e95ff36d3d37f
Instruction ID: 8fc748271495fa860cd8ec85c91b12bc2bb622cda60f5220ff4cb5e6bc03eb4f
Opcode Fuzzy Hash: c51acd0ebc46a976307fd30441aee71ff1eb96b5ba00941a6b2e95ff36d3d37f
Instruction Fuzzy Hash: 3A11C171A02218DFDB25CF989D04EDA77A8AF0A315F44416FE804EBB44DB3485589BE1

Function 6C44C1BA Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.MSVCR120(6C44C248,0000000C), ref: 6C452280
_local_unwind4.MSVCR120(6C4FF7B8,?,000000FE,6C44C248,0000000C), ref: 6C452296

Part of subcall function 6C44C264: _wsopen_s.MSVCR120(?,?,00000000,?,00000180,?,00000000,?,?,?,?,6C44C22A,?,?,?,00000000), ref: 6C44C32B

Part of subcall function 6C44C1B2: _unlock_file.MSVCR120(00000000,6C44C23E), ref: 6C44C1B3

_errno.MSVCR120(6C44C248,0000000C), ref: 6C4522A5
_invalid_parameter_noinfo.MSVCR120(6C44C248,0000000C), ref: 6C475F0B

Part of subcall function 6C435857: _lock.MSVCR120(00000001,6C4358A0,00000010,6C43639E,6C4363D0,00000008), ref: 6C43586C

_errno.MSVCR120(6C44C248,0000000C), ref: 6C475F15

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_local_unwind4_lock_unlock_file_wsopen_s
String ID:
API String ID: 494836370-0
Opcode ID: 03246bb07474048021b8e8db074330edf41183186b9e5a712b48ac7ddf25fceb
Instruction ID: d7a6828274e0d005d2c9de800dad4efb77f747bbefbfce0243cdd9ce2501d176
Opcode Fuzzy Hash: 03246bb07474048021b8e8db074330edf41183186b9e5a712b48ac7ddf25fceb
Instruction Fuzzy Hash: EE11C431D01216ABE750EFB98C04FAF36A4AF45254F18852EA424DBB80DF74C555CBA1

Function 6C440477 Relevance: 7.6, APIs: 5, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR120(?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C44047F
_isatty.MSVCR120(00000000,?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440485
__p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440491
__p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C4404A1
_malloc_crt.MSVCR120(00001000,?,0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C4405B1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob$_fileno_isatty_malloc_crt
String ID:
API String ID: 1391627188-0
Opcode ID: d820365222c29537eeb09bf5dcedf7e3c411eaac5135fd628d4c51ef0bde141a
Instruction ID: cffb08a847011ca656eca778c54d5143a2323ac62f0ad505ee888e0782fe8348
Opcode Fuzzy Hash: d820365222c29537eeb09bf5dcedf7e3c411eaac5135fd628d4c51ef0bde141a
Instruction Fuzzy Hash: 5C11E7725087519EF720CF6AD840E837BF4EB5A3A5F20942ED599C2F41E730E0418B94

Function 6C492E72 Relevance: 7.6, APIs: 5, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedFlushSList.KERNEL32(?,?,?,?,6C492CC2,00000004,6C49249A), ref: 6C492E7E
InterlockedFlushSList.KERNEL32(?,?,?,?,6C492CC2,00000004,6C49249A), ref: 6C492E96
free.MSVCR120(?,?,?,?,6C492CC2,00000004,6C49249A), ref: 6C492EE0
free.MSVCR120(?,?,?,?,?,6C492CC2,00000004,6C49249A), ref: 6C492EE6
free.MSVCR120(?,?,?,?,6C492CC2,00000004,6C49249A), ref: 6C492EF6

Part of subcall function 6C48AF6F: free.MSVCR120(?,?,6C48AF12), ref: 6C48AF79
Part of subcall function 6C48AF6F: free.MSVCR120(?,?,?,6C48AF12), ref: 6C48AF81
Part of subcall function 6C48AF6F: free.MSVCR120(?,?,?,?,6C48AF12), ref: 6C48AF89
Part of subcall function 6C48AF6F: free.MSVCR120(?,?,?,?,?,6C48AF12), ref: 6C48AF91
Part of subcall function 6C48AF6F: free.MSVCR120(?,?,?,?,?,?,6C48AF12), ref: 6C48AF97

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$FlushInterlockedList
String ID:
API String ID: 1955102368-0
Opcode ID: a0ded818fda80a5830a7f868223fb7739204c68e414ac8bd2d30ed6e55411e65
Instruction ID: fefef1069dea6b534598fdfc834b84aa7dbf275e7d5225078f95c8471fb60ad1
Opcode Fuzzy Hash: a0ded818fda80a5830a7f868223fb7739204c68e414ac8bd2d30ed6e55411e65
Instruction Fuzzy Hash: E5119E36901531AB8B35DB62C5C5D99BBA0BF083A5309066CDA8027F40DF60BC09CBE0

Function 6C44A0D4 Relevance: 7.6, APIs: 5, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_tolower_l.MSVCR120(00000000,00000000,00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000), ref: 6C44A119
_tolower_l.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001), ref: 6C44A128
_errno.MSVCR120(00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C503B90), ref: 6C47AA7B
_invalid_parameter_noinfo.MSVCR120(00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C503B90), ref: 6C47AA86
___ascii_stricmp.LIBCMT ref: 6C47AA97

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _tolower_l$___ascii_stricmp_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3107707399-0
Opcode ID: 84813851034a8717271fea99eba7a290e7d961285fff9cd1113fb0d8ba26f70c
Instruction ID: 1dd236ce1446b7dfabf2d3a4be93b04f00d1ee2de4cdab5f616a65d1c563e2c6
Opcode Fuzzy Hash: 84813851034a8717271fea99eba7a290e7d961285fff9cd1113fb0d8ba26f70c
Instruction Fuzzy Hash: 22110D729052259FEB11DEA8C884EFA7768EF05199F24466CD87457B90DB309C04C7E1

Function 6C44FEF3 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_fileno.MSVCR120(?,6C44FF90,00000008), ref: 6C44FF15
_lock_file.MSVCR120(?,?,6C44FF90,00000008), ref: 6C44FF1D

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_lseek.MSVCR120(00000000,00000000,00000000,?,?,6C44FF90,00000008), ref: 6C44FF6C
_errno.MSVCR120(6C44FF90,00000008), ref: 6C4758D0
_invalid_parameter_noinfo.MSVCR120(6C44FF90,00000008), ref: 6C4758DB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fileno_invalid_parameter_noinfo_lock_lock_file_lseek
String ID:
API String ID: 3904067199-0
Opcode ID: 32808cb73b38fed37f615678e1ca6a719a93f0e4d9efbee784b9d2e019fa4a71
Instruction ID: cb37ca7d2abaae71c9d1a1df84b72c9788ed792737522553bef9ebc3e24a3838
Opcode Fuzzy Hash: 32808cb73b38fed37f615678e1ca6a719a93f0e4d9efbee784b9d2e019fa4a71
Instruction Fuzzy Hash: 6711C422512A109BF620CF788801FAD7BA0DF43279F35D30ED4758EBD1DB28D6068696

Function 6C48C9DA Relevance: 7.6, APIs: 5, Instructions: 57threadCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 6C48CA00
GetCurrentThread.KERNEL32 ref: 6C48CA35
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCMT ref: 6C48CA48

Part of subcall function 6C48EE8E: GetLastError.KERNEL32(?,?,?,6C4730F2), ref: 6C48EE94
Part of subcall function 6C48EE8E: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,6C4730F2), ref: 6C48EEAA
Part of subcall function 6C48EE8E: _CxxThrowException.MSVCR120(?,6C4FCF40,00000000,?,?,?,6C4730F2), ref: 6C48EEB8

Part of subcall function 6C48C9DA: List.LIBCMT ref: 6C48CA67
Part of subcall function 6C48C9DA: free.MSVCR120(?,?), ref: 6C48CA73

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCoreCurrentDecrementErrorExceptionLastListProxy::SchedulerSubscriptionThreadThrowValuefree
String ID:
API String ID: 3155433331-0
Opcode ID: 6976438553c7ca93ae8e4aab387bb43b8de11b89a2e984af5930bc347e754654
Instruction ID: d7361a08f75b742c76b91699d905f5bc39225275e403e4fd2753b22f605789bd
Opcode Fuzzy Hash: 6976438553c7ca93ae8e4aab387bb43b8de11b89a2e984af5930bc347e754654
Instruction Fuzzy Hash: 6E1194312426109BD620EFA6D854F9677F4FF05355B04071DE8C746EA0DB25E808CBE1

Function 6C451B83 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

wcslen.MSVCR120(?,6C451C00,00000014), ref: 6C451BB9
_lock_file.MSVCR120(?,?,6C451C00,00000014), ref: 6C451BC2

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fputwc_nolock.MSVCR120(?,?,6C451C00,00000014), ref: 6C451BE7
_errno.MSVCR120(6C451C00,00000014), ref: 6C474FCE
_invalid_parameter_noinfo.MSVCR120(6C451C00,00000014), ref: 6C474FD9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fputwc_nolock_invalid_parameter_noinfo_lock_lock_filewcslen
String ID:
API String ID: 1101344634-0
Opcode ID: ebcac1f5016f1c0fcd5086224720e683acab79a8da81f82cc376c6970bbc6952
Instruction ID: 7a8bbb3f868b7529d81a4b76c0ad096aa44b70093e7438ec89e9bbc654fdc4c2
Opcode Fuzzy Hash: ebcac1f5016f1c0fcd5086224720e683acab79a8da81f82cc376c6970bbc6952
Instruction Fuzzy Hash: FE110C75A043269B9B11DF798840EFE36B4AF45395B50462DF414EBBC0DF38C9059BE4

Function 6C44CA08 Relevance: 7.5, APIs: 5, Instructions: 46memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C44D40E: EncodePointer.KERNEL32(00000000,?,6C44CA0D,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44D411
Part of subcall function 6C44D40E: __initp_misc_winsig.LIBCMT ref: 6C44D42C
Part of subcall function 6C44D40E: GetModuleHandleW.KERNEL32(kernel32.dll,00000000), ref: 6C44D448
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C44D45C
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C44D46F
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C44D482
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C44D495
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6C44D4A8
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6C44D4BB
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6C44D4CE
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C44D4E1
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6C44D4F4
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6C44D507
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6C44D51A
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6C44D52D
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6C44D540
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6C44D553
Part of subcall function 6C44D40E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6C44D566

__crtFlsAlloc.MSVCR120(?,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44CA1F
_calloc_crt.MSVCR120(00000001,000003BC,?,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44CA3B
__crtFlsSetValue.MSVCR120(00000000,?,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44CA4F
_initptd.MSVCR120(00000000,00000000,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C44CA5D

Part of subcall function 6C431BFD: _lock.MSVCR120(0000000D), ref: 6C431C41
Part of subcall function 6C431BFD: _lock.MSVCR120(0000000C), ref: 6C431C62

GetCurrentThreadId.KERNEL32 ref: 6C44CA64

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressProc$__crt_lock$AllocCurrentEncodeHandleModulePointerThreadValue__initp_misc_winsig_calloc_crt_initptd
String ID:
API String ID: 4031882113-0
Opcode ID: 58ee3ed208efda16ffdf112680dfd83fe0fc87181602f214728802b320ebde84
Instruction ID: 3810e0d49feb251206dfd991f8d9cc05b996454f6c40cf52562bbb6a36d6b076
Opcode Fuzzy Hash: 58ee3ed208efda16ffdf112680dfd83fe0fc87181602f214728802b320ebde84
Instruction Fuzzy Hash: 73F0C23314A62169F724F6757C05FCA3A94CB42679F30461EE874E9AD0EF10C009C5E0

Function 6C437FDE Relevance: 7.5, APIs: 5, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C437FE9
SetFilePointerEx.KERNEL32(00000000,6C475D30,?,00000000,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000), ref: 6C438008
_errno.MSVCR120(00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EE36
GetLastError.KERNEL32(?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EE4A
__dosmaperr.LIBCMT(00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EE51

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr_errno_get_osfhandle
String ID:
API String ID: 1165083932-0
Opcode ID: b2941830a9a2c82ae03b70d1b2ba7c5d2317afc00ad4c83885412d35f0bef5d4
Instruction ID: 24eebb5d58f2e87eea316dab84c8aaa4a5aef4abf35f29829ea7a4307468c146
Opcode Fuzzy Hash: b2941830a9a2c82ae03b70d1b2ba7c5d2317afc00ad4c83885412d35f0bef5d4
Instruction Fuzzy Hash: F201A232711125AFDF11DFA9DC48CDE3B29DB8A271B254349F9289B690EB71D81187E0

Function 6C43E0B5 Relevance: 7.5, APIs: 5, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C43E0FE
_errno.MSVCR120 ref: 6C475EB0
_invalid_parameter_noinfo.MSVCR120 ref: 6C475EBB
_errno.MSVCR120 ref: 6C475ECF
_invalid_parameter_noinfo.MSVCR120 ref: 6C475EE2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 9efad319d91fd8bd55ac6ed90aa64a6e6cc79819995aab4bd78431531782de31
Instruction ID: aa033f4d58d28158d7ac9090c072b16c975095c97cd5bddb0682e6f93f367b2f
Opcode Fuzzy Hash: 9efad319d91fd8bd55ac6ed90aa64a6e6cc79819995aab4bd78431531782de31
Instruction Fuzzy Hash: 1201A2315062389ACB10DFA58C00FEA3774AF89379F105209E83C4AAE0C7798465CBF2

Function 6C435A09 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,6C435A70,0000000C), ref: 6C435A38

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fread_nolock_s.MSVCR120(?,?,?,?,?,6C435A70,0000000C), ref: 6C435A4E

Part of subcall function 6C435938: memcpy_s.MSVCR120(?,?,?,?,00000000), ref: 6C4359E0

Part of subcall function 6C4358ED: _unlock_file.MSVCR120(?,6C435A67), ref: 6C4358EE

memset.MSVCR120(?,00000000,000000FF,?,?,6C435A70,0000000C), ref: 6C475609
_errno.MSVCR120(?,?,6C435A70,0000000C), ref: 6C475611
_invalid_parameter_noinfo.MSVCR120(?,?,6C435A70,0000000C), ref: 6C47561C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_unlock_filememcpy_smemset
String ID:
API String ID: 4031208221-0
Opcode ID: ad9f2dd5ddc88d367b700aae78a0bd04f7fed68a32c7c3c95b7fe959937ccf7a
Instruction ID: 6b8e43fa8971e4675458210539fb0e37e7fdc96af164cf9fb1795e9567014821
Opcode Fuzzy Hash: ad9f2dd5ddc88d367b700aae78a0bd04f7fed68a32c7c3c95b7fe959937ccf7a
Instruction Fuzzy Hash: 93015E71802615EBCF11DFA6DC00DDE3B61AF88365B145119F8281AA60D7358625EFE1

Function 6C433EF3 Relevance: 7.5, APIs: 5, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C433F3C
_errno.MSVCR120 ref: 6C475D50
_invalid_parameter_noinfo.MSVCR120 ref: 6C475D5B
_errno.MSVCR120 ref: 6C475D6D
_invalid_parameter_noinfo.MSVCR120 ref: 6C475D80

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 4eda0d946fa370e038eae1b7dace44a424cc99ccc43b559b5f22e38f5d06c039
Instruction ID: 9beba2defc29ab779645664ddb8bcc839322f402b4e0add47f60c74cb99886a3
Opcode Fuzzy Hash: 4eda0d946fa370e038eae1b7dace44a424cc99ccc43b559b5f22e38f5d06c039
Instruction Fuzzy Hash: 7D01AD315012689ACB11DEAADD04FEA3BA4AF49378F545205E93C0BAE0C775C052CBF2

Function 6C437E9F Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

_localtime64_s.MSVCR120(?,?), ref: 6C437ED4
asctime.MSVCR120(?), ref: 6C437EE3
_errno.MSVCR120(00000000,00000000,00000000,00000000,00000000,0000000B,?,00000001), ref: 6C476901
_invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000,00000000,00000000,0000000B,?,00000001), ref: 6C47690C
_errno.MSVCR120 ref: 6C476916

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime
String ID:
API String ID: 1110404623-0
Opcode ID: b33b47a96b00daefb24340030bb7ef48e9353e6fbba36a87e5cad798756f9fc8
Instruction ID: 83a482bf4248c4146667bcae277c6814bc8d55e32f5810017b7865baea5efbdb
Opcode Fuzzy Hash: b33b47a96b00daefb24340030bb7ef48e9353e6fbba36a87e5cad798756f9fc8
Instruction Fuzzy Hash: 5DF0F471A08218DADB04DFA6DA01FD973E89F8D358F41245EC44CD7E90EB34C8449BB1

Function 6C4A8531 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A8548
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A8553

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A8575
_localtime64_s.MSVCR120(?,?), ref: 6C4A8587

Part of subcall function 6C437888: memset.MSVCR120(?,000000FF,00000024), ref: 6C4378AF
Part of subcall function 6C437888: _get_daylight.MSVCR120(?), ref: 6C4378EA
Part of subcall function 6C437888: _get_dstbias.MSVCR120(?), ref: 6C4378FC
Part of subcall function 6C437888: _get_timezone.MSVCR120(?), ref: 6C43790E
Part of subcall function 6C437888: _gmtime64_s.MSVCR120(?,?), ref: 6C437942
Part of subcall function 6C437888: _gmtime64_s.MSVCR120(?,?), ref: 6C43796C

__wasctime.LIBCMT(?), ref: 6C4A8596

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_gmtime64_s$__wasctime_get_daylight_get_dstbias_get_timezone_invalid_parameter_invalid_parameter_noinfo_localtime64_smemset
String ID:
API String ID: 2959933861-0
Opcode ID: a6067e0b381149316e742672a4bd3eb7821f8c9cfe1f616d84c557919f466727
Instruction ID: c67639016627ae9f0f278143dea54daa7073d4a742b25c4d84bba48bcd75c62f
Opcode Fuzzy Hash: a6067e0b381149316e742672a4bd3eb7821f8c9cfe1f616d84c557919f466727
Instruction Fuzzy Hash: 50F0F471A041489ED708DFE9C800FCA77F8DF1932DF04086BC80487A44EB34C54A87A1

Function 6C44C9B5 Relevance: 7.5, APIs: 5, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

_control87.MSVCR120(00000001,?,00000000,?,6C49CAB9,00000000,00010000,00030000,?,6C480802,?,6C44CCEB,?,?,6C44CD94,00000000), ref: 6C44C9E1
_control87.MSVCR120(00000000,00000000,00000000,?,6C49CAB9,00000000,00010000,00030000,?,6C480802,?,6C44CCEB,?,?,6C44CD94,00000000), ref: 6C4814C2
_errno.MSVCR120(00000000,?,6C49CAB9,00000000,00010000,00030000,?,6C480802,?,6C44CCEB,?,?,6C44CD94,00000000), ref: 6C4814CB
_invalid_parameter_noinfo.MSVCR120(00000000,?,6C49CAB9,00000000,00010000,00030000,?,6C480802,?,6C44CCEB,?,?,6C44CD94,00000000), ref: 6C4814D5
_control87.MSVCR120(00000001,?,00000000,?,6C49CAB9,00000000,00010000,00030000,?,6C480802,?,6C44CCEB,?,?,6C44CD94,00000000), ref: 6C4814E1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _control87$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1498936549-0
Opcode ID: b8281eb09a1cbd4dd0ead9bc02e2e7ab9cc2ae18aa67bca1d8c24307461bbb46
Instruction ID: deb9aa5fefd83f079fa05212add507dfa290686350fa66c51e470ec5fa52f237
Opcode Fuzzy Hash: b8281eb09a1cbd4dd0ead9bc02e2e7ab9cc2ae18aa67bca1d8c24307461bbb46
Instruction Fuzzy Hash: F3F096326497149BE715EE659C02F9A33A4DF04F65F28811EE9599BB80DBB0D40442D4

Function 6C4A0A89 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A0A96
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A0AA1

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A0ABF
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A0ACA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: 475424ba0e096a867894ab4a8339ffc3ab863acb4e767b1e4831fecb20219b77
Instruction ID: b8ff9144dfd69f0d38e7e88951a57db6007d56a25bd5024600a270438579b93c
Opcode Fuzzy Hash: 475424ba0e096a867894ab4a8339ffc3ab863acb4e767b1e4831fecb20219b77
Instruction Fuzzy Hash: 9DF0C8316001095ACF00DFB5C840FA63378AF7136CB148259A8298BBA4D771D84687E1

Function 6C4A6C01 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A6C18
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A6C23

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A6C3D
__localtime32_s.LIBCMT(?,?), ref: 6C4A6C4F

Part of subcall function 6C4A7269: _errno.MSVCR120(?,?,6C4A6C54,?,?), ref: 6C4A7283
Part of subcall function 6C4A7269: _invalid_parameter_noinfo.MSVCR120(?,?,6C4A6C54,?,?), ref: 6C4A728D

asctime.MSVCR120(?), ref: 6C4A6C5E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$__localtime32_s_invalid_parameterasctime
String ID:
API String ID: 4154182036-0
Opcode ID: c7b5fa59cb860e44146926f76e75f1400d86452236a99ea3178f008478cc969a
Instruction ID: e9f5e8dbf51881afaa75c870abe4dd577a2380607c388f1bf3038059f5eeb601
Opcode Fuzzy Hash: c7b5fa59cb860e44146926f76e75f1400d86452236a99ea3178f008478cc969a
Instruction Fuzzy Hash: ADF0CD31A09208AEC700EFF9D940ECAB7F8DF49318F00041AC804CBA48EF34954A8BA0

Function 6C4A8450 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A8467
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A8472

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A848C
__localtime32_s.LIBCMT(?,?), ref: 6C4A849E

Part of subcall function 6C4A7269: _errno.MSVCR120(?,?,6C4A6C54,?,?), ref: 6C4A7283
Part of subcall function 6C4A7269: _invalid_parameter_noinfo.MSVCR120(?,?,6C4A6C54,?,?), ref: 6C4A728D

__wasctime.LIBCMT(?), ref: 6C4A84AD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$__localtime32_s__wasctime_invalid_parameter
String ID:
API String ID: 2302537511-0
Opcode ID: cd562c2c6b21409f16a986e55078e5e219c46a58338694d6e0f46e65be2633d5
Instruction ID: 812f0220c42163aa2edc2205fb3662422792ed4484a1179dcb7a67c1c15c169f
Opcode Fuzzy Hash: cd562c2c6b21409f16a986e55078e5e219c46a58338694d6e0f46e65be2633d5
Instruction Fuzzy Hash: 8EF06D75A042089FD700DFF5D840EDA77F8DF19318F44046FD4449BA44FB34944A8BA1

Function 6C4A0B7E Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A0B88
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A0B93

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A0BB7
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A0BC2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: 6d6395948eedd5649a624c3172034b6550d85d7bc18a98dec504bf27fb883ff1
Instruction ID: af7aebb1108df8734877c688ac560920270a3b7d51ede82232bad20967be5e43
Opcode Fuzzy Hash: 6d6395948eedd5649a624c3172034b6550d85d7bc18a98dec504bf27fb883ff1
Instruction Fuzzy Hash: B1F0E234A4124486DB00DFF6D940EB73B286F723BDB244358A4294BFA8D771884182F1

Function 6C44E3AD Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strnicmp_l.MSVCR120(?,?,?,00000000), ref: 6C44E3C9

Part of subcall function 6C44E311: _tolower_l.MSVCR120(00000000,00000000,?,014281C0,014281C0,?), ref: 6C44E370
Part of subcall function 6C44E311: _tolower_l.MSVCR120(00000000,00000000,00000000,00000000,?,014281C0,014281C0,?), ref: 6C44E37F

_errno.MSVCR120 ref: 6C47AB39
_invalid_parameter_noinfo.MSVCR120 ref: 6C47AB44

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _tolower_l$_errno_invalid_parameter_noinfo_strnicmp_l
String ID:
API String ID: 1343604086-0
Opcode ID: d244380cd29c802b8be9acc9b09a0cc7b9b051f469fe44149256e8652cc5339b
Instruction ID: eec2d165202cdbdc9b6dcb4ea3beb3ef783ce299e50216d0139f72cbffca3db1
Opcode Fuzzy Hash: d244380cd29c802b8be9acc9b09a0cc7b9b051f469fe44149256e8652cc5339b
Instruction Fuzzy Hash: DEF09631541118DBDB21DE55DC00FE97765EF01369F205225E53409BE0C775C855CBE1

Function 6C4BBF3D Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4BBF50
_invalid_parameter_noinfo.MSVCR120 ref: 6C4BBF5B

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4BBF77
_invalid_parameter_noinfo.MSVCR120 ref: 6C4BBF82
__wcsncoll_l.LIBCMT(?,?,?,00000000), ref: 6C4BBF9D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$__wcsncoll_l_invalid_parameter
String ID:
API String ID: 2322608260-0
Opcode ID: d5fea4c42fb125ffba51a8c74191b31608627c061b89bca364bfa1856274dc89
Instruction ID: 43c1833f54986c67256888bef0d400f6c9bc8e82b522d4483e8f05daeefc7302
Opcode Fuzzy Hash: d5fea4c42fb125ffba51a8c74191b31608627c061b89bca364bfa1856274dc89
Instruction Fuzzy Hash: 61F09A31640218DBEF11DE95DC40FE937B4AB053BAF144225A838AABE0CB758465CFF2

Function 6C4BB83A Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4BB84D
_invalid_parameter_noinfo.MSVCR120 ref: 6C4BB858

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4BB874
_invalid_parameter_noinfo.MSVCR120 ref: 6C4BB87F
__strncoll_l.LIBCMT(?,?,?,00000000), ref: 6C4BB89A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$__strncoll_l_invalid_parameter
String ID:
API String ID: 3877343156-0
Opcode ID: 53e60ace8884983c6658314445ba7e71165f9fc49d824e81dd6f6f82156afcda
Instruction ID: f5fbc4333fc684cc4815c4d1da65654a0595269d3d10b624d10b23e8b54b30c0
Opcode Fuzzy Hash: 53e60ace8884983c6658314445ba7e71165f9fc49d824e81dd6f6f82156afcda
Instruction Fuzzy Hash: 23F03031640218DBDB11EE99DC40FE977A4AF413B9F144166E53819BE0CB754455CBF2

Function 6C434D4B Relevance: 7.5, APIs: 5, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C434D84
__doserrno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFCE
_errno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFD6
_errno.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFE6
_invalid_parameter_noinfo.MSVCR120(?,6C437FEE,00000000,00000000,00000000,00000000,00000000,?,6C47E899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C47EFF1

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 44fbca1c8360165fe1635753ed67ce73cb2c59829de19cf171dabfac1bf62c14
Instruction ID: ebba786f7e08caa0dd3f8b8473e1a1d74c01f863988db6235084d7ea1dd6d5fa
Opcode Fuzzy Hash: 44fbca1c8360165fe1635753ed67ce73cb2c59829de19cf171dabfac1bf62c14
Instruction Fuzzy Hash: 5BF090312152245FE716EE6AD890FF83BA49F8636DF14224CE02D4BFA1D775984186E1

Function 6C4A1C8C Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4A1C95
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A1CA0

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4A1CB2
_invalid_parameter_noinfo.MSVCR120 ref: 6C4A1CBD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: b44530d45fed6bfb9e2749c3a7c2443ccc1c9b57e117419d4663897ddb75d736
Instruction ID: 409b7a1a284a0e238f445a1fd601c8dbdaedd154938d2d496e94d6e88a315878
Opcode Fuzzy Hash: b44530d45fed6bfb9e2749c3a7c2443ccc1c9b57e117419d4663897ddb75d736
Instruction Fuzzy Hash: F7F08C31A04918AAC7009FB9DC00FEA36E45F41379F249729E47C9BBE4DB74C84586A1

Function 6C4558DA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120(00000000,00000000), ref: 6C455ABD
_invalid_parameter_noinfo.MSVCR120(00000000,00000000), ref: 6C455AC8

Strings

9, xrefs: 6C455971
0, xrefs: 6C45596A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: 0$9
API String ID: 2959964966-1975997740
Opcode ID: de52dfcae4c3a7dbb3614e954a5accbd2f8c09ba79dae866b76fd9d209d5d2fb
Instruction ID: ba0fe74be5f06315924be757da0a84742baf97e394fbecf56a7e076fd0daf50c
Opcode Fuzzy Hash: de52dfcae4c3a7dbb3614e954a5accbd2f8c09ba79dae866b76fd9d209d5d2fb
Instruction Fuzzy Hash: E4A15975E052198BDB10CFA9C880EEDBBB1FF45305FA4812EE819EBB40E7359855CB80

Function 6C433DB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

g, xrefs: 6C450845
0, xrefs: 6C4339A5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: 0$g
API String ID: 0-4178848223
Opcode ID: 1cd0bc1bd83b1070691577364e05e62d953465f98580e63b56d53afd16ddba9a
Instruction ID: d4e2aa95392d50e09024c37df970290e72abe91d28fe5ec92dacc8749a2c019e
Opcode Fuzzy Hash: 1cd0bc1bd83b1070691577364e05e62d953465f98580e63b56d53afd16ddba9a
Instruction Fuzzy Hash: A591C9B1D062399EEB20CA56CC88FD9BBB4AF9C319F1462D5D41CA3B41D7349E868F50

Function 6C456AE2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6C456B72

Part of subcall function 6C466295: __87except.LIBCMT ref: 6C4662D0

Strings

pow, xrefs: 6C456B4A, 6C456B67

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 549e0db339bfb74aa9f549d59578859a3b5783bfd9f059676870b03d209f1ec8
Instruction ID: 0656bbd73756ba069d375584a9a8c78875113475d516210943a0eeb7f39bcfb9
Opcode Fuzzy Hash: 549e0db339bfb74aa9f549d59578859a3b5783bfd9f059676870b03d209f1ec8
Instruction Fuzzy Hash: 8E511870A0D21196DB01FA16C900FEE3FA4DB4275EF604A5CE4D4C3F9DEB3584E98A4A

Function 6C442E64 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C47B64A
DName::operator+.LIBCMT ref: 6C47B651

Part of subcall function 6C4501E3: DName::DName.LIBCMT ref: 6C45029A
Part of subcall function 6C4501E3: DName::operator+.LIBCMT ref: 6C4502A1

Strings

CV: , xrefs: 6C47B642

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::Name::operator+
String ID: CV:
API String ID: 2649573449-3725821052
Opcode ID: 19ca783ff630a01f0df88e4989b8bdfec05a199410bc116cf0c11421040d1569
Instruction ID: 250bd6d6906a500167fba3c0b6066ec152ecfb34a5409a099d26815ef510aeed
Opcode Fuzzy Hash: 19ca783ff630a01f0df88e4989b8bdfec05a199410bc116cf0c11421040d1569
Instruction Fuzzy Hash: 62413430B451869FEB21CF68C889FE6BBB6EB46304F35816ED411C3B51DB308842CB54

Function 6C445FD6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR120(00000008,?,-00000018,00000000,?,6C47280E,?,00000000,?,-00000018,00000000,00000000), ref: 6C445FEA

Part of subcall function 6C42EE11: malloc.MSVCR120(?), ref: 6C42EE1A

??_U@YAPAXI@Z.MSVCR120(00000000,?,-00000018,00000000,?,6C47280E,?,00000000,?,-00000018,00000000,00000000), ref: 6C44605A
memset.MSVCR120(00000000,00000000,?,?,-00000018,00000000,?,6C47280E,?,00000000,?,-00000018,00000000,00000000), ref: 6C446076

Strings

EDlU, xrefs: 6C445FDC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@mallocmemset
String ID: EDlU
API String ID: 743209956-676647903
Opcode ID: 6f9284117e5982b502a5c341b36fa5947e899f3f902fba4e770be94e90d46c50
Instruction ID: ccb3594ba3b7edfd3fa83edf2da145bfba8d7f16cb6e13cca1608b05633b0d34
Opcode Fuzzy Hash: 6f9284117e5982b502a5c341b36fa5947e899f3f902fba4e770be94e90d46c50
Instruction Fuzzy Hash: 8031A2B16017019FE714CF19C881EABBBE4EF84356724C52EE89ACBB50D735E945CBA0

Function 6C49A621 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C493608: TlsGetValue.KERNEL32(6C4898A4), ref: 6C49361A

GetCurrentThreadId.KERNEL32 ref: 6C49A65B
swprintf_s.MSVCR120(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,?,?,?,?,6C49A4C1,?), ref: 6C49A685
vswprintf.LIBCMT(00000401,00000401,?,6C49A4C1,?,?,?,?,?,6C49A4C1,?), ref: 6C49A6AD

Strings

[%d:%d:%d:%d(%d)] , xrefs: 6C49A67A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentThreadValueswprintf_svswprintf
String ID: [%d:%d:%d:%d(%d)]
API String ID: 281614720-3832470304
Opcode ID: 9c4b73847394a88f31f480786f8062616ebab2cfa3e2ce872a967bf65ada8f38
Instruction ID: f36c77d7669d8466653843e11a858afc84e5e3d4215f58148f7bbfabe2b0ed4e
Opcode Fuzzy Hash: 9c4b73847394a88f31f480786f8062616ebab2cfa3e2ce872a967bf65ada8f38
Instruction Fuzzy Hash: 68212131700210AFDB04CFA9C885E7B7BB9EF88304B55456DE69AC7760DBB09C61C790

Function 6C4482D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCR120(?,00000000,000001CA,20FB68CF,00000000,00000055,00000000,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4482EF
_wcscspn.LIBCMT(6C4481B3,_.,,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C44831B
wcsncpy_s.MSVCR120(?,00000040,6C4481B3,00000000,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C448367
wcsncpy_s.MSVCR120(?,00000010,6C4481B5,0000000F,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4483B0
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C47F768

Strings

_.,, xrefs: 6C448315

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsncpy_s$_invoke_watson_wcscspnmemset
String ID: _.,
API String ID: 1770680180-2709443920
Opcode ID: eacb555db0b540332f3a152feb81a8801ac941cb1a2884e9d7d8003825637500
Instruction ID: 2cf3e79dcf6db69a19ca7f204f72cc6210137cbf64cfbfea44e649a73935c1f8
Opcode Fuzzy Hash: eacb555db0b540332f3a152feb81a8801ac941cb1a2884e9d7d8003825637500
Instruction Fuzzy Hash: 0D1134319052516EFB10CB294C50EBE3768DF02369F74801FEE54DBA81DB319901C6A0

Function 6C4482D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

memset.MSVCR120(?,00000000,000001CA,20FB68CF,00000000,00000055,00000000,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4482EF
_wcscspn.LIBCMT(6C4481B3,_.,,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C44831B
wcsncpy_s.MSVCR120(?,00000040,6C4481B3,00000000,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C448367
wcsncpy_s.MSVCR120(?,00000010,6C4481B5,0000000F,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C4483B0
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,6C4481B3,?,00000000,?,00000000,00000000,00000000), ref: 6C47F768

Strings

_.,, xrefs: 6C448315

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: wcsncpy_s$_invoke_watson_wcscspnmemset
String ID: _.,
API String ID: 1770680180-2709443920
Opcode ID: 287fd582dfe417ac243d6d4783e53bce8fb7cd318f771bb6068841fb619ec0a5
Instruction ID: 311975d2b8446a08e3f3bed1fb104afc6f18b56c163e0dec34f55bea7109e8c6
Opcode Fuzzy Hash: 287fd582dfe417ac243d6d4783e53bce8fb7cd318f771bb6068841fb619ec0a5
Instruction Fuzzy Hash: 991102719012556AFB14CB298C90EBE3368EF01769F74801FFE59EBA80DB319E41C6E4

Function 6C438E94 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

RtlUnwind.KERNEL32(?,6C455811,80000026,00000000,?,?), ref: 6C45580C
_local_unwind2.MSVCR120(?,?,?), ref: 6C455825

Strings

02CV, xrefs: 6C438EEF
&, xrefs: 6C438E9E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Unwind_local_unwind2
String ID: &$02CV
API String ID: 2435528123-3673091860
Opcode ID: dba5c69eb6edd17124daf9ce20e67dac9c6d2af973c24bb756a62c8cd7d49e29
Instruction ID: 902b3c1a33f9c15cd9e1a00242490d2313b76c94841b86b9b6457705d201d798
Opcode Fuzzy Hash: dba5c69eb6edd17124daf9ce20e67dac9c6d2af973c24bb756a62c8cd7d49e29
Instruction Fuzzy Hash: CF114CB19002149FDB00DF85C881F9AFBA4BB08314F551555D918AB785D375EC65CBE1

Function 6C43EAF3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

wcslen.MSVCR120(?), ref: 6C43EB1E
_errno.MSVCR120 ref: 6C475A96
_invalid_parameter_noinfo.MSVCR120 ref: 6C475AA1

Strings

I, xrefs: 6C43EB23

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfowcslen
String ID: I
API String ID: 2689964535-3707901625
Opcode ID: 9c37a6a3ebfe66e9fcd513b538005e3099b3ebd00d8d87435b18cd7b5d3d85b2
Instruction ID: 6a3fc7b11c935f376ed1cac0d5df4fae5e6797c491381771eefdd4600ec2d75b
Opcode Fuzzy Hash: 9c37a6a3ebfe66e9fcd513b538005e3099b3ebd00d8d87435b18cd7b5d3d85b2
Instruction Fuzzy Hash: 56017572C012299BDF10DFA9DC41EFE7B74BF09325F10061AE934A66D0D77985158BE1

Function 6C43ACD3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strlen.MSVCR120(?), ref: 6C43ACFE
_errno.MSVCR120 ref: 6C475A0F
_invalid_parameter_noinfo.MSVCR120 ref: 6C475A1A

Strings

I, xrefs: 6C43AD09

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfostrlen
String ID: I
API String ID: 1371076374-3707901625
Opcode ID: a5f64acb0cfe6047d5516fa7c526f73389597081c2670116c273927e34166219
Instruction ID: 825614886252b056bf9d4391058cf9de99ddbca85f72b9c3b9846e0f26389f51
Opcode Fuzzy Hash: a5f64acb0cfe6047d5516fa7c526f73389597081c2670116c273927e34166219
Instruction Fuzzy Hash: 1A01D471C0022E9FDF10DFA9D800DFE7BB8BF48325F10061AF924A6280DB7985118BE1

Function 6C48F8AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,00000000,.iDl,?,6C472519,00000000,?,00000000,00000000,?,?,?,?,6C4458C9,00000004,6C44692E), ref: 6C48F8BD

Part of subcall function 6C443E7E: __EH_prolog3.LIBCMT ref: 6C443E85

GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000,.iDl,?,6C472519,00000000,?,00000000,00000000,?,?,?,?,6C4458C9), ref: 6C48F8E2
GetProcessAffinityMask.KERNEL32(00000000,?,00000000), ref: 6C48F8E9

Strings

.iDl, xrefs: 6C48F8B1, 6C48F8D2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ProcessVersion@$AffinityConcurrency@@CurrentH_prolog3Manager@1@MaskResource
String ID: .iDl
API String ID: 2898901060-4139667660
Opcode ID: 07cc5c52c581f9f32c4c9e45875bea3c3bb6b800243c57917164bd785d3aaa29
Instruction ID: 7cf8952806aae8fa201775a56a56d94be7858e64fc082f37b54c8f76239656a8
Opcode Fuzzy Hash: 07cc5c52c581f9f32c4c9e45875bea3c3bb6b800243c57917164bd785d3aaa29
Instruction Fuzzy Hash: 1CF03A72311108BFAB10DFADCC48C8ABBECEF5A260751452AFA49C7610D770E94087A5

Function 6C4503E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C450418
DName::operator+.LIBCMT ref: 6C45041F

Strings

WKl, xrefs: 6C450415
unsigned , xrefs: 6C450410

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::Name::operator+
String ID: WKl$unsigned
API String ID: 2649573449-1267401270
Opcode ID: 36636c29834ac073287c31c3916cb9061aa422aecba4d38841a8fe7e225a1b36
Instruction ID: 1439ce54b7e12a81a173d698d2510b47eb83b25238d921105fe7b1964c72bebc
Opcode Fuzzy Hash: 36636c29834ac073287c31c3916cb9061aa422aecba4d38841a8fe7e225a1b36
Instruction Fuzzy Hash: C0F0657DD0114B9E9B84CEBDCA54CEEBBB4EF0520EBA0852E9450E7F04DA349615CB20

Function 6C453F3C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,FFFFFFFE,00000008,?,6C453FA2,00000000,?,6C45427E,00000000,6C454238,0000001C,6C49BBC7,00000000,00000001,00000000), ref: 6C453F4B
GetProcAddress.KERNEL32(FFFFFFFE,CorExitProcess), ref: 6C453F5D

Strings

CorExitProcess, xrefs: 6C453F55
mscoree.dll, xrefs: 6C453F44

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 87151d576590968369210761fe9d7d741a2af2216c4ebefeead224130e9e2085
Instruction ID: cffb0ce6a9a7575859e923df62e7a415396bb8d51ed8fd3cb9201f497b0cf58d
Opcode Fuzzy Hash: 87151d576590968369210761fe9d7d741a2af2216c4ebefeead224130e9e2085
Instruction Fuzzy Hash: C6D01232348108BBEF01DAA5CC05F5E7B7CAF05546F900158B81AD2550DB22DA20A6A9

Function 6C48AF6F Relevance: 6.3, APIs: 5, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCR120(?,?,6C48AF12), ref: 6C48AF79

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

free.MSVCR120(?,?,?,6C48AF12), ref: 6C48AF81
free.MSVCR120(?,?,?,?,6C48AF12), ref: 6C48AF89
free.MSVCR120(?,?,?,?,?,6C48AF12), ref: 6C48AF91
free.MSVCR120(?,?,?,?,?,?,6C48AF12), ref: 6C48AF97

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$FreeHeap
String ID:
API String ID: 32654580-0
Opcode ID: 35c46fae50c05662356181fb7ad4d344ed15a287719cd2b1bd15bcf9abf46fa9
Instruction ID: e4b1e64fafaf18ed5fb333eff7a464d2f16b5169e5412bd0f4b58e2845ca78c2
Opcode Fuzzy Hash: 35c46fae50c05662356181fb7ad4d344ed15a287719cd2b1bd15bcf9abf46fa9
Instruction Fuzzy Hash: 8AD05E31402A205BC722A776ED43ECA76517F0027A30D0D2CBC8121F308B59A818D6D4

Function 6C44E4B5 Relevance: 6.2, APIs: 4, Instructions: 221COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_errno.MSVCR120(00000000,6C45028F,00000000,00000000,0000000A,?,6C47D096,?,?,00000010,00000000,00000000,00000000), ref: 6C45267B
_invalid_parameter_noinfo.MSVCR120(00000000,6C45028F,00000000,00000000,0000000A,?,6C47D096,?,?,00000010,00000000,00000000,00000000), ref: 6C476F90

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2821341848-0
Opcode ID: c78d6a05d8a0d560071064e9d90023594e76daec8ed1c1df4c57b2be8ba333f4
Instruction ID: 37a3d2130646ca3ec59defd60b39bf5852824a1272193b2c4e7b8f0c4635cb77
Opcode Fuzzy Hash: c78d6a05d8a0d560071064e9d90023594e76daec8ed1c1df4c57b2be8ba333f4
Instruction Fuzzy Hash: 8D716C30A492458FEB21CE98C4D1FDDB7F2EF46319F64825AD8A097B81D731D852CBA1

Function 6C43C79B Relevance: 6.2, APIs: 4, Instructions: 204COMMONLIBRARYCODE

Download Yara Rule

APIs

iswctype.MSVCR120(000000A0,00000008,000000A0,?,0000009C,?,?,?,6C4C9BDB,?,00000000), ref: 6C43C7DE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: iswctype
String ID:
API String ID: 304682654-0
Opcode ID: f458ca2586a78459268bcb4b736d6bb2edfedf0da226f2f39c6a32d6ccd335d1
Instruction ID: 789f330a8d3ea738ef8a680ea7c31f4b3f80b971b06aa77a0e54c6c9f1ceb74d
Opcode Fuzzy Hash: f458ca2586a78459268bcb4b736d6bb2edfedf0da226f2f39c6a32d6ccd335d1
Instruction Fuzzy Hash: 15516071D882358AE724DE1AC840F9933A1EBCA76FF60931AEC6857FC0D770D5528650

Function 6C43DCDD Relevance: 6.2, APIs: 4, Instructions: 202stringCOMMON

Download Yara Rule

APIs

_mbtowc_l.MSVCR120(?,?,?,?), ref: 6C43DD43

Part of subcall function 6C43EF00: _isleadbyte_l.MSVCR120(?,?), ref: 6C43EF4B
Part of subcall function 6C43EF00: MultiByteToWideChar.KERNEL32(00000080,00000009,6C475D30,00000001,00000000,00000000), ref: 6C43EF73

strlen.MSVCR120(?), ref: 6C43DDBC
__forcdecpt_l.LIBCMT ref: 6C43DED6
free.MSVCR120(?), ref: 6C43DFCD

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide__forcdecpt_l_isleadbyte_l_mbtowc_lfreestrlen
String ID:
API String ID: 1852445238-0
Opcode ID: 3a8ae3253d87742ad01a66b37f9f0e7205adb0abc0fd2f564433514a92b20627
Instruction ID: 3b45ae729eb728084ba9f57a3dd4f0a877ab0072aa29a1676c932c4e25f83d7f
Opcode Fuzzy Hash: 3a8ae3253d87742ad01a66b37f9f0e7205adb0abc0fd2f564433514a92b20627
Instruction Fuzzy Hash: 887161F1E152399ADB25CB16CC80FD9B7B8AF88319F0451D9E60CA3641D7349AC9CF98

Function 6C43CF18 Relevance: 6.2, APIs: 4, Instructions: 192stringCOMMON

Download Yara Rule

APIs

_mbtowc_l.MSVCR120(?,?,?,?), ref: 6C43D008
strlen.MSVCR120(?), ref: 6C43D081
__forcdecpt_l.LIBCMT ref: 6C43D19B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __forcdecpt_l_mbtowc_lstrlen
String ID:
API String ID: 810383619-0
Opcode ID: e6205bd884e2f2c9398675e8af2c85c5044fc283ce3ba5cc6396f99fdc022120
Instruction ID: 9d05e2de5d8455a0c0d80084b410aafa07fd0935fbe452180482a2b6b6b76053
Opcode Fuzzy Hash: e6205bd884e2f2c9398675e8af2c85c5044fc283ce3ba5cc6396f99fdc022120
Instruction Fuzzy Hash: 83715EF1D152398BDB20CB56CC40FD9B7B8AB88309F1451EAE60CA7641E7359BC58F98

Function 6C448F92 Relevance: 6.2, APIs: 4, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d10ae7b4408229afde17a404f26af3fbaf7022464394c1fa6259a4feaa7f654
Instruction ID: c9208a45891618b0a1423bb500898937b3bb8bded721339f00bdf043cf581d0d
Opcode Fuzzy Hash: 8d10ae7b4408229afde17a404f26af3fbaf7022464394c1fa6259a4feaa7f654
Instruction Fuzzy Hash: 82510676B022058BEB14DF19C980ED937F7EB86319F29812AE814CBB41D331D915CB60

Function 6C48E943 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C48E97B
Concurrency::details::HillClimbing::FlushHistories.LIBCMT ref: 6C48E990

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Climbing::Concurrency::details::Hill$FlushHistoriesHistory
String ID:
API String ID: 2521976074-0
Opcode ID: 9c593d655aa090b54fa74ea58527f0fc575f4aec769c0364910b402b44caf8a3
Instruction ID: c0314a24a17c45fa235f0e760f1f9aef8d14050bb0325762e605db18e274e1c3
Opcode Fuzzy Hash: 9c593d655aa090b54fa74ea58527f0fc575f4aec769c0364910b402b44caf8a3
Instruction Fuzzy Hash: F151BF38A02A06ABCB08DF24D4C0ED9FBB4FF49744F158659C8AA53641EF31E964CBD1

Function 6C48AB18 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C489F50,?,?,?,?,00000000,00000000), ref: 6C48AB46
??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C489F50,?,?,?,?,00000000,00000000), ref: 6C48AB66
free.MSVCR120(?), ref: 6C48AC8A
free.MSVCR120(?), ref: 6C48AC93

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 18214f1ebb69e61ce8dd15747d9ea3c5218b36c8b23233d7e3175f5c03915d63
Instruction ID: cfb96c7b9e9648ab70d5454fdae33eb697df75cb07ab52e9266af8a8191a569b
Opcode Fuzzy Hash: 18214f1ebb69e61ce8dd15747d9ea3c5218b36c8b23233d7e3175f5c03915d63
Instruction Fuzzy Hash: F25108B5A01A06AFDB04CF69C581A99F7F1FF48314F24826ED81997B40D774E951CF90

Function 6C441928 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

_CRT_RTC_INITW.MSVCR120(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C4415A6
free.MSVCR120(00006A69), ref: 6C441A0D
free.MSVCR120(?,00006A69), ref: 6C441A4A
free.MSVCR120(?,?,00006A69), ref: 6C441A55
free.MSVCR120(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C47F99E
free.MSVCR120(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C47F9B7
free.MSVCR120(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C47F9D0
free.MSVCR120(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C47F9D9
free.MSVCR120(?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C47F9EB

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d8a231b5b15368798ce2d7599a883869612246e5cc507f460f5356734aa6a1bf
Instruction ID: f90a28856f46b04260db0b19e6d61e784374055cd8562072f4b40a3c6a4958fa
Opcode Fuzzy Hash: d8a231b5b15368798ce2d7599a883869612246e5cc507f460f5356734aa6a1bf
Instruction Fuzzy Hash: 024150326091859FE701CF359881FE17FB4EF4733673882DAD845DA626D631C852CB91

Function 6C490245 Relevance: 6.1, APIs: 4, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 6C490296
Concurrency::details::SchedulerProxy::AddCore.LIBCMT ref: 6C490372
Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCMT ref: 6C490388
Concurrency::details::ResourceManager::SendResourceNotifications.LIBCMT ref: 6C4903C7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$Resource$AdjustAllocationBorrowedCoreIncreaseManager::NotificationsSendStateToggle
String ID:
API String ID: 772867930-0
Opcode ID: de3868945a6524268160681985767abd92d420b5dde3f85a6753c6faea0fef0f
Instruction ID: 5b9e08c3cef83060cf8a3811ffb89b7aba0e0d9d1a526655a2beae3a5555ff32
Opcode Fuzzy Hash: de3868945a6524268160681985767abd92d420b5dde3f85a6753c6faea0fef0f
Instruction Fuzzy Hash: A0517770A042699FCB15CFA8C4D0EAEBBB6BF4D318F24415DD846A7B41C731A946CB91

Function 6C4898FE Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ec8090c9f45b2dfe9fa0f7f5550e1db0235acb843716e8d043a3f298008b6455
Instruction ID: 861f525944c78fbe3237a4f05aeb64017c76995d189d624fbc4a921c35c34c9c
Opcode Fuzzy Hash: ec8090c9f45b2dfe9fa0f7f5550e1db0235acb843716e8d043a3f298008b6455
Instruction Fuzzy Hash: 3531E8302096308FEE21CD2D45C0EBA6B959FA125EF24452ED87997F91C723D84BC691

Function 6C443B15 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168c5926f176a51ca014f0c620caeda83551a452a0a67a2ee9b6ed0fcb278838
Instruction ID: baf1a015af840a4336f5e19fee4b14f74318822ecc2cc6119b18c440f70e4ba3
Opcode Fuzzy Hash: 168c5926f176a51ca014f0c620caeda83551a452a0a67a2ee9b6ed0fcb278838
Instruction Fuzzy Hash: E241B1302093018FE725CF29C981F56B7E1EF85329F24866DE15A8BAD1D730E845CB92

Function 6C4465EE Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36718de76f5c1d9e3f974a9037feca28bdc76c112b1e92968f297b7ad33f574b
Instruction ID: 45f56bffbfbb1b6ee2f07e12e10a65228dc16bf5ab0fd2245b3c9978ecd722f1
Opcode Fuzzy Hash: 36718de76f5c1d9e3f974a9037feca28bdc76c112b1e92968f297b7ad33f574b
Instruction Fuzzy Hash: CE41BD70A05215DFEB29CB29C981F9AB7F1FF45325F2482ADD1169BA80D730A941CB91

Function 6C48A760 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C48A811
memset.MSVCR120(00000000,00000000,00000000,00000000), ref: 6C48A826
??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,00000000,00000000), ref: 6C48A82D
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120 ref: 6C48A8A3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@memset
String ID:
API String ID: 3776030036-0
Opcode ID: 423d9f86278f68586f1e8b62bd8674752f7f93ba53b6e41dd0cf4f8c555c9b28
Instruction ID: 5bbbfd196da535ee7043503ea31689779e1cf097629afc011d1ec4effdfb0470
Opcode Fuzzy Hash: 423d9f86278f68586f1e8b62bd8674752f7f93ba53b6e41dd0cf4f8c555c9b28
Instruction Fuzzy Hash: 0B41817160A3018FD725CF29C980F16B7E1BF85325F548A6DE1568BAD0D770E84ACBD2

Function 6C44A069 Relevance: 6.1, APIs: 4, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

__isctype_l.LIBCMT(00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004), ref: 6C477097
_isleadbyte_l.MSVCR120(?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000000,00000000,00000000,00000004,00000000), ref: 6C4770D8
__crtLCMapStringA.MSVCR120(00000000,?,00000100,00000004,00000001,00000000,00000003,?,00000001,00000001,00000000,00000000,00000000,00000000,00000000,00000001), ref: 6C477128

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: String__crt__isctype_l_getptd_isleadbyte_l
String ID:
API String ID: 4137432777-0
Opcode ID: fab5e595c3bcd69590cecc153e18bd09cef618834cf9b2e290d69a79d7d2e43a
Instruction ID: 167a50729109aca3d1b07e7cba514128c3ef7f386ef4e284fd6d7ae90197092d
Opcode Fuzzy Hash: fab5e595c3bcd69590cecc153e18bd09cef618834cf9b2e290d69a79d7d2e43a
Instruction Fuzzy Hash: D141F930D08245AFDB12CFA9C845FED7BB0EF4231AF2482A9E1605B791D736C646CB91

Function 6C4501E3 Relevance: 6.1, APIs: 4, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C45029A
DName::operator+.LIBCMT ref: 6C4502A1
UnDecorator::getOperatorName.LIBCMT ref: 6C47D3E5
DName::DName.LIBCMT ref: 6C47D41C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Name$Name::$Decorator::getName::operator+Operator
String ID:
API String ID: 2296986881-0
Opcode ID: ceee5a34558d0a3673d41a25be0f275720379285662885ad47559166a662d0b9
Instruction ID: ff200f9b76c97db8219de201754c896b97b5fad64b721bf00e0b1153b7388d17
Opcode Fuzzy Hash: ceee5a34558d0a3673d41a25be0f275720379285662885ad47559166a662d0b9
Instruction Fuzzy Hash: 7041AD75B44289AFDB04CF98C881FEDBBB8BB46304F10816EE051D7790DB709A49CB94

Function 6C497EB9 Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C497EC0
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCMT ref: 6C497F15
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C497F50
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C497F98
??0exception@std@@QAE@XZ.MSVCR120(00000048,?), ref: 6C497FCC

Part of subcall function 6C434872: TlsGetValue.KERNEL32(?,6C4348CA,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C43488E

_CxxThrowException.MSVCR120(6C487484,6C4FCEB0), ref: 6C497FE1

Part of subcall function 6C4392EB: RaiseException.KERNEL32(?,?,?,6C44C7FC,?,?,?,?,?,6C47DA6A,?,6C44C7FC,?,00000001), ref: 6C439333

??0exception@std@@QAE@XZ.MSVCR120(?,?,?,?,?,?,?,6C487484,6C4FCEB0), ref: 6C498006
?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR120(00000048,?,6C4FD0DC), ref: 6C498061
Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C498081
??0exception@std@@QAE@XZ.MSVCR120(00000000,?,00000048,?,6C4FD0DC), ref: 6C498091

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??0exception@std@@Base::CancellationConcurrency::details::ContextVisible$ExceptionTask$Abort@_Base::_CollectionCollection@details@Concurrency::details::_Concurrency@@H_prolog3_catchRaiseStateStructuredThrowTokenValue
String ID:
API String ID: 4223231496-0
Opcode ID: 877b0b92a9a62ce399c1f38d7e816936787c409cd4bbdab36f5e712c89c73db6
Instruction ID: 1ca9dcbe51b232b18ddcb42767eb01b76a90ab00fe6a6bf19ff168ac16281fca
Opcode Fuzzy Hash: 877b0b92a9a62ce399c1f38d7e816936787c409cd4bbdab36f5e712c89c73db6
Instruction Fuzzy Hash: 8C416D70A096169FDB18CF6AC590EAABBF4FF48319B14801DE95AA7F51C734E901CF90

Function 6C43EF00 Relevance: 6.1, APIs: 4, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_isleadbyte_l.MSVCR120(?,?), ref: 6C43EF4B
MultiByteToWideChar.KERNEL32(00000080,00000009,6C475D30,00000001,00000000,00000000), ref: 6C43EF73
MultiByteToWideChar.KERNEL32(00000080,00000009,6C475D30,00000001,00000000,00000000), ref: 6C476F4D
_errno.MSVCR120 ref: 6C476F6D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ByteCharMultiWide$_errno_getptd_isleadbyte_l
String ID:
API String ID: 3831352077-0
Opcode ID: ee853955cc0cbae45e18bb0f2c0d028b9052a7bfb922f65fd7131dc191eb3c6a
Instruction ID: 2693b18ab263174c272424004f4c2f0d62b27bcd923110ccffc85896a4a7289c
Opcode Fuzzy Hash: ee853955cc0cbae45e18bb0f2c0d028b9052a7bfb922f65fd7131dc191eb3c6a
Instruction Fuzzy Hash: CE31C530606256AFDB21CE36CC84FEA7BB6EF45319F114519E428D7A90E730D851CBE0

Function 6C435857 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(00000001,6C4358A0,00000010,6C43639E,6C4363D0,00000008), ref: 6C43586C

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

_malloc_crt.MSVCR120(00000038,6C4358A0,00000010,6C43639E,6C4363D0,00000008), ref: 6C475A37
__crtInitializeCriticalSectionEx.MSVCR120(?,00000FA0,00000000,6C4358A0,00000010,6C43639E,6C4363D0,00000008), ref: 6C475A61
EnterCriticalSection.KERNEL32(?), ref: 6C475A75

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$Enter$Initialize__crt_lock_malloc_crt
String ID:
API String ID: 1908659308-0
Opcode ID: 118e6884cebb49ebbf3fd4ca12a54e882d385ac083a927c1d7c3cadb2f2d7d5f
Instruction ID: b488f70d49015c647f0a1d84ed2b501318d5c0232d10b147ac47040bbb4045f0
Opcode Fuzzy Hash: 118e6884cebb49ebbf3fd4ca12a54e882d385ac083a927c1d7c3cadb2f2d7d5f
Instruction Fuzzy Hash: B531EE31A053228FE724CF6AE480E5977F0BF8D324B65516DE86A8BB80CB30E451CF95

Function 6C443F7C Relevance: 6.1, APIs: 4, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C443F83
??_U@YAPAXI@Z.MSVCR120(00000000,00000004,6C443C4A,?,00000001), ref: 6C444013
memset.MSVCR120(00000000,00000000,?,00000004,6C443C4A,?,00000001), ref: 6C44402B
??_U@YAPAXI@Z.MSVCR120(00000010), ref: 6C444044

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: H_prolog3memset
String ID:
API String ID: 747782440-0
Opcode ID: 07e671677730e19429c21309c20edd7b82d5b9a47580f05626f6c3d89539c0ca
Instruction ID: 1c78bed479bc69fc28a631f81824cfd5a466757757779649dca6f4d8887f4005
Opcode Fuzzy Hash: 07e671677730e19429c21309c20edd7b82d5b9a47580f05626f6c3d89539c0ca
Instruction Fuzzy Hash: 1D31B2B1901B409FD764CF2A8541A56FBF8BF98714B109A1FD1EAC7BA0C7B0A505CF54

Function 6C431D79 Relevance: 6.1, APIs: 4, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_towlower_l.MSVCR120(?,?), ref: 6C431DBB

Part of subcall function 6C431CD0: iswctype.MSVCR120(?,00000001,?,?,?,?,?), ref: 6C431D12

_towlower_l.MSVCR120(00000000,?,?,?), ref: 6C431DCE
_errno.MSVCR120(?), ref: 6C47ABFA
_invalid_parameter_noinfo.MSVCR120(?), ref: 6C47AC05

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _towlower_l$_errno_getptd_invalid_parameter_noinfoiswctype
String ID:
API String ID: 1468503887-0
Opcode ID: 38a39bd1a0b66247343e370a84c995297be80ab28bcbabd15c118810698fdc25
Instruction ID: 01d6c54213049e279f1d6688ba4d7225dc393b120fcd9ee4b14814c2c4d66d40
Opcode Fuzzy Hash: 38a39bd1a0b66247343e370a84c995297be80ab28bcbabd15c118810698fdc25
Instruction Fuzzy Hash: 5021AB3290027046EB20CEDAC840FF633A9EB5565AF64811AE8A40B7C4E730D841E3B1

Function 6C452FD4 Relevance: 6.1, APIs: 4, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_calloc_crt.MSVCR120(00000001,00000004,00000000,?,00000000,?,6C453036,00000000,00000000,?,014281C0), ref: 6C452FF8
_wcsdup.MSVCR120(00000000,00000000,?,00000000,?,6C453036,00000000,00000000,?,014281C0), ref: 6C453014

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _calloc_crt_wcsdup
String ID:
API String ID: 1800982338-0
Opcode ID: 21d91ad0df4d3d9d656eefdccc6aad17a0984f9c1b04e687c45a499a0bff9197
Instruction ID: 4bafcad1935decb6291ff4d3a81f8abf6ffa206f5a0278ee56f74a081b4125a9
Opcode Fuzzy Hash: 21d91ad0df4d3d9d656eefdccc6aad17a0984f9c1b04e687c45a499a0bff9197
Instruction Fuzzy Hash: B711DF73B062159BE720CE5DEC00E66B7F8DB81B6AB65022EEC58D7B40DB21D811C790

Function 6C452C60 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT(-00000002,6C452CB8,?,6C501218,6C452DD4), ref: 6C452C85
_wmatch.LIBCMT ref: 6C473E9F

Part of subcall function 6C452C27: _malloc_crt.MSVCR120(00000008,?,6C49C85C,00000000,00000000,00000000,00000001,00000000), ref: 6C452C2C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _malloc_crt_wcspbrk_wmatch
String ID:
API String ID: 2060052928-0
Opcode ID: 9cb451153588d52ec80393467a254eb298db313f7ddccd9581e2373ab0c29841
Instruction ID: f5c916f5dde85b7f57aaf1fc1a646ccd6e88aab105acbf2e76c99f4803bd9989
Opcode Fuzzy Hash: 9cb451153588d52ec80393467a254eb298db313f7ddccd9581e2373ab0c29841
Instruction Fuzzy Hash: 4E21F672B026128BE722CF19D804D0673F8EB467293A5061FD851DBB61DF31D851CB84

Function 6C44E311 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C42F764: _getptd.MSVCR120(00000001,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C42F77A

_tolower_l.MSVCR120(00000000,00000000,?,014281C0,014281C0,?), ref: 6C44E370
_tolower_l.MSVCR120(00000000,00000000,00000000,00000000,?,014281C0,014281C0,?), ref: 6C44E37F
_errno.MSVCR120(?,014281C0,014281C0,?), ref: 6C452AB7
_invalid_parameter_noinfo.MSVCR120(?,014281C0,014281C0,?), ref: 6C47AB87

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _tolower_l$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3234443108-0
Opcode ID: ed9bf525f1c48ced1e15b51d219a628de9eaefb9c13ec554bb3020071ed2572a
Instruction ID: 5e7c9e2eefa4905ba8ea2dad37f9ceaffe769253f00d5898f7f78d712b0ba529
Opcode Fuzzy Hash: ed9bf525f1c48ced1e15b51d219a628de9eaefb9c13ec554bb3020071ed2572a
Instruction Fuzzy Hash: 29112731901255ABEB22CE68DC88FFE7B65EF45259F614269EC3057F80DB348C14C6E1

Function 6C453DB3 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(000001F0,00000000,?,?,00000000,?,6C493F86,00000000,00000001), ref: 6C453DD2
CloseHandle.KERNEL32(?,?,00000000,?,6C493F86,00000000,00000001), ref: 6C453DF2
InterlockedPushEntrySList.KERNEL32(000001F0,?,?,00000000,?,6C493F86,00000000,00000001), ref: 6C453E0A
TlsSetValue.KERNEL32(?,?,6C4FCFF4,00000000,00000000), ref: 6C4730E3

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
String ID:
API String ID: 94243546-0
Opcode ID: daeb5baf0a33f011dfa30f4781e1515b152d13262786a19c0a0a78e8beff20d9
Instruction ID: a0ff6c8e5f4d7387b9d07993c94706ae35aab3b9a73eae3ddba252941f1b4271
Opcode Fuzzy Hash: daeb5baf0a33f011dfa30f4781e1515b152d13262786a19c0a0a78e8beff20d9
Instruction Fuzzy Hash: D321DC313056009FDB11CF25C888FAA77B8AF46325F44052DFA8A8B641CB70E819CBB5

Function 6C453B18 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 6C453B52
GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 6C453B6C
towupper.MSVCR120(0000003D), ref: 6C453B9C
SetEnvironmentVariableW.KERNEL32(?,?), ref: 6C453BB8
GetLastError.KERNEL32 ref: 6C453BEC
__doserrno.MSVCR120 ref: 6C474759
_errno.MSVCR120 ref: 6C474761
_invalid_parameter_noinfo.MSVCR120 ref: 6C47476C
_calloc_crt.MSVCR120(00000001,00000002), ref: 6C47477C
GetCurrentDirectoryW.KERNEL32(00000001,00000000), ref: 6C4747A4
__dosmaperr.LIBCMT(00000000), ref: 6C4747B2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentDirectory$EnvironmentErrorLastVariable__doserrno__dosmaperr_calloc_crt_errno_invalid_parameter_noinfotowupper
String ID:
API String ID: 3078873410-0
Opcode ID: 7727bb5be3ba91e9ccde0709a55d21db51a06bb7f1fbdf7309e4681081f5d8a8
Instruction ID: c5deeed9a97796a162b3a44099965fb97d4b3c6f79a6463514b93cdb8ba07a3f
Opcode Fuzzy Hash: 7727bb5be3ba91e9ccde0709a55d21db51a06bb7f1fbdf7309e4681081f5d8a8
Instruction Fuzzy Hash: 0D11D235B052089AEB10CFA49C88FEEB7B8EF05715F60456AE415DB280E734CA84CBA4

Function 6C495A72 Relevance: 6.1, APIs: 4, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C495A79
Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCMT ref: 6C495AC3
EnterCriticalSection.KERNEL32(?), ref: 6C495AD3
LeaveCriticalSection.KERNEL32(?), ref: 6C495B2C

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$BorrowedConcurrency::details::EnterH_prolog3LeaveProxy::SchedulerStateToggle
String ID:
API String ID: 3260543872-0
Opcode ID: 2425a62d3326f2c0baf9f84cf760a8bd6fdf4816f32855176e718b4868b4fb32
Instruction ID: 28a21d48eb6c7763e615682d7b752150f747009bf309fd73e0996a0e7a1a7d57
Opcode Fuzzy Hash: 2425a62d3326f2c0baf9f84cf760a8bd6fdf4816f32855176e718b4868b4fb32
Instruction Fuzzy Hash: DC2166702052119FEB08CF25C4D4FA9BFB0BF4531AF248289EC198BB92C770E845CB95

Function 6C44DD80 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,?,?,6C44DE20,00000014), ref: 6C44DDCC

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fgetwc_nolock.MSVCR120(?,?,?,6C44DE20,00000014), ref: 6C44DDE0
_errno.MSVCR120(6C44DE20,00000014), ref: 6C45175F
_invalid_parameter_noinfo.MSVCR120(6C44DE20,00000014), ref: 6C474F61

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
String ID:
API String ID: 3916178533-0
Opcode ID: 2e920713d65c016b24982c3c986d5c9e7939d27b6bd8605e9b403d3975627824
Instruction ID: 7c8be9c5a8d09e034974fdff259ef24f6b334d9c785728658237b92c344988f7
Opcode Fuzzy Hash: 2e920713d65c016b24982c3c986d5c9e7939d27b6bd8605e9b403d3975627824
Instruction Fuzzy Hash: 261181309016259FEB12CF79C440FAE36A0EF09759F31D55AD8249AB40D738C546CBD5

Function 6C44FE3C Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

_fileno.MSVCR120(?,?,?,?,?,?,?,6C44FDFE,?,?,?), ref: 6C44FE82
_lseek.MSVCR120(00000000,?,?,?,?,?,?,6C44FDFE,?,?,?), ref: 6C44FE89
_errno.MSVCR120(?,?,6C44FDFE,?,?,?,?,?,?,?,?,?,6C44FE20,0000000C), ref: 6C475631
_ftell_nolock.MSVCR120(?,?,?,?,?,6C44FDFE,?,?,?,?,?,?,?,?,?,6C44FE20), ref: 6C475645

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fileno_ftell_nolock_lseek
String ID:
API String ID: 1482834326-0
Opcode ID: e1b8fd3bb3692f9a2688dcc8388ed6d6cb7c2fe34ff5bc3a77c116305ee9a9b1
Instruction ID: 54333cc36d2d7afc069a4133a536b592bf71bb92c217a420ae62e8186db6f641
Opcode Fuzzy Hash: e1b8fd3bb3692f9a2688dcc8388ed6d6cb7c2fe34ff5bc3a77c116305ee9a9b1
Instruction Fuzzy Hash: 2711E532102B145BF710CA29C840EDA7398EF563B9B30C219E878A7A92D736E50687E4

Function 6C49A80B Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120 ref: 6C49A830

Part of subcall function 6C488D76: _SpinWait.LIBCMT(?,?,6C48F2B2,00000000), ref: 6C488D8E

Concurrency::details::InternalContextBase::PrepareForUse.LIBCMT ref: 6C49A84D
Concurrency::details::ScheduleGroupSegmentBase::GetInternalContext.LIBCMT ref: 6C49A859
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCMT ref: 6C49A874

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Base::Concurrency::details::ContextInternalSpin$Concurrency@@DeferredGroupOnce@?$_PrepareScheduleSchedulerSegmentWaitWait@$00@details@
String ID:
API String ID: 1328162323-0
Opcode ID: 0d65ffd8c19dec198f197102dfe9ee5edfb3439bdfc6c72da2b67ac49bc786d4
Instruction ID: ca7bc38e644680ae50259fe17eede212524bb15d35056795fe37d109fd72e7a2
Opcode Fuzzy Hash: 0d65ffd8c19dec198f197102dfe9ee5edfb3439bdfc6c72da2b67ac49bc786d4
Instruction Fuzzy Hash: 3611CE75A04714AFC710DE69C880DA6BBA9EF85358B00492EE96107B50CB31E80BCFA2

Function 6C4E22C0 Relevance: 6.1, APIs: 4, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_ldtest.MSVCR120(?), ref: 6C4E22C7
sqrt.MSVCR120(?,?), ref: 6C4E2311
_log1p.LIBCMT(?,?), ref: 6C4E2328

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _ldtest_log1psqrt
String ID:
API String ID: 198549442-0
Opcode ID: 4329c7d424005c2d7e36900945d16f89867680177f7286a61f7a8f94b8b0b72c
Instruction ID: e7ffd87cd3cd837a752b9315213692596c10e7384fef68d5af3fdc6b01a5af9f
Opcode Fuzzy Hash: 4329c7d424005c2d7e36900945d16f89867680177f7286a61f7a8f94b8b0b72c
Instruction Fuzzy Hash: 5501D6B3D0090DA1CF15BA50E548EC57B78EB0BBA6B224948D589A1BA5FF2289944AC4

Function 6C4AABA2 Relevance: 6.1, APIs: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C4AABB0
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AABBB

Part of subcall function 6C4C4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C49B412,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C4C4677

_errno.MSVCR120 ref: 6C4AABCC
_invalid_parameter_noinfo.MSVCR120 ref: 6C4AABD7

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
String ID:
API String ID: 1328987296-0
Opcode ID: 30a932556a2887eb90f6c4205129141b8376bceff24a984aedeffff12ab9b976
Instruction ID: 2b962c9050e8de0dcfe9f305c86987f0ff980f265969f0cbbeb0a8698cdbb445
Opcode Fuzzy Hash: 30a932556a2887eb90f6c4205129141b8376bceff24a984aedeffff12ab9b976
Instruction Fuzzy Hash: 2B115C30B092546BE712DFA58800FA877619F91B1DF24459D99B00FB99D77284878BA0

Function 6C44C50F Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strlen.MSVCR120(00000000,6C503B90,00000001,?,6C49C4E5,00000000,00000000), ref: 6C44C521
malloc.MSVCR120(00000001,00000000,6C503B90,00000001,?,6C49C4E5,00000000,00000000), ref: 6C44C52A

Part of subcall function 6C42ED30: HeapAlloc.KERNEL32(01410000,00000000,6C49C0AD,00000000,?,00000000,?,6C43223C,6C49C0AD,6C503B90,6C503B90,?,?,6C49C0AD,?,00000000), ref: 6C42ED5D

strcpy_s.MSVCR120(00000000,00000001,00000000,6C503B90,00000001,?,6C49C4E5,00000000,00000000), ref: 6C44C53C
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C47603D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AllocHeap_invoke_watsonmallocstrcpy_sstrlen
String ID:
API String ID: 4191897266-0
Opcode ID: 7e3913ea4bbe5590477aef437292c44a840911bebf62fcb2155f105b1f15f24f
Instruction ID: 0cd95d94b0aced8d9abc77997c31993ddd7ff2ea78581470b5e5b878eac85cfe
Opcode Fuzzy Hash: 7e3913ea4bbe5590477aef437292c44a840911bebf62fcb2155f105b1f15f24f
Instruction Fuzzy Hash: 14F0AC327092042BF710D9BAAC45EE73798C78826DB50843DFC0CC1A00FB26885581D0

Function 6C44D9D8 Relevance: 6.1, APIs: 4, Instructions: 53timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6C47F3F5
GetCurrentThreadId.KERNEL32 ref: 6C47F404
GetCurrentProcessId.KERNEL32 ref: 6C47F40D
QueryPerformanceCounter.KERNEL32(?), ref: 6C47F41A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ea4f4fc4606c97c0a4f4cee14aec1b6bbf5fbf1d78700c9036b48375ca3accfe
Instruction ID: dbf4c6690e33e69466b3e7c6e85063d6adb5acedc30f6a37c01a85e477eaa618
Opcode Fuzzy Hash: ea4f4fc4606c97c0a4f4cee14aec1b6bbf5fbf1d78700c9036b48375ca3accfe
Instruction Fuzzy Hash: 18114F71E062089BDF14DFB9D954EAEB7F4EF59315FA1056AD502E7240DB308A018B58

Function 6C495C64 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,6C48CA56,?,?,00000000), ref: 6C495CC3
List.LIBCMT ref: 6C495CCD
LeaveCriticalSection.KERNEL32(?,?,?,?,?,6C48CA56,?,?,00000000), ref: 6C495CD3
free.MSVCR120(?,?,?,?,6C48CA56,?,?,00000000), ref: 6C495CE0

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$EnterLeaveListfree
String ID:
API String ID: 645074056-0
Opcode ID: c3974cbb93451387e5505e85ac7ccaa0aa1ac1f17288a870013cf8793c16a0aa
Instruction ID: def6b4d8ca57b69b9b0e1f78725caf568da3cd9883417e198b1cf471a9c1dff5
Opcode Fuzzy Hash: c3974cbb93451387e5505e85ac7ccaa0aa1ac1f17288a870013cf8793c16a0aa
Instruction Fuzzy Hash: 04119A72601210AFCB18DF19D895D99FBB8FF59324725419AE8069B752C732AD02CBA8

Function 6C43F81C Relevance: 6.1, APIs: 4, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.MSVCR120(6C43F8A8,0000000C,6C43F8E3,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C43F82D
_lock.MSVCR120(0000000D,6C43F8A8,0000000C,6C43F8E3,00000000,?,6C44E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C43F845

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

free.MSVCR120(?,6C43F8A8,0000000C,6C43F8E3,00000000,?,6C44E01F,00000000), ref: 6C47758A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalEnterSection_getptd_lockfree
String ID:
API String ID: 2954757286-0
Opcode ID: f4842cdf03a805ceb12439b6b83dfc7d835c2f47ad7548c5e0a566774bf67bf8
Instruction ID: e019fee1eba2143e46fcac794ca740a96bb47385f9f2d0d38d55a77a75ca46fd
Opcode Fuzzy Hash: f4842cdf03a805ceb12439b6b83dfc7d835c2f47ad7548c5e0a566774bf67bf8
Instruction Fuzzy Hash: 3711A331D036329BEB19DB6A8041E9973A0BB89779B60059DDC74A7F80CB34A942CBD5

Function 6C4984C9 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C4984D0
??0event@Concurrency@@QAE@XZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 6C498500

Part of subcall function 6C48B72C: ??0critical_section@Concurrency@@QAE@XZ.MSVCR120(00000000,6C4986D2,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48B73C

?set@event@Concurrency@@QAEXXZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 6C498549
Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C498560

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$??0critical_section@??0event@?set@event@Base::Concurrency::details::ContextCreateH_prolog3QueueWork
String ID:
API String ID: 639136014-0
Opcode ID: 0c20e953129c7c680c6f0eee40e8fcb829a6273e1b066c113b2bb2cfe0408b38
Instruction ID: 17c44a0db8f80e7182cfabd5f77ef1e8618a2af36f580708ebb3118d1ad5541e
Opcode Fuzzy Hash: 0c20e953129c7c680c6f0eee40e8fcb829a6273e1b066c113b2bb2cfe0408b38
Instruction Fuzzy Hash: 5621D671901B108FD765CF39C140B9ABBF0BF44769F109A1EC5AA87B90DB75E548CB84

Function 6C443D39 Relevance: 6.1, APIs: 4, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C443D40
??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR120(6C4348CA,00000000,0000000C,6C443E4B,?,00000000,?,6C443A7E,?,6C4348CA), ref: 6C443D69
memcpy.MSVCR120(6C4348CA,00000000,00000028,0000000C,6C443E4B,?,00000000,?,6C443A7E,?,6C4348CA), ref: 6C473017

Part of subcall function 6C446A07: __EH_prolog3.LIBCMT ref: 6C446A0E
Part of subcall function 6C446A07: ??2@YAPAXI@Z.MSVCR120(00000210,0000000C,6C443D89,0000000C,6C443E4B,?,00000000,?,6C443A7E,?,6C4348CA), ref: 6C446A75

Part of subcall function 6C444FC6: ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR120(5425FDEF,?,00000180,?), ref: 6C445027
Part of subcall function 6C444FC6: ??_U@YAPAXI@Z.MSVCR120(00000000,5425FDEF,?,00000180,?), ref: 6C445059
Part of subcall function 6C444FC6: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C4450A3
Part of subcall function 6C444FC6: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C4450BB
Part of subcall function 6C444FC6: memset.MSVCR120(?,00000000,?), ref: 6C4450D1

free.MSVCR120(6C4348CA,?,6C4348CA), ref: 6C443DA3

Part of subcall function 6C42ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C473D3A,00000000,6C431782,6C49B407,?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?), ref: 6C42ECF4

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@H_prolog3$??2@Count@FreeHeapNodePolicy@ProcessorSchedulerfreememcpymemset
String ID:
API String ID: 3530969603-0
Opcode ID: c6230baae0f58bed82e07e0b228eced703c16d89430962c4cb03102e72f47288
Instruction ID: bbc2e1283f88ed607c32b3444189bb1a3f985e3936f056f010e452d4779d0ada
Opcode Fuzzy Hash: c6230baae0f58bed82e07e0b228eced703c16d89430962c4cb03102e72f47288
Instruction Fuzzy Hash: 86116A34B042448BEB09CF64C891FDD77B0FF89709F24856EE814DBB90DB3599488B85

Function 6C44CFF8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C44CFFF
__AdjustPointer.MSVCR120(00000000,00000009,00000004,6C44D125,00000000,?,00000001,?), ref: 6C44D02E
__AdjustPointer.MSVCR120(00000000,00000009,00000001,00000004,6C44D125,00000000,?,00000001,?), ref: 6C473978
memcpy.MSVCR120(?,00000000,00000003,00000004,6C44D125,00000000,?,00000001,?,?,00000001), ref: 6C47399F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: AdjustPointer$H_prolog3_catchmemcpy
String ID:
API String ID: 738859832-0
Opcode ID: 0bab1574b75c9acd8f9aa0b737d355cd8284eaca4f14b8f066fe1920919eafe0
Instruction ID: 7098844ad5d15addff885f19c5ab6344a531c1f4b2dbe2e8e653461272c01074
Opcode Fuzzy Hash: 0bab1574b75c9acd8f9aa0b737d355cd8284eaca4f14b8f066fe1920919eafe0
Instruction Fuzzy Hash: 7301A1B1004218AAFB25CF11C801FDA3FB4EF8431AF24A40CFC544AAA2C7769995D791

Function 6C4987CF Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C4987D6

Part of subcall function 6C434872: TlsGetValue.KERNEL32(?,6C4348CA,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C43488E

Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C4987ED

Part of subcall function 6C48A0F6: __EH_prolog3.LIBCMT ref: 6C48A0FD
Part of subcall function 6C48A0F6: InterlockedPopEntrySList.KERNEL32(?,00000004,6C498775,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48A11A
Part of subcall function 6C48A0F6: ??2@YAPAXI@Z.MSVCR120(00000074,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215,?,?), ref: 6C48A134

??2@YAPAXI@Z.MSVCR120(00000090,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215,?,?), ref: 6C498826
Concurrency::details::_TaskCollection::_TaskCollection.LIBCMT ref: 6C49883B

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: ??2@H_prolog3Task$Base::CollectionCollection::_Concurrency::details::Concurrency::details::_ContextCreateEntryInterlockedListQueueValueWork
String ID:
API String ID: 1426128297-0
Opcode ID: 739173283d8b0c387560c1afe813116d832354d8b6b2951c260917d8772dfdd0
Instruction ID: 1341020a8d1a21020e90e7c1099ceb29e8c189d7063f7b7d4a67e14ee943a2f8
Opcode Fuzzy Hash: 739173283d8b0c387560c1afe813116d832354d8b6b2951c260917d8772dfdd0
Instruction Fuzzy Hash: 74019E307052219BCB14DA7D8880E9E7FA67F85319F00596EE5218BF80DB70D84487A0

Function 6C4483EE Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__crtGetUserDefaultLocaleName.MSVCR120(?,00000055,0000009C), ref: 6C448415
wcslen.MSVCR120(?,0000009C), ref: 6C448428
wcsncpy_s.MSVCR120(?,00000055,?,00000001,?,0000009C), ref: 6C44843F
_invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0000009C), ref: 6C48044F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: DefaultLocaleNameUser__crt_invoke_watsonwcslenwcsncpy_s
String ID:
API String ID: 2957291394-0
Opcode ID: 4c7cf5a93436f0106b280d10ec083d17692d2a3692410b40dc0c4f157b346059
Instruction ID: a3e2ef896696df2d52c8f2b0acca1108f91b40ed3ae2b2debe24c13115fc686b
Opcode Fuzzy Hash: 4c7cf5a93436f0106b280d10ec083d17692d2a3692410b40dc0c4f157b346059
Instruction Fuzzy Hash: 3701F971A017186BEB10DAB4DD45FEB73ECEB04709F50049EEA09D6680FB74EA484AE1

Function 6C44E996 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock_file.MSVCR120(?,6C44EA10,0000000C,6C44EA44,Function_0001D315,?,?,00000000,?), ref: 6C44E9CC

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

Part of subcall function 6C440477: _fileno.MSVCR120(?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C44047F
Part of subcall function 6C440477: _isatty.MSVCR120(00000000,?,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440485
Part of subcall function 6C440477: __p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C440491
Part of subcall function 6C440477: __p__iob.MSVCR120(0000FFFF,?,?,6C4407F9,-00000020,6C440850,00000010), ref: 6C4404A1

__ftbuf.LIBCMT ref: 6C44E9F2

Part of subcall function 6C44E98E: _unlock_file.MSVCR120(?,6C44EA06), ref: 6C44E98F

_errno.MSVCR120(6C44EA10,0000000C,6C44EA44,Function_0001D315,?,?,00000000,?), ref: 6C475CBA
_invalid_parameter_noinfo.MSVCR120(6C44EA10,0000000C,6C44EA44,Function_0001D315,?,?,00000000,?), ref: 6C475CC5

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob$__ftbuf_errno_fileno_invalid_parameter_noinfo_isatty_lock_lock_file_unlock_file
String ID:
API String ID: 169382274-0
Opcode ID: 295e43e561eb1c12a003468d3a337b1db5bb8cd5727947a99935d2bc34b8c4fb
Instruction ID: 21975ab9f7457f161a3110920da4063fd63f89c1e2227efcf83fe50f23593e99
Opcode Fuzzy Hash: 295e43e561eb1c12a003468d3a337b1db5bb8cd5727947a99935d2bc34b8c4fb
Instruction Fuzzy Hash: C3018F31901246ABEB12DF718C45FEF3A60FF45369F24852CE8209A790DF38C5159BE1

Function 6C45433E Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_lock.MSVCR120(00000001), ref: 6C454345

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

fclose.MSVCR120(?), ref: 6C475369
DeleteCriticalSection.KERNEL32(?), ref: 6C475389
free.MSVCR120(01428870), ref: 6C475397

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_lockfclosefree
String ID:
API String ID: 1929256606-0
Opcode ID: 2c1a5e31c5ca192f389b9bc7d140f4af7eaab95f0abc21c4dec2321edf60a207
Instruction ID: f57dd7592726c368bfe9a21c7058b214117c14985a15d3ddca7965f6a9f70461
Opcode Fuzzy Hash: 2c1a5e31c5ca192f389b9bc7d140f4af7eaab95f0abc21c4dec2321edf60a207
Instruction Fuzzy Hash: B8018C31A052158BEB21DBA99885EDCB7B0AF86325F210149E472DFAE0C7B4C452CBA5

Function 6C49842F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C498436
??0event@Concurrency@@QAE@XZ.MSVCR120(?,?,?,?,?,00000004), ref: 6C49845F

Part of subcall function 6C48B72C: ??0critical_section@Concurrency@@QAE@XZ.MSVCR120(00000000,6C4986D2,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48B73C

Part of subcall function 6C434872: TlsGetValue.KERNEL32(?,6C4348CA,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C43488E

?set@event@Concurrency@@QAEXXZ.MSVCR120(?,?,?,?,?,00000004), ref: 6C498493

Part of subcall function 6C48B922: __EH_prolog3_GS.LIBCMT ref: 6C48B929
Part of subcall function 6C48B922: ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48B950
Part of subcall function 6C48B922: std::exception::exception.LIBCMT(?,00000001,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C48B9D7
Part of subcall function 6C48B922: _CxxThrowException.MSVCR120(?,6C44C7FC,?,00000001,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?), ref: 6C48B9EC
Part of subcall function 6C48B922: ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48BA39
Part of subcall function 6C48B922: _freea_s.MSVCR120(?,?,00000044,6C498727,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?), ref: 6C48BA50

Part of subcall function 6C443AF4: TlsGetValue.KERNEL32(6C443DF7,00000000,00000000,?,?,?,?,?,?,?,6C434938,000000FF), ref: 6C443AFA

Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C4984A9

Part of subcall function 6C48A0F6: __EH_prolog3.LIBCMT ref: 6C48A0FD
Part of subcall function 6C48A0F6: InterlockedPopEntrySList.KERNEL32(?,00000004,6C498775,00000004,6C498840,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215), ref: 6C48A11A
Part of subcall function 6C48A0F6: ??2@YAPAXI@Z.MSVCR120(00000074,?,00000001,?,00000004,6C49931D,?,?,6C48923C,?,?,6C499215,?,?), ref: 6C48A134

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency@@$H_prolog3Value$??0critical_section@??0event@??0scoped_lock@critical_section@??2@?set@event@?unlock@critical_section@Base::Concurrency::details::ContextCreateEntryExceptionH_prolog3_InterlockedListQueueThrowV12@@Work_freea_sstd::exception::exception
String ID:
API String ID: 3177246685-0
Opcode ID: beebb3a27d7cdcc51bdce694d5d5c4d9c803353ff13a9a56fc88042d722543f0
Instruction ID: 796e9682a2307cdcd57a486130bb53e1c5fc42d3df5734bea3efd672b612c69d
Opcode Fuzzy Hash: beebb3a27d7cdcc51bdce694d5d5c4d9c803353ff13a9a56fc88042d722543f0
Instruction Fuzzy Hash: 7D11A8B0901B12AFC704DF3AC580A98FBB0BF48314B90962EC56987F90DB74E568CBC4

Function 6C49BD0B Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,00000000,?,6C473D52,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C49BCC8
free.MSVCR120(?,?,?,00000000,?,6C473D52,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C49BCCF
DeleteCriticalSection.KERNEL32(6C4FFCB0,00000000,?,6C473D52,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C49BCF1
__crtFlsFree.MSVCR120(00000004,6C473D52,6C44CA91,6C431A28,00000008,6C431A5F,?,00000001,?), ref: 6C49BD16

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalDeleteSection$Free__crtfree
String ID:
API String ID: 2230536912-0
Opcode ID: 7000e6e9886056003b52679c0d4feb2c025f0b73454dcf8c95505b7bef083b82
Instruction ID: d0858f57ec5b6cf354a3f4029a3fc62e62ca68e8e58eb459b9e25c8db497e992
Opcode Fuzzy Hash: 7000e6e9886056003b52679c0d4feb2c025f0b73454dcf8c95505b7bef083b82
Instruction Fuzzy Hash: 62F0CD725032319BD630D7159949E1D7BA8AB8133AB25061DD47692B90CF348451CAD0

Function 6C432C8B Relevance: 6.0, APIs: 4, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.MSVCR120(6C432CF0,0000000C), ref: 6C432C9B
_lock.MSVCR120(0000000C,6C432CF0,0000000C), ref: 6C432CB3

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

Part of subcall function 6C432D0C: _unlock.MSVCR120(0000000C,6C432CDF,0000000C), ref: 6C432D0E

_getptd.MSVCR120(6C432CF0,0000000C), ref: 6C47F3D2

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _getptd$CriticalEnterSection_lock_unlock
String ID:
API String ID: 2319614578-0
Opcode ID: bb885cb0ea1798a13b4c0157e86ee57f07be41ae5b4e1a0d3271b2e61aeb7240
Instruction ID: 7be3be34ebbfa2edeafca8c9ffc82b47e523619d304f0746db3d55d5d43ce4a5
Opcode Fuzzy Hash: bb885cb0ea1798a13b4c0157e86ee57f07be41ae5b4e1a0d3271b2e61aeb7240
Instruction Fuzzy Hash: DB01AD32D026259BEB21DBB59405F9D33B06B8872AF10514DD868A7FC1CB785809CBD0

Function 6C44FDBC Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,?,?,?,?,?,?,6C44FE20,0000000C), ref: 6C44FDEA

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fseek_nolock.MSVCR120(?,?,?,?,?,?,?,?,?,6C44FE20,0000000C), ref: 6C44FDF9

Part of subcall function 6C44FE3C: _fileno.MSVCR120(?,?,?,?,?,?,?,6C44FDFE,?,?,?), ref: 6C44FE82
Part of subcall function 6C44FE3C: _lseek.MSVCR120(00000000,?,?,?,?,?,?,6C44FDFE,?,?,?), ref: 6C44FE89

Part of subcall function 6C44FDB4: _unlock_file.MSVCR120(?,6C44FE12), ref: 6C44FDB5

_errno.MSVCR120(?,?,?,?,?,?,6C44FE20,0000000C), ref: 6C475676
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,6C44FE20,0000000C), ref: 6C475681

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fileno_fseek_nolock_invalid_parameter_noinfo_lock_lock_file_lseek_unlock_file
String ID:
API String ID: 4149153117-0
Opcode ID: dafc7c6e6eb92e4bc0ce065d8287736bcc6c0f063fe30abb6f19f2487a9f5acb
Instruction ID: 2d02884f9dde5341f9b8984b2aa6cb681e6f6495d37869e7a41bcf79a60902d7
Opcode Fuzzy Hash: dafc7c6e6eb92e4bc0ce065d8287736bcc6c0f063fe30abb6f19f2487a9f5acb
Instruction Fuzzy Hash: A7F0C232A02605A7FB11DFB58801FDE36619F8136AF358609D4285BB90DB38C905CAE2

Function 6C44F80E Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,?,?,?,?,?,?,6C44F878,0000000C), ref: 6C44F83D
_fwrite_nolock.MSVCR120(?,00000000,00000000,?,?,?,?,?,?,?,6C44F878,0000000C), ref: 6C44F851

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _fwrite_nolock_lock_file
String ID:
API String ID: 3764063476-0
Opcode ID: 139f66ab05ed726522643a60b122a627351cc8f85f586162cd9b76f5b45acccf
Instruction ID: 4b3570709000fa1e11fcd944cf2a30e0bdd4b295a04c82d144e8962af72bb508
Opcode Fuzzy Hash: 139f66ab05ed726522643a60b122a627351cc8f85f586162cd9b76f5b45acccf
Instruction Fuzzy Hash: 98F08131902206ABFB11DF65CC00FEE36A0EF40359F618458E8245EA90DB788515DBE2

Function 6C48ED00 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C48ED20
_CIsqrt.MSVCR120(00000000), ref: 6C48ED25
_CIsqrt.MSVCR120(00000000), ref: 6C48ED36
Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C48ED43

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Climbing::Concurrency::details::HillHistory::IsqrtMeasured$MeanVariance
String ID:
API String ID: 4254205323-0
Opcode ID: c8f21c4303d54cf5046913446c4f038133c5f2b16aee0b502d31622997bec896
Instruction ID: 17d3f2bd988d7b06f3e9a09ce0cbbdb762eac994a548b4ea6dd319f21ad5de8a
Opcode Fuzzy Hash: c8f21c4303d54cf5046913446c4f038133c5f2b16aee0b502d31622997bec896
Instruction Fuzzy Hash: 36F0903890150AD3CF00EFA4D690CEDBBB8EF42311F604999D881A7740CB31C96A87EA

Function 6C42EDD7 Relevance: 6.0, APIs: 4, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3
__amsg_exit.LIBCMT(00000011,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C473BBA
__NMSG_WRITE.LIBCMT ref: 6C473BC9
_errno.MSVCR120(6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C473BDC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalEnterSection__amsg_exit_errno
String ID:
API String ID: 4121137658-0
Opcode ID: ce2a98758c2d5db1f6ec2a06777f0f6d1bf2893e26f30fc640b8e4afe9f6d48a
Instruction ID: 8ab5df5b97c98302be11f3c8488615b6606540a2c2289d21f9b0034480bd37a7
Opcode Fuzzy Hash: ce2a98758c2d5db1f6ec2a06777f0f6d1bf2893e26f30fc640b8e4afe9f6d48a
Instruction Fuzzy Hash: 68F02732284228B6EA20E7299804FD83F689F433AAF00102EE60486ED1CF65904881E5

Function 6C434F9E Relevance: 6.0, APIs: 4, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock_file.MSVCR120(?,?,?,6C434FF8,0000000C), ref: 6C434FCD

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_fclose_nolock.MSVCR120(?,?,?,6C434FF8,0000000C), ref: 6C434FD8

Part of subcall function 6C434F4C: __freebuf.LIBCMT ref: 6C434F6E
Part of subcall function 6C434F4C: _fileno.MSVCR120(?,?,?), ref: 6C434F74
Part of subcall function 6C434F4C: _close.MSVCR120(00000000,?,?,?), ref: 6C434F7A

Part of subcall function 6C435014: _unlock_file.MSVCR120(?,6C434FEF,?,?,6C434FF8,0000000C), ref: 6C435015

_errno.MSVCR120(6C434FF8,0000000C), ref: 6C47541D
_invalid_parameter_noinfo.MSVCR120(6C434FF8,0000000C), ref: 6C475428

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
String ID:
API String ID: 1403730806-0
Opcode ID: 3bbc9718a46ab67d52c156272c28e8c81190507608f06da084b6e9d4403da772
Instruction ID: 040f8676250dc809adc5ff206e2cf590de66d15a2995e6eaf26c4c74a0d67c2f
Opcode Fuzzy Hash: 3bbc9718a46ab67d52c156272c28e8c81190507608f06da084b6e9d4403da772
Instruction Fuzzy Hash: 01F0F0318002219AD711DB768C00FDE3AA02F843BAF19A24CD428AFBD0CB3D86459BE5

Function 6C495BFC Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C495C03
EnterCriticalSection.KERNEL32(?,00000004,6C49AE4B), ref: 6C495C11
List.LIBCMT ref: 6C495C38
LeaveCriticalSection.KERNEL32(?,?), ref: 6C495C4F

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3LeaveList
String ID:
API String ID: 850592863-0
Opcode ID: 8f9f05696471d66de95959f6171b97fd9ede9fd3e442f6c3054c6e3f685f7e37
Instruction ID: 9bb08f8cef9de14cf7547dc2298d3ab858613ec81616ebb82db284cc064f7012
Opcode Fuzzy Hash: 8f9f05696471d66de95959f6171b97fd9ede9fd3e442f6c3054c6e3f685f7e37
Instruction Fuzzy Hash: 6C01FF71611111DFCB08CF20C884EDCBB34BF89311B144299EA529BB82C730EA15CBD4

Function 6C4900FB Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C490102
EnterCriticalSection.KERNEL32(?,00000008,6C48C84E), ref: 6C490114

Part of subcall function 6C48C9DA: TlsSetValue.KERNEL32(?,?), ref: 6C48CA00
Part of subcall function 6C48C9DA: GetCurrentThread.KERNEL32 ref: 6C48CA35
Part of subcall function 6C48C9DA: Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCMT ref: 6C48CA48

LeaveCriticalSection.KERNEL32(?), ref: 6C49014E
SetEvent.KERNEL32(?), ref: 6C49015D

Part of subcall function 6C490245: Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 6C490296

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Concurrency::details::CriticalProxy::SchedulerSection$AdjustAllocationCoreCurrentDecrementEnterEventH_prolog3IncreaseLeaveSubscriptionThreadValue
String ID:
API String ID: 779242910-0
Opcode ID: 67e1a99d8f9bf95d0d6ac4bc1c99dbd21d5729e1fa98a1d44d180a5b1a5eae99
Instruction ID: 23fbf68f5ff160835bfc7ffcae5bbf9efb7932169f336859c750f7bf018bbb65
Opcode Fuzzy Hash: 67e1a99d8f9bf95d0d6ac4bc1c99dbd21d5729e1fa98a1d44d180a5b1a5eae99
Instruction Fuzzy Hash: E3F08C30610264CBDF01DF20C849FED7B35BF4A34AF50815CD956AA681CB768A09CBDA

Function 6C48CDCD Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C48CDD4
CloseHandle.KERNEL32(?,00000004,6C48CB35), ref: 6C48CDF9
CloseHandle.KERNEL32(?,00000004,6C48CB35), ref: 6C48CE10
Concurrency::details::ContextBase::~ContextBase.LIBCMT ref: 6C48CE36

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CloseContextHandle$BaseBase::~Concurrency::details::H_prolog3
String ID:
API String ID: 256686745-0
Opcode ID: 75145ff8604b007460212eb0de1579cdfe204b1a6cf766f23315e484b7bec01f
Instruction ID: 0528ca3becb0af572111e330ff24f7f1367a967223653304eb3bdd832bb496cb
Opcode Fuzzy Hash: 75145ff8604b007460212eb0de1579cdfe204b1a6cf766f23315e484b7bec01f
Instruction Fuzzy Hash: ECF06D70B02710CFDB14EF758584F9ABBE8BF49644F50191DA5AAC7B40CB70D400CBA9

Function 6C43C6DD Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

memmove.MSVCR120(?,00000000,?), ref: 6C43C70C
_errno.MSVCR120 ref: 6C476013
_invalid_parameter_noinfo.MSVCR120 ref: 6C47601D
_errno.MSVCR120 ref: 6C476029

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfomemmove
String ID:
API String ID: 351588475-0
Opcode ID: bb6bcc0fa1ff81361605226a01bf269187570ccc8fff8f92234ccfeaf79458d5
Instruction ID: 4de4a7af9088e00082d579410ab745effdc279b65c10c6c424ead5d1c4da05ee
Opcode Fuzzy Hash: bb6bcc0fa1ff81361605226a01bf269187570ccc8fff8f92234ccfeaf79458d5
Instruction Fuzzy Hash: 5DF0A070601229AAEB21EE69DC08FEE37A5DB48789F000029FC1885A50D374C855CBF2

Function 6C44F9DE Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_lock_file.MSVCR120(?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C44FA01

Part of subcall function 6C434B96: _lock.MSVCR120(?), ref: 6C434BC1

_ftell_nolock.MSVCR120(?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C44FA0C

Part of subcall function 6C44FA4C: _fileno.MSVCR120(?,?,?,?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C44FA78
Part of subcall function 6C44FA4C: _lseek.MSVCR120(00000000,00000000,00000001,?,?,?,?,6C44FA11,?,?,?,?,?,?,?,6C44FA30), ref: 6C44FA95

Part of subcall function 6C44F9D6: _unlock_file.MSVCR120(?,6C44FA23,?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C44F9D7

_errno.MSVCR120(?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C475855
_invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,6C44FA30,0000000C), ref: 6C475860

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_fileno_ftell_nolock_invalid_parameter_noinfo_lock_lock_file_lseek_unlock_file
String ID:
API String ID: 2873353448-0
Opcode ID: aad6daecc026246bc0ee6747ee52deb8ca87aba7f722a492641e8254e2e12b02
Instruction ID: f6608caa392199f010c4aea6343076e35a11d2453c01fdccf9af302b8fc9201e
Opcode Fuzzy Hash: aad6daecc026246bc0ee6747ee52deb8ca87aba7f722a492641e8254e2e12b02
Instruction Fuzzy Hash: 31F0A731912215ABF711DB798801FEE76A0AF40379F31824DD424ABBD0CF7C85058AD1

Function 6C440868 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__p__iob.MSVCR120(6C440850,00000010), ref: 6C440823
__ftbuf.LIBCMT ref: 6C44082F

Part of subcall function 6C44079C: __p__iob.MSVCR120(6C440842,6C440850,00000010), ref: 6C44079C

__p__iob.MSVCR120(6C440850,00000010), ref: 6C44086C
_fputwc_nolock.MSVCR120(0000000A,-00000020,6C440850,00000010), ref: 6C440877

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: __p__iob$__ftbuf_fputwc_nolock
String ID:
API String ID: 2527319753-0
Opcode ID: 55a5116f6ef209720c1df702d86225f0f404466c93ab3b74e924fd5989e55214
Instruction ID: a4ee6ff24f31b1a43482ec024f62959250b209c87b4378433552c6eb0aa9907e
Opcode Fuzzy Hash: 55a5116f6ef209720c1df702d86225f0f404466c93ab3b74e924fd5989e55214
Instruction Fuzzy Hash: F4E0D8B78A42511ABA40D7FA5C02EFC26E0DBA82A8774510DE004D9BC0DF1540450699

Function 6C44DC2C Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

_wfsopen.MSVCR120(?,?,00000080), ref: 6C44DC46
_errno.MSVCR120 ref: 6C44E2E9
_errno.MSVCR120 ref: 6C475EEF
_invalid_parameter_noinfo.MSVCR120 ref: 6C475EF9

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_wfsopen
String ID:
API String ID: 972587971-0
Opcode ID: d620637660ca66bae960d0bd9af8fdd34ac1d04a99c57386e333e1e896d64d61
Instruction ID: cbc0cf1c6fcfb885c00bcdde8fbff4eccd19132ad22fcf057c7b09ea92d48748
Opcode Fuzzy Hash: d620637660ca66bae960d0bd9af8fdd34ac1d04a99c57386e333e1e896d64d61
Instruction Fuzzy Hash: BBE09231741235ABEB11DF69DC00EEA3764EF05754F148025F8549BB10D761D8148BD0

Function 6C49A73D Relevance: 6.0, APIs: 4, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C49A744
free.MSVCR120(?,00000004,6C499F0E), ref: 6C49A771
free.MSVCR120(?,?,00000004,6C499F0E), ref: 6C49A779
free.MSVCR120(?,?,?,00000004,6C499F0E), ref: 6C49A781

Part of subcall function 6C494A30: QueryDepthSList.KERNEL32(6C500EF0,?,?,6C48CE25,00000004,6C48CB35), ref: 6C494A50
Part of subcall function 6C494A30: InterlockedPushEntrySList.KERNEL32(6C500EF0,?,?,?,6C48CE25,00000004,6C48CB35), ref: 6C494A5E

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: free$List$DepthEntryH_prolog3InterlockedPushQuery
String ID:
API String ID: 76379577-0
Opcode ID: 0146d91be2e91b6c6d6fe00e73949a6777853fb08334a36e7be4a219ce5dce34
Instruction ID: 22ba54e2dc8324077bae8c48867c6106906da155b5c9d6d5013998e0a06abe9e
Opcode Fuzzy Hash: 0146d91be2e91b6c6d6fe00e73949a6777853fb08334a36e7be4a219ce5dce34
Instruction Fuzzy Hash: 97E039719017108BCB20DB72C842F9DBBA07F84359F04185CA88516F50CBB66808CBC9

Function 6C49BD25 Relevance: 6.0, APIs: 4, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.MSVCR120(00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49BD27
_set_error_mode.MSVCR120(00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49BD34

Part of subcall function 6C49B3D7: _errno.MSVCR120(?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49B402
Part of subcall function 6C49B3D7: _invalid_parameter_noinfo.MSVCR120(?,6C49BD2C,00000003,6C473BC7,6C434630,00000008,6C44C625,?,?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C49B40D

__NMSG_WRITE.LIBCMT ref: 6C49BD4C
__NMSG_WRITE.LIBCMT ref: 6C49BD56

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _set_error_mode$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1239817535-0
Opcode ID: 3d9d3c69aa371541ae3d22d847cc9a9b9f8a143f2fa0265a8c73b2472cba09d2
Instruction ID: 804b67282622254c74df6338e923504205681f4f06701851fce1300da2158d54
Opcode Fuzzy Hash: 3d9d3c69aa371541ae3d22d847cc9a9b9f8a143f2fa0265a8c73b2472cba09d2
Instruction Fuzzy Hash: F2D09E3129537655F836D2A12422F752B5A4B42A2DF24026DD31198EE1DB81C0885065

Function 6C4C9FBA Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

HDPl, xrefs: 6C4CA2B7
HDPl, xrefs: 6C4CA16A

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: HDPl$HDPl
API String ID: 0-2444948253
Opcode ID: ab9c9f9cd8c0a35341013690c2bed48b3abe3734e66bf8693b8f8d3d32caf717
Instruction ID: ec26538f9296931c1d68eebba50383198a1b093ea2b078e76de06c31da49e063
Opcode Fuzzy Hash: ab9c9f9cd8c0a35341013690c2bed48b3abe3734e66bf8693b8f8d3d32caf717
Instruction Fuzzy Hash: EEA1CB79B056158BDB01CF59C880F9DB7B4EF49319F294229D815E7B60E732EC01CBA2

Function 6C44E071 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_ismbblead.MSVCR120(?,6C500F00,6C500F00,00000000,?,6C44E1FE,6C500F00,00000000,00000000,?,?), ref: 6C44E0BE
_ismbblead.MSVCR120(00000001,6C500F00,6C500F00,00000000,?,6C44E1FE,6C500F00,00000000,00000000,?,?), ref: 6C44E170

Strings

{Dl, xrefs: 6C44E0CC

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _ismbblead
String ID: {Dl
API String ID: 1022365105-572889170
Opcode ID: 85d838b51eb862aed91b8dfc5636f2c0138bdec6ef44faa5f95fa0aca8309c21
Instruction ID: 8171265f121706817bbb845f38348e46b262fe4d805f3e0b1b78497212d2d52c
Opcode Fuzzy Hash: 85d838b51eb862aed91b8dfc5636f2c0138bdec6ef44faa5f95fa0aca8309c21
Instruction Fuzzy Hash: 7151A035149296CFFB15CE298480FA5BBB1EF9631AF38945AD8E247B46D3318483CBD1

Function 6C4526E2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C452875
_invalid_parameter_noinfo.MSVCR120 ref: 6C476565

Strings

d, xrefs: 6C452787

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: d
API String ID: 2959964966-2564639436
Opcode ID: 91d3da0ea7a21b90670d147ac93605097c35879dd0118800b1b1779f68097838
Instruction ID: af03b17b2277ae462fb2d300a2b7768e6292a6dbc8a103958324fd1bd7b5c24d
Opcode Fuzzy Hash: 91d3da0ea7a21b90670d147ac93605097c35879dd0118800b1b1779f68097838
Instruction Fuzzy Hash: CE51A731205340DED731CE5E8494F857FA19B2A268F6C829ED8988B652C73BD45FC7A1

Function 6C44EFAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

Strings

", xrefs: 6C44EFDE

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: eaffb736c70da9831b547ffc88d9b76e9718cc6a2c1efe1c865bc4693b0c627f
Instruction ID: 9aa02f8abdb0d627c24a6fabeda5655476ebd929a4e697dc654f826c0866d9d7
Opcode Fuzzy Hash: eaffb736c70da9831b547ffc88d9b76e9718cc6a2c1efe1c865bc4693b0c627f
Instruction Fuzzy Hash: D421C97554322596FB34CF59D800EB473B4EF85B6BF75C04AEC645BB81EA714982C3A0

Function 6C44AA9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C47CC65

Strings

cpu, xrefs: 6C47CC3E
amp, xrefs: 6C47CC37

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::
String ID: amp$cpu
API String ID: 1333004437-2542064945
Opcode ID: b23a6b97f98f41b89efa1b52247ed0d2cae733127c042a893a35cecb4ea8e1b6
Instruction ID: 6a5e94852e75a544859e09120787229f08352e9ab41ba02d45b0dee08c38d7ae
Opcode Fuzzy Hash: b23a6b97f98f41b89efa1b52247ed0d2cae733127c042a893a35cecb4ea8e1b6
Instruction Fuzzy Hash: 3321E032A41508AFE714DF1CC954FE97BB4EF86355F2481ADE844ABB51DB309A0587A0

Function 6C4BEF67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C4BEF79
DName::DName.LIBCMT ref: 6C4BEFA7

Strings

void, xrefs: 6C4BEFC6

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: NameName::
String ID: void
API String ID: 1333004437-3531332078
Opcode ID: 2663bb93ec0a5c971926836feb89427673f6ea10abe12e0a98eb0a8ca9ea3a43
Instruction ID: be66c0467ba54a48e35cf9b7f0e956cb0549cd6e912f9dc261c37fe87c1bb88e
Opcode Fuzzy Hash: 2663bb93ec0a5c971926836feb89427673f6ea10abe12e0a98eb0a8ca9ea3a43
Instruction Fuzzy Hash: E2115E35644109BAEB08DF64C8D5EEC7F34EF41708F1081ADE845ABB91DF30AA49D6E1

Function 6C453E44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00000003,6C44C7FC,00000000,00000001,?,00000001), ref: 6C453E66
free.MSVCR120(?,?,00000001), ref: 6C453E95

Strings

csm, xrefs: 6C453E47

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: DecodePointerfree
String ID: csm
API String ID: 2443025543-1018135373
Opcode ID: a62f85fa889f7b95df635ef6a35c4cab530f1f0cb1e0e99cfe11576223d1d30f
Instruction ID: 64f596756a917ac2b97cb3b48052cda38b6d81de1833b2890e7b15158b85af76
Opcode Fuzzy Hash: a62f85fa889f7b95df635ef6a35c4cab530f1f0cb1e0e99cfe11576223d1d30f
Instruction Fuzzy Hash: 66F0AF352052018BCB30CE2AD484F0AB7F5AF1021BBA98A1DE5468BF10C720E895C7C1

Function 6C43E050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR120 ref: 6C475CDD
_invalid_parameter_noinfo.MSVCR120 ref: 6C475CE8

Strings

B, xrefs: 6C43E080

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 325f79127ad4fc52a8cc1f41517fe48395ca9ba3899d45f22d069bfb9b173150
Instruction ID: 5c220e46104e8d1c983d828e08fe7c992b81e0be1c8ad4463e0a188de7d8f85c
Opcode Fuzzy Hash: 325f79127ad4fc52a8cc1f41517fe48395ca9ba3899d45f22d069bfb9b173150
Instruction Fuzzy Hash: 2AF06274D0020E9FDF00CF65CC00EEEBBB4FB88324F108225E92866290D73945119FA5

Function 6C49A549 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,6C487870,6C48754C,?,"Il), ref: 6C49A55C

Part of subcall function 6C443A83: GetModuleHandleA.KERNEL32(00000000,74DEF550), ref: 6C443A99
Part of subcall function 6C443A83: GetModuleFileNameW.KERNEL32(6C420000,?,00000104), ref: 6C443AB6
Part of subcall function 6C443A83: LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6C443ACF

Strings

EPl, xrefs: 6C49A56B
"Il, xrefs: 6C49A54D

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: Module$CreateFileHandleLibraryLoadNameThread
String ID: EPl$"Il
API String ID: 2585697695-2676486326
Opcode ID: 4645e3f5d040840e5af1725f09caa2e4ab8e6c3a8ab6ad798a23b087f1700aaa
Instruction ID: 5ab545c5b777451088f451e5fd9744a9fc03af531cbed9b248bfaa13c5d17e85
Opcode Fuzzy Hash: 4645e3f5d040840e5af1725f09caa2e4ab8e6c3a8ab6ad798a23b087f1700aaa
Instruction Fuzzy Hash: F8E065363452246BCB064E9D9C04F9E3B69EFC6A72B164129FA0AC6610C671CC128BE1

Function 6C434B96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR120(?), ref: 6C434BC1

Part of subcall function 6C42EDD7: EnterCriticalSection.KERNEL32(?,?,6C4BE497,0000000E,6C4BE4F8,0000000C,6C42EC8C), ref: 6C42EDF3

EnterCriticalSection.KERNEL32(?), ref: 6C4751C4

Strings

`Ol, xrefs: 6C434BAA

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalEnterSection$_lock
String ID: `Ol
API String ID: 1875928789-2831201217
Opcode ID: dccb735ec33280dedf6b2eaccb2bfa4733faf840dddf08bf9ca86fdbf716ab1b
Instruction ID: 306b48d335487d52693e7e918008b5a469db89e2ddf034e49728c8b0eb7ce4f2
Opcode Fuzzy Hash: dccb735ec33280dedf6b2eaccb2bfa4733faf840dddf08bf9ca86fdbf716ab1b
Instruction Fuzzy Hash: 6EE02633904324478B28D56C8889EC9BB7CEB44352342492EE999CBA80DA22E84487D4

Function 6C434B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

_unlock.MSVCR120(?), ref: 6C434B8E

Part of subcall function 6C42EDFC: LeaveCriticalSection.KERNEL32(?,6C431CC7,0000000D,6C431C60), ref: 6C42EE09

LeaveCriticalSection.KERNEL32(?), ref: 6C4751E2

Strings

`Ol, xrefs: 6C434B73

Memory Dump Source

Source File: 0000000F.00000002.1781974313.000000006C421000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C420000, based on PE: true

Associated: 0000000F.00000002.1781946753.000000006C420000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782115949.000000006C4FF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782136139.000000006C501000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782163378.000000006C505000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782192035.000000006C506000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000F.00000002.1782230540.000000006C507000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6c420000_runshelldraw_x86.jbxd

Similarity

API ID: CriticalLeaveSection$_unlock
String ID: `Ol
API String ID: 203654640-2831201217
Opcode ID: d0acbd4c368bbce2a0ecb2364635fb2ffe0ae784cd4ffaf6950265ad29147f54
Instruction ID: 0476a1c63be948b72bb08b7e3d78da96f56237e48e0c9a3409e9a9e60215aa1e
Opcode Fuzzy Hash: d0acbd4c368bbce2a0ecb2364635fb2ffe0ae784cd4ffaf6950265ad29147f54
Instruction Fuzzy Hash: A3D02B73A1430547DB38C6B99C8AE9C736DD6441333118E1DE80CCBED1DA21E44085E9

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SBSLMD5qhm.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6ed163.rbs

C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

C:\Program Files (x86)\letsvpn\LetsPRO.exe

C:\Program Files (x86)\letsvpn\Update.exe

C:\Program Files (x86)\letsvpn\app-3.9.1\CommunityToolkit.Mvvm.dll

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.MsDelta.dll

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.PatchApi.dll

C:\Program Files (x86)\letsvpn\app-3.9.1\DeltaCompressionDotNet.dll

C:\Program Files (x86)\letsvpn\app-3.9.1\FontAwesome.WPF.dll

Windows Analysis Report
SBSLMD5qhm.msi

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre