Edit tour

Windows Analysis Report
740d3a.msi

Overview

General Information

Sample name:	740d3a.msi
Analysis ID:	1559267
MD5:	64a6cf00b80fe77c16f6da137dd7a9d1
SHA1:	f9365c7876ac8934a48237499cf8774fe78ea196
SHA256:	630acefe136ea2e4bb95211a214e4829d8cb59d4d948b09221e61acd278854bf
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

Creates autostart registry keys with suspicious names

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal Bitcoin Wallet information

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PowerShell Script Run in AppData

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

msiexec.exe (PID: 8108 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 8408 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

SrTasks.exe (PID: 7812 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:8 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

msiexec.exe (PID: 5780 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5A82BF8611EA627E788B63841849825E MD5: 9D09DC1EDA745A5F87553048E57620CF)

aipackagechainer.exe (PID: 7804 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe" MD5: 2C0130F614EA8C240320EC47D0008EEA)

Vista Software.exe (PID: 2660 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" MD5: 35135E7F357C522D07DDD87307C0345C)

Vista Software.tmp (PID: 3200 cmdline: "C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp" /SL5="$40454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" MD5: 584586C0CF548DB94F76F124046D58D9)

Vista Software.exe (PID: 1744 cmdline: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT MD5: 35135E7F357C522D07DDD87307C0345C)

Vista Software.tmp (PID: 1284 cmdline: "C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp" /SL5="$50454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT MD5: 584586C0CF548DB94F76F124046D58D9)

cmd.exe (PID: 4656 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9248 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9260 cmdline: find /I "wrsa.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

cmd.exe (PID: 9308 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9368 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9376 cmdline: find /I "opssvc.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

cmd.exe (PID: 9420 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9480 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9488 cmdline: find /I "avastui.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

cmd.exe (PID: 9528 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9584 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9592 cmdline: find /I "avgui.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

cmd.exe (PID: 9632 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9692 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9700 cmdline: find /I "nswscsvc.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

cmd.exe (PID: 9740 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 9800 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 9808 cmdline: find /I "sophoshealth.exe" MD5: AE3F3DC3ED900F2A582BAD86A764508C)

file.exe (PID: 9852 cmdline: "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)

cmd.exe (PID: 9536 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\kwZvl2ZDr.a3x && del C:\ProgramData\\kwZvl2ZDr.a3x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

PING.EXE (PID: 9704 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

file.exe (PID: 9668 cmdline: file.exe C:\ProgramData\\kwZvl2ZDr.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 9840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

powershell.exe (PID: 824 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8876 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6352 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

AutoIt3.exe (PID: 8876 cmdline: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 2140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 9932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)

AutoIt3.exe (PID: 5780 cmdline: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 9256 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000003A.00000002.1895490189.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000038.00000002.2180979684.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 7804, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 824, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\clithe\file.exe, ProcessId: 9668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eeacadf

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 7804, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 824, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe, ParentProcessId: 7804, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10", ProcessId: 824, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 888, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 9932, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:34:52.363431+0100	2035595	1	Domain Observed Used for C2 Detected	167.114.47.186	56001	192.168.11.20	49711	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\reclosable_is1

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.44.201.15:443 -> 192.168.11.20:49701 version: TLS 1.2

Source:	Binary string: winload_prod.pdbx source: SrTasks.exe, 00000005.00000002.1135332325.00000140CB49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmp, aipackagechainer.exe, 00000008.00000000.1025564632.00000000002E7000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: winload_prod.pdb^yn# source: SrTasks.exe, 00000005.00000003.1105177448.00000140C99E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbic source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: SrTasks.exe, 00000005.00000002.1135046185.00000140CB442000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB1 source: SrTasks.exe, 00000005.00000002.1135332325.00000140CB49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: SrTasks.exe, 00000005.00000003.1105177448.00000140C99E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbrjF source: SrTasks.exe, 00000005.00000003.1104903628.00000140C98E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBb source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbrs\*\AppData\Local:` source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00274320 FindFirstFileW,FindClose,FindClose,	8_2_00274320
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00266BA0 FindFirstFileW,GetLastError,FindClose,	8_2_00266BA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0025B5A0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	8_2_0025B5A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0025DD10 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	8_2_0025DD10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0028AC60 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	8_2_0028AC60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002CCCF0 FindFirstFileExW,	8_2_002CCCF0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00280E10 FindFirstFileW,FindClose,	8_2_00280E10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00289440 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	8_2_00289440
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00289880 FindFirstFileW,FindClose,	8_2_00289880
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00241950 FindFirstFileW,FindNextFileW,FindClose,	8_2_00241950
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00263B60 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	8_2_00263B60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00267DF0 FindFirstFileW,FindClose,	8_2_00267DF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FEC0D2 FindFirstFileExW,	55_2_00FEC0D2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	55_2_0101E180
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	55_2_0102A187
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	55_2_0102A2E4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	55_2_0102A66E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101E9BA GetFileAttributesW,FindFirstFileW,FindClose,	55_2_0101E9BA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102686D FindFirstFileW,FindNextFileW,FindClose,	55_2_0102686D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01027591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	55_2_01027591
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_010274F0 FindFirstFileW,FindClose,	55_2_010274F0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	55_2_0101DE32
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012426B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	55_2_012426B5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012427BD FindFirstFileA,GetLastError,	55_2_012427BD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0123FFE5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	55_2_0123FFE5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0060C0D2 FindFirstFileExW,	57_2_0060C0D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	57_2_0063E180
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	57_2_0064A187
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	57_2_0064A2E4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	57_2_0064A66E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064686D FindFirstFileW,FindNextFileW,FindClose,	57_2_0064686D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063E9BA GetFileAttributesW,FindFirstFileW,FindClose,	57_2_0063E9BA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_006474F0 FindFirstFileW,FindClose,	57_2_006474F0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00647591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	57_2_00647591
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	57_2_0063DE32
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169C7ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	57_2_0169C7ED
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169A11D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	57_2_0169A11D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169C8F5 FindFirstFileA,GetLastError,	57_2_0169C8F5

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002880E0 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

8_2_002880E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 167.114.47.186:56001 -> 192.168.11.20:49711

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: global traffic

TCP traffic: 192.168.11.20:49711 -> 167.114.47.186:56001

Source: Joe Sandbox View

IP Address: 167.114.47.186 167.114.47.186

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.46.128
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.18
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.18
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.20.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.17
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.47.186

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0102D935 InternetReadFile,SetEvent,GetLastError,SetEvent,

55_2_0102D935

Source: global traffic

HTTP traffic detected: GET /r/r1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000000D.00000002.1111749554.0000000007370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 0000000D.00000002.1111749554.0000000007328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab6
Source: powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 0000000D.00000002.1123205050.0000000008814000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1123205050.00000000087F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: Vista Software.exe, 00000009.00000000.1030398261.0000000000A21000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1123205050.00000000087F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Vista Software.exe, 00000009.00000003.1032807752.000000000366F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000009.00000003.1034717219.000000007F77B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 0000000A.00000000.1038233720.0000000000841000.00000020.00000001.01000000.00000009.sdmp, Vista Software.tmp, 0000000C.00000000.1048572672.0000000000B9D000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Vista Software.exe, 00000009.00000003.1032807752.000000000366F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000009.00000003.1034717219.000000007F77B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 0000000A.00000000.1038233720.0000000000841000.00000020.00000001.01000000.00000009.sdmp, Vista Software.tmp, 0000000C.00000000.1048572672.0000000000B9D000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 23.44.201.15:443 -> 192.168.11.20:49701 version: TLS 1.2

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0102F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

55_2_0102F664

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		55_2_0102F8D3
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		57_2_0064F8D3

Source: C:\Users\user\AppData\Local\clithe\file.exe

55_2_0102F664

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_00FC4B74 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

55_2_00FC4B74

Source: SrTasks.exe, 00000005.00000003.1104646781.00000140C97E0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: #_WinAPI_RegisterRawInputDevices.au3

memstr_07419e5d-2

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01049FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		55_2_01049FB4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00669FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		57_2_00669FB4

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_012543B1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

55_2_012543B1

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01257839 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		55_2_01257839
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B1971 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		57_2_016B1971

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0101E3CB: CreateFileW,DeviceIoControl,CloseHandle,

55_2_0101E3CB

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0101230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

55_2_0101230F

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024C3A0 GetForegroundWindow,MessageBoxW,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,ExitWindowsEx,CloseHandle,	8_2_0024C3A0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	55_2_0101F76E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	57_2_0063F76E

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\549e0c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2A1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA30F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA38D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA44A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA499.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA546.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\549e0f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\549e0f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA70C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA893.tmp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIA1F4.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024AB00	8_2_0024AB00
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0027FF10	8_2_0027FF10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AE090	8_2_002AE090
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002BA0D0	8_2_002BA0D0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002A8100	8_2_002A8100
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002415F0	8_2_002415F0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AA410	8_2_002AA410
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AA4B0	8_2_002AA4B0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AE490	8_2_002AE490
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024E540	8_2_0024E540
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00272540	8_2_00272540
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AC5C0	8_2_002AC5C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AE640	8_2_002AE640
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AC6E0	8_2_002AC6E0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024E870	8_2_0024E870
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00252940	8_2_00252940
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002A4A50	8_2_002A4A50
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024EAA0	8_2_0024EAA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002D0D6D	8_2_002D0D6D
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B4E00	8_2_002B4E00
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002C8E60	8_2_002C8E60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00299050	8_2_00299050
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002A3190	8_2_002A3190
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002C91C0	8_2_002C91C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0026F270	8_2_0026F270
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002AF400	8_2_002AF400
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0029D6F0	8_2_0029D6F0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00245930	8_2_00245930
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002ADA30	8_2_002ADA30
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002BDACC	8_2_002BDACC
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00297CA0	8_2_00297CA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0029FD20	8_2_0029FD20
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0026DDB0	8_2_0026DDB0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0026DEC0	8_2_0026DEC0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002BDF0B	8_2_002BDF0B
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FB7070	55_2_00FB7070
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FC3AD9	55_2_00FC3AD9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FEE32F	55_2_00FEE32F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD24CA	55_2_00FD24CA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FE6599	55_2_00FE6599
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD29E3	55_2_00FD29E3
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FDC9C0	55_2_00FDC9C0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0103C844	55_2_0103C844
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FCCBF0	55_2_00FCCBF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01022D81	55_2_01022D81
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FE6C09	55_2_00FE6C09
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FBCE20	55_2_00FBCE20
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FBEE00	55_2_00FBEE00
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD2F23	55_2_00FD2F23
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FCF0DA	55_2_00FCF0DA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01019168	55_2_01019168
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0104525A	55_2_0104525A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FCD37F	55_2_00FCD37F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD7746	55_2_00FD7746
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD7975	55_2_00FD7975
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD1964	55_2_00FD1964
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD7BD2	55_2_00FD7BD2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FBDC70	55_2_00FBDC70
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FE9D1E	55_2_00FE9D1E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD1FC1	55_2_00FD1FC1
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0125718A	55_2_0125718A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01257191	55_2_01257191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_02EA4AF8	56_2_02EA4AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_02EA4AD5	56_2_02EA4AD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_02EA1DA8	56_2_02EA1DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_02EA1DB8	56_2_02EA1DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06404C20	56_2_06404C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640C220	56_2_0640C220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640DF68	56_2_0640DF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06403728	56_2_06403728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06404C11	56_2_06404C11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640C211	56_2_0640C211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640A2F0	56_2_0640A2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640A300	56_2_0640A300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06408843	56_2_06408843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06408850	56_2_06408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_0640B903	56_2_0640B903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06425730	56_2_06425730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06423420	56_2_06423420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06425739	56_2_06425739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06423410	56_2_06423410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06422D45	56_2_06422D45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_064252DD	56_2_064252DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_06425805	56_2_06425805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_064251DE	56_2_064251DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 56_2_064251E7	56_2_064251E7
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005D7070	57_2_005D7070
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005E3AD9	57_2_005E3AD9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0060E32F	57_2_0060E32F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F24CA	57_2_005F24CA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00606599	57_2_00606599
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0065C844	57_2_0065C844
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005FC9C0	57_2_005FC9C0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F29E3	57_2_005F29E3
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005ECBF0	57_2_005ECBF0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00606C09	57_2_00606C09
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00642D81	57_2_00642D81
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005DEE00	57_2_005DEE00
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005DCE20	57_2_005DCE20
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F2F23	57_2_005F2F23
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005EF0DA	57_2_005EF0DA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00639168	57_2_00639168
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0066525A	57_2_0066525A
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005ED37F	57_2_005ED37F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F7746	57_2_005F7746
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F7975	57_2_005F7975
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F1964	57_2_005F1964
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F7BD2	57_2_005F7BD2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005DDC70	57_2_005DDC70
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00609D1E	57_2_00609D1E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F1FC1	57_2_005F1FC1
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C9	57_2_016B12C9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C2	57_2_016B12C2

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 002B5540 appears 55 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 00245680 appears 66 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 00245350 appears 67 times
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: String function: 002439B0 appears 49 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 005DFA3B appears 33 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 005F488E appears 33 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 005F014F appears 40 times
Source: C:\dbgbkfc\AutoIt3.exe	Code function: String function: 005F1000 appears 41 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 00FD1000 appears 41 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 00FD014F appears 40 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 00FD488E appears 33 times
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: String function: 00FBFA3B appears 33 times

Source: Vista Software.tmp.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Vista Software.tmp.11.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-T9NMH.tmp.12.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Vista Software.tmp.9.dr	Static PE information: Number of sections : 11 > 10
Source: Vista Software.tmp.11.dr	Static PE information: Number of sections : 11 > 10
Source: is-T9NMH.tmp.12.dr	Static PE information: Number of sections : 11 > 10
Source: Vista Software.exe.7.dr	Static PE information: Number of sections : 11 > 10

Source: 55.2.file.exe.3ee2f24.1.raw.unpack, IdentifierAuthenticationMapper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 55.2.file.exe.3ee2f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 55.2.file.exe.3ee2f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57.2.AutoIt3.exe.4772f24.1.raw.unpack, IdentifierAuthenticationMapper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57.2.AutoIt3.exe.4772f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 57.2.AutoIt3.exe.4772f24.1.raw.unpack, TokenValListener.cs	Cryptographic APIs: 'CreateDecryptor'

Source: SrTasks.exe, 00000005.00000002.1134260436.00000140CB2A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AutoItX.sln
Source: SrTasks.exe, 00000005.00000003.1104646781.00000140C97E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AutoItX.sln~<<

Source: classification engine

Classification label: mal96.troj.spyw.evad.winMSI@86/67@1/2

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_00269710 FormatMessageW,GetLastError,

8_2_00269710

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_010121C9 AdjustTokenPrivileges,CloseHandle,	55_2_010121C9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_010127D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	55_2_010127D9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_006321C9 AdjustTokenPrivileges,CloseHandle,	57_2_006321C9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_006327D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	57_2_006327D9

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_0028A8A0 GetDiskFreeSpaceExW,

8_2_0028A8A0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0101E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle,

55_2_0101E2AB

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_00294B00 CoCreateInstance,

8_2_00294B00

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_00262720 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

8_2_00262720

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Installer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\fe5d05a685
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9648:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9640:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9316:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9316:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9748:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9428:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9640:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF766EBEFD2708DDD6.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\clithe\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\dbgbkfc\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\dbgbkfc\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

File read: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:8
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5A82BF8611EA627E788B63841849825E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp" /SL5="$40454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp" /SL5="$50454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Local\clithe\file.exe "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\kwZvl2ZDr.a3x && del C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\dbgbkfc\AutoIt3.exe "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\dbgbkfc\AutoIt3.exe "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5A82BF8611EA627E788B63841849825E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp" /SL5="$40454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp "C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp" /SL5="$50454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Local\clithe\file.exe "C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\kwZvl2ZDr.a3x && del C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\clithe\file.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll

Source: C:\Windows\System32\SrTasks.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{883FF1FC-09E1-48e5-8E54-E2469ACB0CFD}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\reclosable_is1

Jump to behavior

Source: 740d3a.msi

Static file information: File size 6722560 > 1048576

Source:	Binary string: winload_prod.pdbx source: SrTasks.exe, 00000005.00000002.1135332325.00000140CB49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmp, aipackagechainer.exe, 00000008.00000000.1025564632.00000000002E7000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: winload_prod.pdb^yn# source: SrTasks.exe, 00000005.00000003.1105177448.00000140C99E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbic source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: SrTasks.exe, 00000005.00000002.1135046185.00000140CB442000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB1 source: SrTasks.exe, 00000005.00000002.1135332325.00000140CB49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: SrTasks.exe, 00000005.00000003.1105177448.00000140C99E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbrjF source: SrTasks.exe, 00000005.00000003.1104903628.00000140C98E0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBb source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbrs\*\AppData\Local:` source: SrTasks.exe, 00000005.00000003.1124144652.00000140C8A3F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 55.2.file.exe.3ee2f24.1.raw.unpack, TokenValListener.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 57.2.AutoIt3.exe.4772f24.1.raw.unpack, TokenValListener.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002698C0 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

8_2_002698C0

Source: Vista Software.tmp.9.dr	Static PE information: real checksum: 0x0 should be: 0x37b358
Source: Vista Software.tmp.11.dr	Static PE information: real checksum: 0x0 should be: 0x37b358
Source: is-T9NMH.tmp.12.dr	Static PE information: real checksum: 0x0 should be: 0x3817ca
Source: aipackagechainer.exe.7.dr	Static PE information: real checksum: 0xe3b49 should be: 0xe4c7b
Source: Vista Software.exe.7.dr	Static PE information: real checksum: 0x85f640a should be: 0x33372a

Source: MSIA499.tmp.1.dr	Static PE information: section name: .didat
Source: MSIA499.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA70C.tmp.1.dr	Static PE information: section name: .didat
Source: MSIA70C.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA1F4.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA2A1.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA30F.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA38D.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIA44A.tmp.1.dr	Static PE information: section name: .fptable
Source: Vista Software.exe.7.dr	Static PE information: section name: .didata
Source: aipackagechainer.exe.7.dr	Static PE information: section name: .didat
Source: aipackagechainer.exe.7.dr	Static PE information: section name: .fptable
Source: Vista Software.tmp.9.dr	Static PE information: section name: .didata
Source: Vista Software.tmp.11.dr	Static PE information: section name: .didata
Source: is-T9NMH.tmp.12.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B1054 push edi; ret	8_2_002B105F
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B512D push ecx; ret	8_2_002B5140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04776A5D push esp; ret	13_2_04776A83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04DB2E85 pushfd ; ret	15_2_04DB2E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04DB3A4B push ebx; retf	15_2_04DB3AEA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD1046 push ecx; ret	55_2_00FD1059
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01258186 push 0125820Dh; ret	55_2_01258205
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012581E1 push 0125820Dh; ret	55_2_01258205
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012541C7 push 01254246h; ret	55_2_0125423E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012541C9 push 01254246h; ret	55_2_0125423E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012581D9 push 0125820Dh; ret	55_2_01258205
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256351 push 0125637Dh; ret	55_2_01256375
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01258219 push 0125823Fh; ret	55_2_01258237
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012525A5 push 012525D1h; ret	55_2_012525C9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256599 push 012565E5h; ret	55_2_012565DD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256945 push 01256988h; ret	55_2_01256980
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256944 push 01256988h; ret	55_2_01256980
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012568ED push 01256921h; ret	55_2_01256919
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012568F5 push 01256921h; ret	55_2_01256919
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01240B55 push 01240BA6h; ret	55_2_01240B9E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01242A79 push ecx; mov dword ptr [esp], eax	55_2_01242A7A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256D75 push 01256DB8h; ret	55_2_01256DB0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01256D74 push 01256DB8h; ret	55_2_01256DB0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01240D9D push 01240DC9h; ret	55_2_01240DC1
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01240DD5 push 01240E01h; ret	55_2_01240DF9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01250F0D push 01250FB8h; ret	55_2_01250FB0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01250F0B push 01250FB8h; ret	55_2_01250FB0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01250FBD push 0125104Dh; ret	55_2_01251045
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01254F8D push 01254FD9h; ret	55_2_01254FD1
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01254FE5 push 01255011h; ret	55_2_01255009
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01255135 push 01255161h; ret	55_2_01255159

Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\Temp\is-ID1JF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA499.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2A1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA44A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\clithe\file.exe	File created: C:\dbgbkfc\AutoIt3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\is-T9NMH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\file.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA70C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QVJTJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	File created: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA38D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	File created: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	File created: C:\Users\user\AppData\Local\clithe\is-IOH31.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA30F.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA499.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2A1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA44A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA70C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA38D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA30F.tmp	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\clithe\file.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce eeacadf

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01042558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	55_2_01042558
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FC5D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	55_2_00FC5D03
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00662558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	57_2_00662558
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005E5D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	57_2_005E5D03

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\dbgbkfc\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\dbgbkfc\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5030000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4F90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 31F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9843	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9925
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 9922

Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ID1JF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA499.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA44A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA2A1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\clithe\is-T9NMH.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA70C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QVJTJ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA38D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA30F.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_8-56329

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_8-56740

Source: C:\Users\user\AppData\Local\clithe\file.exe	API coverage: 5.6 %
Source: C:\dbgbkfc\AutoIt3.exe	API coverage: 5.5 %

Source: C:\Windows\System32\SrTasks.exe TID: 3056	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3188	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep count: 9869 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9256	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 9996	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2788	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6740	Thread sleep count: 9922 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1140	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00274320 FindFirstFileW,FindClose,FindClose,	8_2_00274320
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00266BA0 FindFirstFileW,GetLastError,FindClose,	8_2_00266BA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0025B5A0 FindFirstFileW,CreateFileW,SetFilePointer,ReadFile,CloseHandle,GetModuleFileNameW,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	8_2_0025B5A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0025DD10 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	8_2_0025DD10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0028AC60 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	8_2_0028AC60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002CCCF0 FindFirstFileExW,	8_2_002CCCF0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00280E10 FindFirstFileW,FindClose,	8_2_00280E10
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00289440 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	8_2_00289440
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00289880 FindFirstFileW,FindClose,	8_2_00289880
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00241950 FindFirstFileW,FindNextFileW,FindClose,	8_2_00241950
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00263B60 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	8_2_00263B60
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_00267DF0 FindFirstFileW,FindClose,	8_2_00267DF0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FEC0D2 FindFirstFileExW,	55_2_00FEC0D2
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	55_2_0101E180
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	55_2_0102A187
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	55_2_0102A2E4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	55_2_0102A66E
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101E9BA GetFileAttributesW,FindFirstFileW,FindClose,	55_2_0101E9BA
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0102686D FindFirstFileW,FindNextFileW,FindClose,	55_2_0102686D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01027591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	55_2_01027591
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_010274F0 FindFirstFileW,FindClose,	55_2_010274F0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0101DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	55_2_0101DE32
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012426B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	55_2_012426B5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012427BD FindFirstFileA,GetLastError,	55_2_012427BD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0123FFE5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	55_2_0123FFE5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0060C0D2 FindFirstFileExW,	57_2_0060C0D2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	57_2_0063E180
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	57_2_0064A187
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	57_2_0064A2E4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	57_2_0064A66E
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0064686D FindFirstFileW,FindNextFileW,FindClose,	57_2_0064686D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063E9BA GetFileAttributesW,FindFirstFileW,FindClose,	57_2_0063E9BA
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_006474F0 FindFirstFileW,FindClose,	57_2_006474F0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00647591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	57_2_00647591
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0063DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	57_2_0063DE32
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169C7ED FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	57_2_0169C7ED
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169A11D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	57_2_0169A11D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_0169C8F5 FindFirstFileA,GetLastError,	57_2_0169C8F5

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002880E0 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

8_2_002880E0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002B16FD VirtualQuery,GetSystemInfo,

8_2_002B16FD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.610_none_dec94c194a7d9cf6107572b3Hs
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.1_none_0d51a8a399d5452c
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda>
Source: SrTasks.exe, 00000005.00000003.1119576190.00000140C867B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msft_neteventvmnetworkadatper.format.ps1xmlLMEMX
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24cy
Source: SrTasks.exe, 00000005.00000003.1019699123.00000140C6DF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processset.psd122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\syswow64\windowspowershell\v1.0\modules\neteventpacketcapture$$msft_neteventvmnetworkadatper.cdxml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\66windows\syswow64\windowspowershell\v1.0\modules\iscsi
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.1_none_30a02f8ac0551efb
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1165_none_a5220d9b1aae684eeb
Source: file.exe, AutoIt3.exe	Binary or memory string: microsoft hyper-v video
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127a3525d6
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1_none_914c74df26ba9a96
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-us_78dfc47123c58895
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d53a06>
Source: SrTasks.exe, 00000005.00000003.1019699123.00000140C6DF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processset.psd122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\system32\windowspowershell\v1.0\modules\neteventpacketcapture$$msft_neteventvmnetworkadatper.cdxml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\66windows\system32\windowspowershell\v1.0\modules\iscsi
Source: SrTasks.exe, 00000005.00000003.1019699123.00000140C77F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows.devices.winmd22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\ttwindows\syswow64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\dscresources\msft_processresource\en-gb msft_processresource.schema.mfl22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\syswow64\windowspowershell\v1.0\modules\neteventpacketcapture,,msft_neteventvmnetworkadatper.format.ps1xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8ED1000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1078718157.00000140C8EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1_none_b6a6a2ae8b1ec7b0
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2f0cffQf
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-us_7f1134951b6fe2f2
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1_none_3a58d94ffaa9d897k
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96z
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1_none_e64260e504e2ce32I
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.1_none_e9372a65640b0bcf5c8b5
Source: SrTasks.exe, 00000005.00000003.1119576190.00000140C867B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msft_neteventvmnetworkadatper.format.ps1xmlLMEMX
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1_none_eb319bc9ff262eec
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981
Source: AutoIt3.exe	Binary or memory string: vmware
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.1_none_ab3c0ef9f5d858c0
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790
Source: SrTasks.exe, 00000005.00000003.1091747372.00000140CAE50000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1092804079.00000140CAE50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1_none_884ef285596dd5949487ebd5
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1_none_ba0c8961643f1b8b
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6=
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1_none_ec871523fe4a3c37Y
Source: SrTasks.exe, 00000005.00000003.1019699123.00000140C77F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows.devices.winmd22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\ttwindows\system32\windowspowershell\v1.0\modules\psdesiredstateconfiguration\dscresources\msft_processresource\en-gb msft_processresource.schema.mfl22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\system32\windowspowershell\v1.0\modules\neteventpacketcapture,,msft_neteventvmnetworkadatper.format.ps1xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1_none_29421b2ffbc5ca5c
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.19041.1_none_30c4d3b8c03afdd6
Source: SrTasks.exe, 00000005.00000003.1105652236.00000140CC9A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmdebug.dll
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.928_none_8573a187d4da526f_4b77111169c26d4a
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.1_none_47b46fcdda46dc1d
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.928_none_1fa9f09ad10e24e0
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd34c771f203a.
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2cX
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13ba91fq
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5H
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586
Source: SrTasks.exe, 00000005.00000003.1082945400.00000140CABE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea1649aca3}
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1081_none_ab73ed7a140b868c639767ry
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1_none_f4c869717eb5b208
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.928_none_b96c565fe61a4dfa
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611
Source: SrTasks.exe, 00000005.00000002.1136747149.00000140CB6F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmdebug.dll2
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.928_none_e22c6ae2239eceef.`J
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272ddj
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1052_none_aa1b5c7a14ea46dd96271a64
Source: SrTasks.exe, 00000005.00000003.1111584878.00000140C825C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msft_neteventvmnetworkadatper.cdxmlLMEMH
Source: SrTasks.exe, 00000005.00000002.1133946144.00000140CB20A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac879'
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379y
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1_none_e5031cd2031d874aZ
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_8d8c2e85b98ddf69bcd8
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.19041.1_en-us_1a380741b2ac7b048a5c
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.928_none_1ce84af23e15656cTe
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1_none_3f6b6ada79aa7a69
Source: SrTasks.exe, 00000005.00000003.1110648359.00000140C81BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msft_neteventvmnetworkadatper.cdxmlLMEMHp
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.1_en-us_c92f752e3f016999
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1_none_5d53c007157a9f0b
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2W
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1_none_f78a0f1a11ae717c/
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.19041.1_none_8b74d6c4b2fcd095;
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955
Source: SrTasks.exe, 00000005.00000002.1136747149.00000140CB6F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmdebug.dll^
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8Rv
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.928_none_0d22fe52c27d3aaevt
Source: SrTasks.exe, 00000005.00000003.1098023066.00000140CB120000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1098350547.00000140CB120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1165_none_f9388606107572b39w
Source: SrTasks.exe, 00000005.00000003.1105652236.00000140CC9A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmdebug.dll\|<
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61
Source: SrTasks.exe, 00000005.00000003.1091747372.00000140CAE50000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1092804079.00000140CAE50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0-U
Source: SrTasks.exe, 00000005.00000003.1076846697.00000140C8E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_012514A7 LdrInitializeThunk,

55_2_012514A7

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0102F607 BlockInput,

55_2_0102F607

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002B5342 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_002B5342

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_0026AAA0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

8_2_0026AAA0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002698C0 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

8_2_002698C0

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B1EBE mov esi, dword ptr fs:[00000030h]	8_2_002B1EBE
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD4BF4 mov eax, dword ptr fs:[00000030h]	55_2_00FD4BF4
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0125718A mov eax, dword ptr fs:[00000030h]	55_2_0125718A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_0125718A mov eax, dword ptr fs:[00000030h]	55_2_0125718A
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01257191 mov eax, dword ptr fs:[00000030h]	55_2_01257191
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01257191 mov eax, dword ptr fs:[00000030h]	55_2_01257191
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012512A5 mov eax, dword ptr fs:[00000030h]	55_2_012512A5
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_012630FE mov eax, dword ptr fs:[00000030h]	55_2_012630FE
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F4BF4 mov eax, dword ptr fs:[00000030h]	57_2_005F4BF4
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016AB3DD mov eax, dword ptr fs:[00000030h]	57_2_016AB3DD
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C9 mov eax, dword ptr fs:[00000030h]	57_2_016B12C9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C9 mov eax, dword ptr fs:[00000030h]	57_2_016B12C9
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C2 mov eax, dword ptr fs:[00000030h]	57_2_016B12C2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016B12C2 mov eax, dword ptr fs:[00000030h]	57_2_016B12C2
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_016BD236 mov eax, dword ptr fs:[00000030h]	57_2_016BD236

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002B1F2A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

8_2_002B1F2A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B4433 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002B4433
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_0024CEA0 SetUnhandledExceptionFilter,	8_2_0024CEA0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B5342 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_002B5342
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B54CF SetUnhandledExceptionFilter,	8_2_002B54CF
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: 8_2_002B96A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_002B96A3
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FE2446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_00FE2446
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD0E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	55_2_00FD0E4D
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD0F9F SetUnhandledExceptionFilter,	55_2_00FD0F9F
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_00FD11EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	55_2_00FD11EE
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00602446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	57_2_00602446
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F0E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	57_2_005F0E4D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F0F9F SetUnhandledExceptionFilter,	57_2_005F0F9F
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_005F11EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	57_2_005F11EE

Source: C:\Users\user\AppData\Local\clithe\file.exe

Memory protected: page readonly | page read and write | page guard

Source: C:\Users\user\AppData\Local\clithe\file.exe

55_2_0101230F

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_0028E3A0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,

8_2_0028E3A0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_0101C078 SendInput,keybd_event,

55_2_0101C078

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_01032E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

55_2_01032E89

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	Process created: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe "C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\kwZvl2ZDr.a3x && del C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\clithe\file.exe file.exe C:\ProgramData\\kwZvl2ZDr.a3x
Source: C:\Users\user\AppData\Local\clithe\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\dbgbkfc\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\users\user\appdata\local\temp\ai_b2dc.ps1 -paths 'c:\users\user\appdata\roaming\your company\your application\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\your company\your application\prerequisites\aipackagechainer.exe' -retry_count 10"
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\users\user\appdata\local\temp\ai_b2dc.ps1 -paths 'c:\users\user\appdata\roaming\your company\your application\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\your company\your application\prerequisites\aipackagechainer.exe' -retry_count 10"			Jump to behavior

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_01011C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

55_2_01011C68

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_00264710 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

8_2_00264710

Source: Vista Software.tmp, 0000000C.00000003.1090580628.0000000008420000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_00FD0CA4 cpuid

55_2_00FD0CA4

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	8_2_00294DC0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	8_2_002C6EC2
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_002CF284
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	8_2_002C73C9
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	8_2_002CF4A0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	8_2_002CF543
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	8_2_002CF58E
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	8_2_002CF629
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_002CF6C0
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	8_2_002CF920
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_002CFA45
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	8_2_002CFB4B
Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_002CFC27
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	55_2_012401BD
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	55_2_012402C7
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,GetACP,	55_2_012466D9
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	55_2_01240AE1
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	55_2_01245141
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: GetLocaleInfoA,	55_2_0124518D
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	57_2_0169A2F5
Source: C:\dbgbkfc\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	57_2_0169A3FF
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	57_2_016A0811
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	57_2_0169AC19
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	57_2_0169F279
Source: C:\dbgbkfc\AutoIt3.exe	Code function: GetLocaleInfoA,	57_2_0169F2C5

Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\dbgbkfc\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\clithe\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\clithe\file.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\dbgbkfc\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002B4355 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

8_2_002B4355

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_00FF59C7 GetUserNameW,

55_2_00FF59C7

Source: C:\Users\user\AppData\Local\clithe\file.exe

Code function: 55_2_00FEB782 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

55_2_00FEB782

Source: C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Code function: 8_2_002415F0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

8_2_002415F0

Source: C:\Users\user\AppData\Local\clithe\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: SrTasks.exe, 00000005.00000003.1104386050.00000140C94E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procdump.exe
Source: SrTasks.exe, 00000005.00000002.1135258014.00000140CB488000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000005.00000003.1105418109.00000140CA100000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: Vista Software.tmp, 0000000C.00000003.1090580628.0000000008420000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0000003A.00000002.1895490189.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.2180979684.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_010323E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	55_2_010323E0
Source: C:\Users\user\AppData\Local\clithe\file.exe	Code function: 55_2_01031DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	55_2_01031DD8
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_006523E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	57_2_006523E0
Source: C:\dbgbkfc\AutoIt3.exe	Code function: 57_2_00651DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	57_2_00651DD8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	31 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	31 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Windows Service	21 Access Token Manipulation	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	11 Registry Run Keys / Startup Folder	21 Windows Service	1 DLL Side-Loading	LSA Secrets	268 System Information Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 File Deletion	Cached Domain Credentials	571 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Registry Run Keys / Startup Folder	21 Masquerading	DCSync	351 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	351 Virtualization/Sandbox Evasion	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	12 Process Injection	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
740d3a.msi	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-ID1JF.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QVJTJ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\file.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\is-IOH31.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\is-T9NMH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\clithe\unins000.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe	0%	ReversingLabs
C:\Windows\Installer\MSIA1F4.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA2A1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA30F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA38D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA44A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA499.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA70C.tmp	0%	ReversingLabs
C:\dbgbkfc\AutoIt3.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png4	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://www.innosetup.com/	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
pki-goog.l.google.com	142.250.176.195	true	false	high
c.pki.goog	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png4	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester4	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Vista Software.exe, 00000009.00000000.1030398261.0000000000A21000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000D.00000002.1072733679.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	Vista Software.exe, 00000009.00000003.1032807752.000000000366F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000009.00000003.1034717219.000000007F77B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 0000000A.00000000.1038233720.0000000000841000.00000020.00000001.01000000.00000009.sdmp, Vista Software.tmp, 0000000C.00000000.1048572672.0000000000B9D000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	Vista Software.exe, 00000009.00000003.1032807752.000000000366F000.00000004.00001000.00020000.00000000.sdmp, Vista Software.exe, 00000009.00000003.1034717219.000000007F77B000.00000004.00001000.00020000.00000000.sdmp, Vista Software.tmp, 0000000A.00000000.1038233720.0000000000841000.00000020.00000001.01000000.00000009.sdmp, Vista Software.tmp, 0000000C.00000000.1048572672.0000000000B9D000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 0000000D.00000002.1123205050.0000000008814000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1102319799.0000000005CA4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1123205050.00000000087F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	powershell.exe, 0000000D.00000002.1070262048.0000000002EE6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1123205050.00000000087F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1065615160.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Vista Software.tmp, 0000000C.00000003.1090580628.000000000842F000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.1072733679.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1072733679.0000000004E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1069297289.00000000050B3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.114.47.186	unknown	Canada		16276	OVHFR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559267
Start date and time:	2024-11-20 11:31:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	61
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	740d3a.msi
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winMSI@86/67@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 123 Number of non-executed functions: 198
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SgrmBroker.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.51.58.94, 23.44.201.28, 23.44.201.36, 23.44.201.33, 23.44.201.37, 23.44.201.31, 23.44.201.39, 23.44.201.38, 23.44.201.26, 23.44.201.34, 72.21.81.240
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, wu.azureedge.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 9840 because it is empty
Execution Graph export aborted for target powershell.exe, PID 824 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8876 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 740d3a.msi

Simulations

Behavior and APIs

Time	Type	Description
05:33:47	API Interceptor	4x Sleep call for process: SrTasks.exe modified
05:33:52	API Interceptor	18x Sleep call for process: powershell.exe modified
05:33:53	API Interceptor	1x Sleep call for process: Vista Software.tmp modified
05:34:07	API Interceptor	2x Sleep call for process: svchost.exe modified
05:34:51	API Interceptor	69875x Sleep call for process: MSBuild.exe modified
11:34:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce eeacadf "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
11:34:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce eeacadf "C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
167.114.47.186	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse
	Reminder.exe	Get hash	malicious	PureCrypter	Browse
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse
	Reminder.exe	Get hash	malicious	PureCrypter	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	199.232.210.172
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	199.232.210.172
	MyInstaller_PDFGear.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.214.172
	file.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Benefit Enrollment -wZ5nusm.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	6GvQSVIEIu.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Benefit Enrollment -eGz8VNb.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
pki-goog.l.google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.99
	l2rP5bxDPg.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.35
	XUpERCR9nC.lnk	Get hash	malicious	Ducktail	Browse	142.250.65.163
	[EXTERNAL] Tribrik Management Limited Shared Document.eml	Get hash	malicious	Unknown	Browse	142.251.40.195
	MAqlwGvuGr.exe	Get hash	malicious	SheetRat	Browse	142.250.65.163
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	142.251.40.163
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.16.131
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.195
	40kib.dll	Get hash	malicious	Unknown	Browse	142.251.35.163
	YhONKuZmIa.dll	Get hash	malicious	Unknown	Browse	142.250.80.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	Reminder.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	Reminder.exe	Get hash	malicious	PureCrypter	Browse	167.114.47.186
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	arm.nn-20241120-0508.elf	Get hash	malicious	Mirai, Okiru	Browse	51.79.4.49
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	147.135.236.178
	https://usapress.info/inside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years/	Get hash	malicious	Unknown	Browse	54.38.113.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse	23.44.201.15
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse	23.44.201.15
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	23.44.201.15
	Reminder.exe	Get hash	malicious	PureCrypter	Browse	23.44.201.15
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	23.44.201.15
	https://orbistravelassistance.page/app/pages/login.php	Get hash	malicious	Unknown	Browse	23.44.201.15
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	23.44.201.15
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	23.44.201.15
	file.exe	Get hash	malicious	LummaC	Browse	23.44.201.15

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-ID1JF.tmp\_isetup\_setup64.tmp	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse
	Reminder.exe	Get hash	malicious	PureCrypter	Browse
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse
	Reminder.exe	Get hash	malicious	PureCrypter	Browse
	reservation .exe	Get hash	malicious	TVrat	Browse
	reservation .exe	Get hash	malicious	TVrat	Browse
	oZ3vtWXObB.exe	Get hash	malicious	TVrat	Browse
	wjpP1EOX0L.exe	Get hash	malicious	TVrat	Browse
C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp	AI_ChainedPackageFile.VistaSoftware.exe	Get hash	malicious	PureCrypter	Browse

Created / dropped Files

C:\Config.Msi\549e0e.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9419
Entropy (8bit):	5.5907946003174525
Encrypted:	false
SSDEEP:	192:UYZeqhKU9NfOITNfOkNb3rtK8lE6FaLWuLplaQ4nWhA:UsKUfffbNbbtK8i6FaLWmaQ4nWhA
MD5:	EA4E3665B43B3E8E630368B726E70B3E
SHA1:	31FC591ACB688F4673D7AE33C7D8396B38663C40
SHA-256:	142DC302E6B669FFD90B735CC2D0414CC6549E136361D1848FFBAC40D7C0B190
SHA-512:	B9AB0B87F83B4505725936171981825B99A0CE25F4537D247AB20DBEF51FCC7C575B83D3D2FD993FE3D8F1574D40B6206B4345F8A062BDA780C535DA4463430C
Malicious:	false
Preview:	...@IXOS.@.....@9,tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{2DB80D4A-91C8-4B46-99C2-BAAC7C0B3006}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@......&.{C7A8C515-ACD3-4411-99AD-EAD9719AE9CF}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@......&.{2DE3D436-1DE1-417A-9EA0-E82AF8BF7D62}&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}.@........CreateFolders..Creating folders..Folder: [1]#.>.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....&.Software\Your Company\Your Application...@....(.&...Version..1.0.0'.&...Path>.C:\Users\user\AppData\Roa

C:\Config.Msi\549e10.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	399
Entropy (8bit):	4.9506248637089945
Encrypted:	false
SSDEEP:	6:Ea3LMse/gReRY+Jy8QVkBMhiYBlSzVq2olnl/hkBdtsuRkYRsj9Yq:Eg5OgRGYdTdhTSzVYnl/hitft2/
MD5:	B26EA83FECE19FE83D1DB60AD7CD865A
SHA1:	8D50FCE48323532B0DE52387CD1E229B978333EE
SHA-256:	67E5A6B8F439107156AB4B3188C4E4753BBB48F0FA98A11AB635717E77E544D5
SHA-512:	21EBA0C9F1BA9958C75BC9DCF5413C08B421906F5615217CFC7D820790AE9AAAD6B80EB1E46BF2B0D73F843301742D4430E1AF960346F8663B01A4E3758DCBF8
Malicious:	false
Preview:	...@IXOS.@.....@9,tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....AI_LaunchChainer...@.....@.....@....

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.13581370329483472
Encrypted:	false
SSDEEP:	384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5Z:mJP74rzc8Myr43mNrf6YM5Z
MD5:	F0141D64B7DEA02186D70B9F0DF28293
SHA1:	36CF31A8A105D5DA0A66DDEADB24204063457C95
SHA-256:	520778EFE3719D8BADE097671158FCD4AC9C4E470DD2D2CBA22240DB7DCAABFA
SHA-512:	6296AFBBF1116DA7C1A9B785C723D67B57C665968AE84D6B953D35BEC16D2861D27E1A8D0426711BB5A529DDF5E45431AD88CA2DF7CE5CF46CF5C2B1AA5415EB
Malicious:	false
Preview:	...........@..@.3...{g.....yo.........<.....).9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;..........v[.2}c}c.#.........`h.d...............h.<.....6.:......p..*9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xd678a1c9, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.8698470206821871
Encrypted:	false
SSDEEP:	1536:TSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:TapaQK0yfOD8F31Xw
MD5:	08F1521AEEE4F9D5C75C0A26ACFF6A55
SHA1:	DD90C6E7EC4EA60BFE37DB57B7B85083AE31850C
SHA-256:	87953EE1A01F534E6C4A91BFC8B2D511BE93CA2559515427E01EB2A5C7A153D3
SHA-512:	3329D9EBDF95FD5D85FE6BB08B3E91DDFA60EDA4F5607C9332A82355230A4B07E17507BBCB9B412453A4EECA223C4FA2572DA9EFCAAE99A2AA8237337C9DC20F
Malicious:	false
Preview:	.x..... ................p..9...y........................0..........\|).."...\|..h.2...........................).9...y..........................................................................................................bJ......n....@...................................................................................................... ........3...{g.....................................................................................................................................................................................................................................).'.."...\|;..................:..."...\|...........................#......h.2.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08164808428811135
Encrypted:	false
SSDEEP:	3:yRWlUE5f2sBj4i4uRFE5/ll/pPvillo0lJlbxvws:CiPfHj3LRi5/llhPOL
MD5:	82D30992C27FD8D0A4590B1665DB7CD1
SHA1:	578CB2DAEB0988238AEA5C7208F17F807DBBD26E
SHA-256:	D4678DE2B56DDA110325B68687185BBC033876F190FEBA82B60AFEA020ECB0D0
SHA-512:	44F0C8F7A7F926CB49CB2B8BD52F344FC688674E22B5062392FFC6DF8A69A52CDB0F99F1D6E646D8A21157468579FB7D43E4505B650764C9E7D80938B7CB491E
Malicious:	false
Preview:	...t....................................*9...y..."...\|.......\|)..............\|)......\|)..C.t.....\|)O.................:..."...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\kwZvl2ZDr.a3x

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\System Volume Information\SPP\OnlineMetadataCache\{8770b57a-cd3c-4ef2-af9f-1b6257341760}_OnDiskSnapshotProp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	4736
Entropy (8bit):	3.712062778175599
Encrypted:	false
SSDEEP:	48:FJejD2oE2RETr/7kVDrjrEmXRyiyBoPZcG48oF7HntwoFd4xVQ1Ud9ZQwovwE5lv:FJED2jHfWPcoBcH8SepVQI9XE56tKDN
MD5:	530811729232224B665956E381FB6C10
SHA1:	43FA3BAF1AFEA03406586D03F7CFDD7C2645D242
SHA-256:	F2D229C473E5D3FA2E736FC5934B23542D70B1EF60943F0F6FE60E72150B0E90
SHA-512:	50C777D6FB18BF8D144A79A989CB2596ECF554287B2AB7A85A5FD1AE5D618681EF061535238CBC0D6536233C062B5A5D9FAB2A1C7109E96DA86AC368E7330B0B
Malicious:	false
Preview:	...j.Y.G..<.&.+._i2<............X.......z.p.<..N...bW4.`..........F.7;..........:..$3.J.C.Na.V............................$.......8.......p...............I.n.s.t.a.l.l.e.d. .Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.................C.:.\.W.i.n.d.o.w.s.\...............7.1.5.5.7.5.................W.O.R.K.G.R.O.U.P.......n6.j:..G.{4VI..H....................DMIO:ID:...c-dSA....n......... ...2.......2...\.\.?.\.V.o.l.u.m.e.{.6.3.c.2.1.a.8.2.-.6.4.2.d.-.4.1.5.3.-.9.c.d.a.-.a.d.1.6.c.9.6.e.e.c.9.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.6.3.c.2.1.a.8.2.-.6.4.2.d.-.4.1.5.3.-.9.c.d.a.-.a.d.1.6.c.9.6.e.e.c.9.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .2.1...0.0.7...2.0.0.9.1.................G.o.o.g.l.e. .C.h.r.o.m.e. .1.2.8...0...6.6.1.3...1.2.0.................J.a.v.a. .8. .U.p.d.a.t.e. .3.0.1. .8...0...3.0.1.0...9.........

C:\System Volume Information\SPP\metadata-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	13255872
Entropy (8bit):	3.6245177735325083
Encrypted:	false
SSDEEP:	12288:mYmPwQH9QlO/bLnI1BPMZTGitoem9ecB2l9xwXrZJk51Qg5E0d3pWDfJTNqVE9nu:w4QdoO/v1oem+Hg1ivh+ITIHtP0hhp
MD5:	8096990327362083550A5B997E88FE53
SHA1:	383969F5D309A3D63B4F7C75C65B4B662679808C
SHA-256:	4A2243F3B0BDAB416E38AC1519789A2D0EFC03E775CD53648BD95BF82EEB068B
SHA-512:	75E4AAB94EBF096C508ADB3F97131499130AC9C286382679EEF0044A35974F13CA02C9AB04AF29F9E615493D53212F6D1B28CE4952D11419BEF96B8D700BA88B
Malicious:	false
Preview:	7q$.o.lK.V"....6Kz..............D...................... ...Y.......Y...<.B.A.C.K.U.P._.C.O.M.P.O.N.E.N.T.S. .x.m.l.n.s.=.".x.-.s.c.h.e.m.a.:.#.V.s.s.C.o.m.p.o.n.e.n.t.M.e.t.a.d.a.t.a.". .v.e.r.s.i.o.n.=.".1...2.". .b.o.o.t.a.b.l.e.S.y.s.t.e.m.S.t.a.t.e.B.a.c.k.u.p.=.".y.e.s.". .s.e.l.e.c.t.C.o.m.p.o.n.e.n.t.s.=.".y.e.s.". .b.a.c.k.u.p.T.y.p.e.=.".f.u.l.l.". .p.a.r.t.i.a.l.F.i.l.e.S.u.p.p.o.r.t.=.".y.e.s.". .s.n.a.p.s.h.o.t.S.e.t.I.d.=.".8.7.7.0.b.5.7.a.-.c.d.3.c.-.4.e.f.2.-.a.f.9.f.-.1.b.6.2.5.7.3.4.1.7.6.0.".>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.n.c.e.I.d.=.".f.0.0.8.1.4.4.e.-.5.f.9.d.-.4.b.f.9.-.a.a.a.2.-.7.4.6.9.0.0.e.e.b.f.5.e.". .w.r.i.t.e.r.I.d.=.".e.8.1.3.2.9.7.5.-.6.f.9.3.-.4.4.6.4.-.a.5.3.e.-.1.0.5.0.2.5.3.a.e.2.2.0.". .b.a.c.k.u.p.S.c.h.e.m.a.=.".0.".>.<.C.O.M.P.O.N.E.N.T. .c.o.m.p.o.n.e.n.t.N.a.m.e.=.".S.y.s.t.e.m. .F.i.l.e.s.". .c.o.m.p.o.n.e.n.t.T.y.p.e.=.".f.i.l.e.g.r.o.u.p."./.>.<./.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S.>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.

C:\System Volume Information\SPP\snapshot-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	4736
Entropy (8bit):	3.712062778175599
Encrypted:	false
SSDEEP:	48:FJejD2oE2RETr/7kVDrjrEmXRyiyBoPZcG48oF7HntwoFd4xVQ1Ud9ZQwovwE5lv:FJED2jHfWPcoBcH8SepVQI9XE56tKDN
MD5:	530811729232224B665956E381FB6C10
SHA1:	43FA3BAF1AFEA03406586D03F7CFDD7C2645D242
SHA-256:	F2D229C473E5D3FA2E736FC5934B23542D70B1EF60943F0F6FE60E72150B0E90
SHA-512:	50C777D6FB18BF8D144A79A989CB2596ECF554287B2AB7A85A5FD1AE5D618681EF061535238CBC0D6536233C062B5A5D9FAB2A1C7109E96DA86AC368E7330B0B
Malicious:	false
Preview:	...j.Y.G..<.&.+._i2<............X.......z.p.<..N...bW4.`..........F.7;..........:..$3.J.C.Na.V............................$.......8.......p...............I.n.s.t.a.l.l.e.d. .Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.................C.:.\.W.i.n.d.o.w.s.\...............7.1.5.5.7.5.................W.O.R.K.G.R.O.U.P.......n6.j:..G.{4VI..H....................DMIO:ID:...c-dSA....n......... ...2.......2...\.\.?.\.V.o.l.u.m.e.{.6.3.c.2.1.a.8.2.-.6.4.2.d.-.4.1.5.3.-.9.c.d.a.-.a.d.1.6.c.9.6.e.e.c.9.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.6.3.c.2.1.a.8.2.-.6.4.2.d.-.4.1.5.3.-.9.c.d.a.-.a.d.1.6.c.9.6.e.e.c.9.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .2.1...0.0.7...2.0.0.9.1.................G.o.o.g.l.e. .C.h.r.o.m.e. .1.2.8...0...6.6.1.3...1.2.0.................J.a.v.a. .8. .U.p.d.a.t.e. .3.0.1. .8...0...3.0.1.0...9.........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1400
Entropy (8bit):	5.34444530197804
Encrypted:	false
SSDEEP:	24:ML9E4K1BIKDE4KhKMaKhRAE4KzDAfE4KnKIE4oKnKo9E4KhROtHZsXE4kI3nRe:MxHK1BIYHKh6oRAHKzMfHKntHoAlHKh6
MD5:	E1C0D648A2CE790CE2D28859A91D6073
SHA1:	2A59CB9D730F3A9FC84C60016BCEE9EC3F601A32
SHA-256:	A749AE27848A9302C78BCEF9CA30EDF8BAAC3A0241945DBC04854C6D7072608E
SHA-512:	4599696290939FB97ADCA8DF7EB71A618F108EA1535C55B876BB4A70BA8359E0C452796FAB3907E268C0A9A9CF9356AABC0B2D6317E9836352C9EDE67F33EC80
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\10879c5bddb2dd2399e2098d5ca5c9d1\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=n

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1164
Entropy (8bit):	5.320209458187512
Encrypted:	false
SSDEEP:	24:3N0cYRSGfbo4Kcs4RP8jKzkmAmoUejr1o+mZ9txNBJt/NKqHrVe:WxRSGfs4c4RYdmloUefa+mZ9trBLNPHs
MD5:	A0F52FEAD94362DE729BE476E2266FDF
SHA1:	23C2AC2A52836E9CD2AFE32D78B00FCF3382BE44
SHA-256:	5AD639BA03E9D4FB677B7737BED009EC5F422E797F6CDCE7BDE8B9251971F7A3
SHA-512:	D414DC5E98C91FB0EE793D3F3A081C934EB990274C73676A8F4665B2F3FFC34F18A68285C516BD1B665460C0C43F0ED228EB3B22401922605B9F5861E6A5FE2D
Malicious:	false
Preview:	@...e...........................................................L...............h..t...D.d.u.........!.Microsoft.PowerShell.ScheduledJob...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0...............I.....B..ZR............System..4......................A....E..........System.Core.D................g$H..K..I.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4..................%`99B....9...........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Command

C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23209
Entropy (8bit):	6.02302501724474
Encrypted:	false
SSDEEP:	384:gsurSpJjMPfBJZh+puH/aXAAtyIRWXISPVPXFtlMnOpkpNZRHbaQotu25tbJUuqS:IOpJjMPfBjhj/HkutPXFtleJ3F1oUaJL
MD5:	467774A57E387C18B5962AEAB412CDF5
SHA1:	15E5B916C5251A2D58CCA07381860A22E34BF1A5
SHA-256:	C57C9CE36B104FEBA7B9E0CAD5D37090C87CB3E351EDE658D1000B66ACAD24D9
SHA-512:	0C821543528827BE0D845421905551B07073D9ACBF7E4BC9F386B4808192E4BD28C27CF86ACCB4F7820F68829A0F4BF311BFE7A10B1388D8B385311A157430DB
Malicious:	true
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9bwYJKoZIhvcNAQcCoII9YDCCPVwCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jh14bcko.rpn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsjn3oad.ijd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uxk330gn.fnr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhds3khn.o4t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xczxaxep.zxt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y54r2mf2.ep3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3615232
Entropy (8bit):	6.746330366445845
Encrypted:	false
SSDEEP:	98304:7JYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh4:6VL/tnHGYiqlmhhhhhhhhhhhhhhhhhhq
MD5:	584586C0CF548DB94F76F124046D58D9
SHA1:	63BA86DC3AE44A60C315C29416EE89952F57DACF
SHA-256:	DD7B6FC3B236D3F6F5C8309B95A0748FEE3FA075E48F68DE381FD68210260FC2
SHA-512:	B3EF65AE20CA7992AF343397C68F8BE35A15437C24B35E878B9D349D5C9F6AF0FA8CB1BE4F8DA08DCBAD1D0C95DC36CED784F900696CF85F69C8D7A2148EA242
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AI_ChainedPackageFile.VistaSoftware.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-ID1JF.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AI_ChainedPackageFile.VistaSoftware.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: KEFttAEb.vbs, Detection: malicious, Browse Filename: AaronGiles(1).exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: reservation .exe, Detection: malicious, Browse Filename: reservation .exe, Detection: malicious, Browse Filename: oZ3vtWXObB.exe, Detection: malicious, Browse Filename: wjpP1EOX0L.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3615232
Entropy (8bit):	6.746330366445845
Encrypted:	false
SSDEEP:	98304:7JYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh4:6VL/tnHGYiqlmhhhhhhhhhhhhhhhhhhq
MD5:	584586C0CF548DB94F76F124046D58D9
SHA1:	63BA86DC3AE44A60C315C29416EE89952F57DACF
SHA-256:	DD7B6FC3B236D3F6F5C8309B95A0748FEE3FA075E48F68DE381FD68210260FC2
SHA-512:	B3EF65AE20CA7992AF343397C68F8BE35A15437C24B35E878B9D349D5C9F6AF0FA8CB1BE4F8DA08DCBAD1D0C95DC36CED784F900696CF85F69C8D7A2148EA242
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-QVJTJ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\file.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\is-94333.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	61302
Entropy (8bit):	7.997489289281888
Encrypted:	true
SSDEEP:	1536:DuJTbCqFC3mhFOwLah/4qYkDwlCKA9J7lvUqHUkXun:CtblFbGwLa2kElnANcqHen
MD5:	F0ECA05CE9A3A95EB161E175654CBB49
SHA1:	65CF312004A77709C5181DF950F608AFBCAB92F7
SHA-256:	F50D9901798FB26B80F73685F340E769E16495E9CD7CD902321F474A11FECCB7
SHA-512:	EDEF43BD7565833C5033CE05CF611194BB6646465BC42F9A996A7C6C5AB6F90DF2E17A13DEC6DB45E1F402D25F6A168C9F2DEB17721D9ACF00769F2A83F3A2B8
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..................j.......j..kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..!..f.....'......b~....j..C...................j..m.....KF....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

C:\Users\user\AppData\Local\clithe\is-IOH31.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\clithe\is-L4EJR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\Users\user\AppData\Local\clithe\is-T9NMH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639357
Entropy (8bit):	6.7334924639235485
Encrypted:	false
SSDEEP:	98304:zJYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn:SVL/tnHGYiqlmhhhhhhhhhhhhhhhhhhh
MD5:	A502816878594E55FE6A4BF0383C9012
SHA1:	B37FD1BE34B7A76594240F60F226AE3CBD410AA3
SHA-256:	D4F4F74F71F52E6B17355B5ABEFDA78CFC9A5EB267213F4059922468C56B0277
SHA-512:	36C3C033E6E6C5B4D82CE5F5E6DFEC9D210B51ECF34A3DDBF3A3062FE27224D6824E15403B778D10A1C3C138450701BB6B0C8452794420F23FD8E5795FCDB7B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\clithe\millhouse.cda (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

C:\Users\user\AppData\Local\clithe\millhouse1.a3x (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	data
Category:	dropped
Size (bytes):	61302
Entropy (8bit):	7.997489289281888
Encrypted:	true
SSDEEP:	1536:DuJTbCqFC3mhFOwLah/4qYkDwlCKA9J7lvUqHUkXun:CtblFbGwLa2kElnANcqHen
MD5:	F0ECA05CE9A3A95EB161E175654CBB49
SHA1:	65CF312004A77709C5181DF950F608AFBCAB92F7
SHA-256:	F50D9901798FB26B80F73685F340E769E16495E9CD7CD902321F474A11FECCB7
SHA-512:	EDEF43BD7565833C5033CE05CF611194BB6646465BC42F9A996A7C6C5AB6F90DF2E17A13DEC6DB45E1F402D25F6A168C9F2DEB17721D9ACF00769F2A83F3A2B8
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..................j.......j..kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..!..f.....'......b~....j..C...................j..m.....KF....5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

C:\Users\user\AppData\Local\clithe\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	InnoSetup Log 64-bit clithe, version 0x418, 6369 bytes, 715575\37\user\37, C:\Users\user\AppData\Local\clithe\376\3
Category:	dropped
Size (bytes):	6369
Entropy (8bit):	3.895013548774407
Encrypted:	false
SSDEEP:	96:8I1W8JbGyaB9MDIdOTOGO/OzOGIuTXdHOk2CfbcuJlEDA4MZAe2L9Q1rHhn0:8I1W8TaBdUSn2yGIuLdHvbP4DSm9EHi
MD5:	0196B1E043F3845A0E2DE4CA79BFBBA6
SHA1:	036E46C7D48CA49341916144B2AA8B220B9411AF
SHA-256:	83375603FA6AB8E77999A64531E046B492B4F0CDCEA1C975B0D8C155FD314F0D
SHA-512:	8C8BB28B7EB307CC72C7A08AC45F40943043CA03A2134D6BE0CB7031C2D422F6CB971BF37CA278DE49BC95987B4383F88E59900267D8A4430BA9C48F7518D45E
Malicious:	false
Preview:	Inno Setup Uninstall Log (b) 64-bit.............................reclosable......................................................................................................................clithe......................................................................................................................................!................................................................................................................TK ..........Q................7.1.5.5.7.5......A.r.t.h.u.r......C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.l.i.t.h.e................!.4.... ..............IFPS....%........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.....................TFILETIME.........................!

C:\Users\user\AppData\Local\clithe\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639357
Entropy (8bit):	6.7334924639235485
Encrypted:	false
SSDEEP:	98304:zJYVM+LtVt3P/KuG2ONG9iqLRQv3330+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhn:SVL/tnHGYiqlmhhhhhhhhhhhhhhhhhhh
MD5:	A502816878594E55FE6A4BF0383C9012
SHA1:	B37FD1BE34B7A76594240F60F226AE3CBD410AA3
SHA-256:	D4F4F74F71F52E6B17355B5ABEFDA78CFC9A5EB267213F4059922468C56B0277
SHA-512:	36C3C033E6E6C5B4D82CE5F5E6DFEC9D210B51ECF34A3DDBF3A3062FE27224D6824E15403B778D10A1C3C138450701BB6B0C8452794420F23FD8E5795FCDB7B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f....................d..................@...........................8...........@......@...................P,.n.....,.j:...P0......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc.......P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3306790
Entropy (8bit):	7.790569470803338
Encrypted:	false
SSDEEP:	98304:/wREp+hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh7:90hhhhhhhhhhhhhhhhhhhhhhhhhhhhhj
MD5:	35135E7F357C522D07DDD87307C0345C
SHA1:	758A12358ED51E44E37F238070F9407B0A017FC4
SHA-256:	1503447C30588583377509F44B075E99019A59899CA8E2A4B36A6602B39D4DC7
SHA-512:	D9020A8771277B0108C2CE1ECD07204AFBC88C6B183EBE257FA90C080FE031657CF79346D39B645B1FF8D9AEEF0A926318380E80561DEB19AB584A65E34A9DB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t........................@..................................d_...@......@...................p..q....P..........<R...........K2.@)...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...<R.......T..................@..@....................................@..@................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895488
Entropy (8bit):	6.4269201931011315
Encrypted:	false
SSDEEP:	24576:qReoHhWiBkVLQ/8MRdK6C5gU1We373cGx18Zh0:QwVdh1WebcGL8Zh0
MD5:	2C0130F614EA8C240320EC47D0008EEA
SHA1:	B4DA50EBBE6ADE459974E0A199F5C780D5AD19F7
SHA-256:	B78A85120AFAF0C2B7A132ECDB8C2DAA5C18190CEEE3F2F7420C1EDEE205F957
SHA-512:	381386DF46A30EF457BC2A63E010DFD7C116029D79B79BB8BC9236EBA4B4D673A5D97A4C4E7F1B32604CE653973E9C52B8B0E37F529015D12B13D614DB7BAED4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.Rm'.<>'.<>'.<>W8??+.<>W89?..<>7=???.<>7=8?5.<>W88?<.<>7=9?N.<>W8:?&.<>W8=?>.<>'.=>.<>o<5?..<>o<.>&.<>'..>&.<>o<>?&.<>Rich'.<>........PE..L...6..f.........."....).\...J......PM.......p....@..........................P......I;....@............................................../......................p...@...p...........................p...@............p..H...4........................text....[.......\.................. ..`.rdata..Xd...p...f...`..............@..@.data....p..........................@....didat.......`......................@....fptable.....p......................@....rsrc..../.......0..................@..@.reloc..p...........................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1452
Entropy (8bit):	3.486079967126399
Encrypted:	false
SSDEEP:	24:Q+xvXor+8+Xor/kPEE0XorRkPED5kPEcJXorRkPED5kPE6X7FgXorfzv:rx/JbenEkAnD5nc5AnD5nKZQg
MD5:	ABE5AC4BC4419E98B03541234C2015B3
SHA1:	96175F6D2F93A563A8513C1FD5CFAD763D2FE24F
SHA-256:	CCD7226B005FCB1964FD0AB538B0532C62F23F594360848CDA4E37E2A1AC8934
SHA-512:	B6C378DCFF179348AE431EEFBED45E461807F2BBFD25B84D83524415A167E0FEE11AF388477C25EB343A79D5C310037124565AADCA5E00E25479A13F40EE1122
Malicious:	false
Preview:	..[.G.e.n.e.r.a.l.O.p.t.i.o.n.s.].....O.p.t.i.o.n.s.=.b.h.....D.o.w.n.l.o.a.d.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....E.x.t.r.a.c.t.i.o.n.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....[.P.R.E.R.E.Q.U.I.S.I.T.E.S.].....A.p.p.1.=.V.i.s.t.a. .S.o.f.t.w.a.r.e.....[.A.p.p.1.].....S.e.t.u.p.F.i.l.e.=.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.V.i.s.t.a. .S.o.f.t.w.a.r.e.\.V.i.s.t.a. .S.o.f.t.w.a.r.e...e.x.e.....O.p.t.i.o.n.s.=.i.p.....[.P.R.E.R.E.Q._.C.H.A.I.N.E.R.].....C.l.e.a.n.u.p.F.i.l.e.s.=.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.o.u.r. .C.o.m.p.a.n.y.\.Y.o.u.r. .A.p.p.l.i.c.a.t.i.o.n.\.p.r.e.r.e.q.u.i.s.

C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23209
Entropy (8bit):	6.02302501724474
Encrypted:	false
SSDEEP:	384:gsurSpJjMPfBJZh+puH/aXAAtyIRWXISPVPXFtlMnOpkpNZRHbaQotu25tbJUuqS:IOpJjMPfBjhj/HkutPXFtleJ3F1oUaJL
MD5:	467774A57E387C18B5962AEAB412CDF5
SHA1:	15E5B916C5251A2D58CCA07381860A22E34BF1A5
SHA-256:	C57C9CE36B104FEBA7B9E0CAD5D37090C87CB3E351EDE658D1000B66ACAD24D9
SHA-512:	0C821543528827BE0D845421905551B07073D9ACBF7E4BC9F386B4808192E4BD28C27CF86ACCB4F7820F68829A0F4BF311BFE7A10B1388D8B385311A157430DB
Malicious:	true
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9bwYJKoZIhvcNAQcCoII9YDCCPVwCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Installer\549e0c.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	6722560
Entropy (8bit):	7.310993946697638
Encrypted:	false
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
MD5:	64A6CF00B80FE77C16F6DA137DD7A9D1
SHA1:	F9365C7876AC8934A48237499CF8774FE78EA196
SHA-256:	630ACEFE136EA2E4BB95211A214E4829D8CB59D4D948B09221E61ACD278854BF
SHA-512:	FA1FCFB0E4CCE82656A377EF00FB4424860D40B6891FCA29AF240866EFDEC5A20BA16B615488252BE2B438E2415A068BD147A013AA140FE86E1EB061B4E1BC7C
Malicious:	false
Preview:	......................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...v.......\|.......g.......;...<...=...>...?...@...A...B...C...D...E...F...G...H...j#..k#..l#..m#..n#..o#..p#..q#..r#..s#..t#..u#..v#..w#..x#..y#..d+..e+..f+..g+..h+..i+..j+..k+..l+..m+..n+..o+..p+..q+..`2..w........................................2..............................................................................................................................................................................................................................<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\549e0f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	6722560
Entropy (8bit):	7.310993946697638
Encrypted:	false
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
MD5:	64A6CF00B80FE77C16F6DA137DD7A9D1
SHA1:	F9365C7876AC8934A48237499CF8774FE78EA196
SHA-256:	630ACEFE136EA2E4BB95211A214E4829D8CB59D4D948B09221E61ACD278854BF
SHA-512:	FA1FCFB0E4CCE82656A377EF00FB4424860D40B6891FCA29AF240866EFDEC5A20BA16B615488252BE2B438E2415A068BD147A013AA140FE86E1EB061B4E1BC7C
Malicious:	false
Preview:	......................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...v.......\|.......g.......;...<...=...>...?...@...A...B...C...D...E...F...G...H...j#..k#..l#..m#..n#..o#..p#..q#..r#..s#..t#..u#..v#..w#..x#..y#..d+..e+..f+..g+..h+..i+..j+..k+..l+..m+..n+..o+..p+..q+..`2..w........................................2..............................................................................................................................................................................................................................<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIA1F4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA2A1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA30F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA38D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA44A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA499.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIA546.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2241
Entropy (8bit):	5.708599331415351
Encrypted:	false
SSDEEP:	48:F9zVQRRiBjS0qYD8SIgeqanhr7NGbEC0d:F9zOSqwJeHNNcEn
MD5:	E3B243B493B38B077C572DC310022AAF
SHA1:	B3C0CABE35D72469EDD16888285FD6963765F1BE
SHA-256:	9783BF96C348E4969011ADC79903EF8C408169DB5F90F113C4DF57E9166635F8
SHA-512:	EDB332E23D10782647B67C810570227C095A5201452C579348D988E0F7C2B5B9B185819CC3303FE714A5EADF1B97D822CC2D3D7A41FB0B909972BFF155F67632
Malicious:	false
Preview:	...@IXOS.@.....@9,tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{2DB80D4A-91C8-4B46-99C2-BAAC7C0B3006}>.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@.......@.....@.....@......&.{C7A8C515-ACD3-4411-99AD-EAD9719AE9CF}2.01:\Software\Your Company\Your Application\Version.@.......@.....@.....@......&.{2DE3D436-1DE1-417A-9EA0-E82AF8BF7D62}j.01:\Software\Caphyon\Advanced Installer\Prereqs\{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}\1.0.0\VISTASOFTWARE.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".>.C:\Users\user\AppData\Roaming\Your Company\Your Application\.@.......

C:\Windows\Installer\MSIA70C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIA893.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	543
Entropy (8bit):	5.187609008492708
Encrypted:	false
SSDEEP:	12:Eg5TgRGYdTdhTSzVYnl/hitftEkpbHIBDZxSl:hTgIw1SzVaRkpMdxW
MD5:	10DC4876FC76694E6C05B8BAFA5FCE84
SHA1:	823BC6C4809270D2F5850137337620389052CFE1
SHA-256:	132BACADD2980D89EEDDD69187D529926991F44C2A1100FC3EA7D52AF286AADB
SHA-512:	478CD9B96E9A40AF4ABCAAA18FE6F45815CF195B90A911E38FBF99F0D504B4C26A8EF62E31D4EB530B20B369E090B87F962F72B5F08FF1F975113C024E01E10D
Malicious:	false
Preview:	...@IXOS.@.....@9,tY.@.....@.....@.....@.....@.....@......&.{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}..Your Application..740d3a.msi.@.....@.....@.....@........&.{D5C03FE6-2CB0-44BC-9C72-3578CFB89255}.....@.....@.....@.....@.......@.....@.....@.......@......Your Application......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........AI_LaunchChainer....J...AI_LaunchChainer.@....`.C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe...@.....@.....@....

C:\Windows\Installer\SourceHash{4B67D172-7CB6-417D-AB01-03B1F8C9B55C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.162110438027243
Encrypted:	false
SSDEEP:	12:JSbX72FjjAGiLIlHVRpth/7777777777777777777777777vDHFC67XKpSl0i8Q:JNQI5pR7XoF
MD5:	760B1BEB7DDD2EE755A709006C08C314
SHA1:	2923571124E79AE58648CB2093462902FB678252
SHA-256:	905605B286C883F7C830798EB8D8A57C787ABC6E966EB635CEA6FF17B6182A8D
SHA-512:	BA3B0BA13C11E705533703460264746C1207F0AB9DD563ADDE60380C7D69F2525446E0F043684D8DED26B2216D43FB7E27EBDD0300BBA8EAD1FD688BBE39229C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5609463119081397
Encrypted:	false
SSDEEP:	48:98PhTuRc06WXJenT5F+fSlhAE4CywTfSlFyy/:ghT11nT7OVzCz
MD5:	422214F1E303609CE193156153D6AB18
SHA1:	DD97AA82D77626B6B99D405962C64F0684CEF05B
SHA-256:	7815B0BEB9610C8CE1CA89CD067C0545D8F0171EB1B88EDD375146365D350FEA
SHA-512:	6F89CF4BB2E750ED6C6174B1F076A0DCA7E301BA78E5F4914F442504E65C0A0BBF0D5AA5536EE0AD9C324C4FEBE5A27539A7118BE8629BE075E167D3FD3280B5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	945752
Entropy (8bit):	5.4113002084340405
Encrypted:	false
SSDEEP:	6144:TFfxq8RfKF0Dux6lvJ3c7v/3dd7kGcoyq+H2:TFfxq8xKCE6lVcbP7kGcj2
MD5:	672AEEE12A4D10FBBA63D5F258694824
SHA1:	97651CDBA9FC1F2A2193A8BB123BCBFD769F5AA9
SHA-256:	E6DC57D5D92EE61D614F2E92DB55C1DC37F9111A9EC9C25330BAA7A889728610
SHA-512:	3A14FD3EA7D281453C97C76104D5F7259B31B5C13247B6B9EE7BB09ED290B258CF8A0CAFFAE04894D318D3DE4E7469D6A2422EA17DB9B09056690024DBA55B46
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 09:59:37.236 [4684]: Command line: D:\wd\compilerTemp\BMT.i51yo0aa.beh\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 09:59:37.255 [4684]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 09:59:37.299 [4684]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 09:59:37.299 [4684]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 09:59:37.299 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Temp\~DF02FB20D9317E68EE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0DA28791FD711971.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2508946393049043
Encrypted:	false
SSDEEP:	48:g0LuNO+CFXJ9T5i+fSlhAE4CywTfSlFyy/:9LpVTUOVzCz
MD5:	358A84CE55B466FD4E3B7991AAB964A7
SHA1:	66FA91AD95AD8D635D7156F918C7012923725F3A
SHA-256:	C8716152674849F413E848888A2C6EDABCC4435E73D2E0BC252A2022379B8D3A
SHA-512:	A124B92C90A7E5F5C0AD3818AAD6C1A18C4488A85365034BBB6BDB6D4295DE16221B7719B00FE2CCFEFF9787B31101D8854969A5B58E8380D799099DD931768F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4B9F0B120E67D1CC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2508946393049043
Encrypted:	false
SSDEEP:	48:g0LuNO+CFXJ9T5i+fSlhAE4CywTfSlFyy/:9LpVTUOVzCz
MD5:	358A84CE55B466FD4E3B7991AAB964A7
SHA1:	66FA91AD95AD8D635D7156F918C7012923725F3A
SHA-256:	C8716152674849F413E848888A2C6EDABCC4435E73D2E0BC252A2022379B8D3A
SHA-512:	A124B92C90A7E5F5C0AD3818AAD6C1A18C4488A85365034BBB6BDB6D4295DE16221B7719B00FE2CCFEFF9787B31101D8854969A5B58E8380D799099DD931768F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5D19B6315BF155E0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5FAB0F46AC770A6B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2508946393049043
Encrypted:	false
SSDEEP:	48:g0LuNO+CFXJ9T5i+fSlhAE4CywTfSlFyy/:9LpVTUOVzCz
MD5:	358A84CE55B466FD4E3B7991AAB964A7
SHA1:	66FA91AD95AD8D635D7156F918C7012923725F3A
SHA-256:	C8716152674849F413E848888A2C6EDABCC4435E73D2E0BC252A2022379B8D3A
SHA-512:	A124B92C90A7E5F5C0AD3818AAD6C1A18C4488A85365034BBB6BDB6D4295DE16221B7719B00FE2CCFEFF9787B31101D8854969A5B58E8380D799099DD931768F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF63F41F816F7066B7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06913493440520613
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOCE0O7XpiYtQVky6lS:2F0i8n0itFzDHFC67XfS
MD5:	054515D24A534599AE0802B60903105F
SHA1:	F27A778DBA04930D1F8AB514957C692807DC1DFB
SHA-256:	140247C06F0F48A7A2D793A7F4C8ABFD30BFAECEEF0370DB1F5B9EAC4AA6E7B7
SHA-512:	0A2AF47BC3E9DEB6562F0B1039982FA0A8047BFE790A2DF09426F27CC08CFBADA7446BCF878E94D9D21BCA2961AB52F8BE57E34EFB13CF29CC9D8EBBA0FC2779
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF661E094FAE149CB7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5609463119081397
Encrypted:	false
SSDEEP:	48:98PhTuRc06WXJenT5F+fSlhAE4CywTfSlFyy/:ghT11nT7OVzCz
MD5:	422214F1E303609CE193156153D6AB18
SHA1:	DD97AA82D77626B6B99D405962C64F0684CEF05B
SHA-256:	7815B0BEB9610C8CE1CA89CD067C0545D8F0171EB1B88EDD375146365D350FEA
SHA-512:	6F89CF4BB2E750ED6C6174B1F076A0DCA7E301BA78E5F4914F442504E65C0A0BBF0D5AA5536EE0AD9C324C4FEBE5A27539A7118BE8629BE075E167D3FD3280B5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF766EBEFD2708DDD6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13639250267793568
Encrypted:	false
SSDEEP:	24:x4yAB/5HXoIipVHXoSHXoIipVHXoKAEVHyjCywVjwGG8+:uyy/JfSlRfSlhAE4CywH
MD5:	96E652B0F3F9E0E6FF3BBD86B878252A
SHA1:	E688B27776D6F3A020DDFCCFE3A76F2B199BF518
SHA-256:	F7134CDCFB6C08BC8C82B6FFA48B7AE95571DA51D1A49200F8DFB345F4EE097A
SHA-512:	E9101C536BE40601B797AAAA12294235DC8E1AACF72DDBC03CAD5B9577343E1065F090FA391DABCD40CBB300EB188216DD039FAA8BCD697CABD8511E78AADFDC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF80B06A820DCFDACA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF910053DAFBF89F09.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF93E5D8215F9602EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9E8DF4E08AE9D424.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB41915344692978E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5609463119081397
Encrypted:	false
SSDEEP:	48:98PhTuRc06WXJenT5F+fSlhAE4CywTfSlFyy/:ghT11nT7OVzCz
MD5:	422214F1E303609CE193156153D6AB18
SHA1:	DD97AA82D77626B6B99D405962C64F0684CEF05B
SHA-256:	7815B0BEB9610C8CE1CA89CD067C0545D8F0171EB1B88EDD375146365D350FEA
SHA-512:	6F89CF4BB2E750ED6C6174B1F076A0DCA7E301BA78E5F4914F442504E65C0A0BBF0D5AA5536EE0AD9C324C4FEBE5A27539A7118BE8629BE075E167D3FD3280B5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE015963AFA2531C8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2508946393049043
Encrypted:	false
SSDEEP:	48:g0LuNO+CFXJ9T5i+fSlhAE4CywTfSlFyy/:9LpVTUOVzCz
MD5:	358A84CE55B466FD4E3B7991AAB964A7
SHA1:	66FA91AD95AD8D635D7156F918C7012923725F3A
SHA-256:	C8716152674849F413E848888A2C6EDABCC4435E73D2E0BC252A2022379B8D3A
SHA-512:	A124B92C90A7E5F5C0AD3818AAD6C1A18C4488A85365034BBB6BDB6D4295DE16221B7719B00FE2CCFEFF9787B31101D8854969A5B58E8380D799099DD931768F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\dbgbkfc\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\dbgbkfc\eeacadf.a3x

Download File

Process:	C:\Users\user\AppData\Local\clithe\file.exe
File Type:	data
Category:	dropped
Size (bytes):	532964
Entropy (8bit):	7.434809463000461
Encrypted:	false
SSDEEP:	12288:/Gulirt5PUlsJIG6QvzsHzdBD8Bf874LT49dbZXa1sLKj:/RliAZysHBBD8BfRObZXa1mKj
MD5:	B3BB51CF6BE5FBE8EBAA27F06DB4BDA7
SHA1:	E535B1B4A477ACB1068A4D019AA85A622AA48F4C
SHA-256:	40B6B58FBEB08A133B56E27C94B0AA7AF7862AFE386E9056744B06BA7B03BBAC
SHA-512:	A24FD46E30E8829A3CAF93D9B91D6B0A1FFA15E9B7A4F5684A540FC42C8545405E3DED9AF4C659849B806E3644963D3C7645B019AAB3F9311DA5674BD19B62DB
Malicious:	false
Preview:	["r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................["r.....................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.9404427828211634
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeT0s+sEAFSkIrxMVlmJHaVzvv:/2fAokItULVDv
MD5:	1D785D889CA617298A68D26DFEF974C4
SHA1:	1CC36474033E2767B059019B12782CE558F1EA34
SHA-256:	FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
SHA-512:	EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {D5C03FE6-2CB0-44BC-9C72-3578CFB89255}, Number of Words: 10, Subject: Your Application, Author: Your Company, Name of Creating Application: Your Application, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Oct 20 20:36:44 2024, Last Saved Time/Date: Sun Oct 20 20:36:44 2024, Last Printed: Sun Oct 20 20:36:44 2024, Number of Pages: 450
Entropy (8bit):	7.310993946697638
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	740d3a.msi
File size:	6'722'560 bytes
MD5:	64a6cf00b80fe77c16f6da137dd7a9d1
SHA1:	f9365c7876ac8934a48237499cf8774fe78ea196
SHA256:	630acefe136ea2e4bb95211a214e4829d8cb59d4d948b09221e61acd278854bf
SHA512:	fa1fcfb0e4cce82656a377ef00fb4424860d40b6891fca29af240866efdec5a20ba16b615488252be2b438e2415a068bd147a013aa140fe86e1eb061b4e1bc7c
SSDEEP:	196608:E0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhV:E8eHZC6kP
TLSH:	D366D02176CBC03AE16D06725679EB6E503FBD220B3154C7A3E4796D9D307C12A3AA4F
File Content Preview:	........................>...................g............................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4..

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T11:34:52.363431+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	167.114.47.186	56001	192.168.11.20	49711	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 11:33:34.945573092 CET	80	49674	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:34.945913076 CET	49674	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:34.945980072 CET	80	49675	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:34.946291924 CET	49675	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:36.219628096 CET	80	49679	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:36.219960928 CET	49679	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:36.219960928 CET	49679	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:36.314059973 CET	80	49679	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:49.116588116 CET	49675	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:49.116588116 CET	49674	80	192.168.11.20	69.164.46.128
Nov 20, 2024 11:33:49.210643053 CET	80	49675	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:49.210652113 CET	80	49674	69.164.46.128	192.168.11.20
Nov 20, 2024 11:33:49.217911005 CET	49688	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.218091965 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.218112946 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.218532085 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.219264030 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.219274044 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.329637051 CET	443	49688	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.329739094 CET	443	49688	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.329921961 CET	49688	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.330079079 CET	49688	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.420934916 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.421180964 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.421272039 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.433195114 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.433211088 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.433542013 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.434076071 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.434163094 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.434185028 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.434215069 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.434264898 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.434273005 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.434426069 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.434572935 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.551666021 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:33:49.627253056 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.627495050 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.627926111 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.627976894 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.628144026 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.628247976 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.629704952 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.629704952 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.629719019 CET	443	49701	23.44.201.15	192.168.11.20
Nov 20, 2024 11:33:49.630325079 CET	49701	443	192.168.11.20	23.44.201.15
Nov 20, 2024 11:33:49.645757914 CET	80	49702	142.250.176.195	192.168.11.20
Nov 20, 2024 11:33:49.646030903 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:33:49.646301985 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:33:49.740355015 CET	80	49702	142.250.176.195	192.168.11.20
Nov 20, 2024 11:33:49.740804911 CET	80	49702	142.250.176.195	192.168.11.20
Nov 20, 2024 11:33:49.790997028 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:34:06.646905899 CET	49689	443	192.168.11.20	20.189.173.18
Nov 20, 2024 11:34:06.662317038 CET	49690	80	192.168.11.20	192.229.211.108
Nov 20, 2024 11:34:06.761303902 CET	80	49690	192.229.211.108	192.168.11.20
Nov 20, 2024 11:34:06.761523008 CET	49690	80	192.168.11.20	192.229.211.108
Nov 20, 2024 11:34:06.809968948 CET	443	49689	20.189.173.18	192.168.11.20
Nov 20, 2024 11:34:06.810322046 CET	49689	443	192.168.11.20	20.189.173.18
Nov 20, 2024 11:34:10.723892927 CET	49683	443	192.168.11.20	40.126.24.84
Nov 20, 2024 11:34:10.723896027 CET	49682	80	192.168.11.20	192.229.211.108
Nov 20, 2024 11:34:10.822858095 CET	80	49682	192.229.211.108	192.168.11.20
Nov 20, 2024 11:34:10.823100090 CET	49682	80	192.168.11.20	192.229.211.108
Nov 20, 2024 11:34:10.828077078 CET	443	49683	40.126.24.84	192.168.11.20
Nov 20, 2024 11:34:10.828298092 CET	49683	443	192.168.11.20	40.126.24.84
Nov 20, 2024 11:34:12.692271948 CET	49687	443	192.168.11.20	40.126.24.84
Nov 20, 2024 11:34:12.796392918 CET	443	49687	40.126.24.84	192.168.11.20
Nov 20, 2024 11:34:12.796591043 CET	49687	443	192.168.11.20	40.126.24.84
Nov 20, 2024 11:34:16.597676992 CET	49696	80	192.168.11.20	104.18.21.226
Nov 20, 2024 11:34:16.597680092 CET	49698	80	192.168.11.20	104.18.20.226
Nov 20, 2024 11:34:16.597680092 CET	49699	80	192.168.11.20	104.18.21.226
Nov 20, 2024 11:34:16.691777945 CET	80	49696	104.18.21.226	192.168.11.20
Nov 20, 2024 11:34:16.691978931 CET	49696	80	192.168.11.20	104.18.21.226
Nov 20, 2024 11:34:16.692100048 CET	80	49699	104.18.21.226	192.168.11.20
Nov 20, 2024 11:34:16.692224979 CET	49699	80	192.168.11.20	104.18.21.226
Nov 20, 2024 11:34:16.692236900 CET	80	49698	104.18.20.226	192.168.11.20
Nov 20, 2024 11:34:16.692488909 CET	49698	80	192.168.11.20	104.18.20.226
Nov 20, 2024 11:34:30.175888062 CET	443	49686	23.44.201.17	192.168.11.20
Nov 20, 2024 11:34:30.175971031 CET	443	49686	23.44.201.17	192.168.11.20
Nov 20, 2024 11:34:30.176100969 CET	49686	443	192.168.11.20	23.44.201.17
Nov 20, 2024 11:34:30.176165104 CET	49686	443	192.168.11.20	23.44.201.17
Nov 20, 2024 11:34:50.122231960 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:34:50.216460943 CET	80	49702	142.250.176.195	192.168.11.20
Nov 20, 2024 11:34:50.216630936 CET	49702	80	192.168.11.20	142.250.176.195
Nov 20, 2024 11:34:51.849390984 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:51.963126898 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:51.963351011 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:51.964349031 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:52.118817091 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:52.119026899 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:52.242650032 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:52.242726088 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:52.242980957 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:52.246674061 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:52.363430977 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:52.417797089 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:53.872780085 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:54.040870905 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:34:54.041070938 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:34:54.197096109 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:12.398910046 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:12.557087898 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:12.557255983 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:12.671948910 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:12.725843906 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:12.839494944 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:12.843405008 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:13.010334969 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:13.010585070 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:13.166520119 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:18.089365959 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:18.130902052 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:18.244549036 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:18.287127018 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:27.614851952 CET	443	49678	40.126.24.84	192.168.11.20
Nov 20, 2024 11:35:29.815287113 CET	443	49691	4.152.133.8	192.168.11.20
Nov 20, 2024 11:35:29.815295935 CET	443	49691	4.152.133.8	192.168.11.20
Nov 20, 2024 11:35:29.815551043 CET	49691	443	192.168.11.20	4.152.133.8
Nov 20, 2024 11:35:29.815630913 CET	49691	443	192.168.11.20	4.152.133.8
Nov 20, 2024 11:35:29.920031071 CET	443	49691	4.152.133.8	192.168.11.20
Nov 20, 2024 11:35:32.409658909 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:32.573534012 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:32.573678017 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:32.688894987 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:32.737063885 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:32.850770950 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:32.852704048 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:33.011082888 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:33.011223078 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:33.167325974 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:49.436697960 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:49.605478048 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:49.606705904 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:49.721451998 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:49.764535904 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:49.878511906 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:49.879210949 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:50.044089079 CET	56001	49711	167.114.47.186	192.168.11.20
Nov 20, 2024 11:35:50.044395924 CET	49711	56001	192.168.11.20	167.114.47.186
Nov 20, 2024 11:35:50.199460983 CET	56001	49711	167.114.47.186	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 11:33:49.454277992 CET	61276	53	192.168.11.20	1.1.1.1
Nov 20, 2024 11:33:49.549132109 CET	53	61276	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 11:33:49.454277992 CET	192.168.11.20	1.1.1.1	0xe7ad	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 11:33:49.549132109 CET	1.1.1.1	192.168.11.20	0xe7ad	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 11:33:49.549132109 CET	1.1.1.1	192.168.11.20	0xe7ad	No error (0)	pki-goog.l.google.com		142.250.176.195	A (IP address)	IN (0x0001)	false
Nov 20, 2024 11:33:49.841412067 CET	1.1.1.1	192.168.11.20	0xa80d	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 20, 2024 11:33:49.841412067 CET	1.1.1.1	192.168.11.20	0xa80d	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.20	49702	142.250.176.195	80

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 11:33:49.646301985 CET	200	OUT	GET /r/r1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Nov 20, 2024 11:33:49.740804911 CET	223	IN	HTTP/1.1 304 Not Modified Date: Wed, 20 Nov 2024 10:08:35 GMT Expires: Wed, 20 Nov 2024 10:58:35 GMT Age: 1514 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

Target ID:	0
Start time:	05:33:38
Start date:	20/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\740d3a.msi"
Imagebase:	0x7ff689600000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:33:38
Start date:	20/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff689600000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:33:46
Start date:	20/11/2024
Path:	C:\Windows\System32\SrTasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:8
Imagebase:	0x7ff6a0410000
File size:	59'392 bytes
MD5 hash:	2694D2D28C368B921686FE567BD319EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:33:47
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:33:48
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5A82BF8611EA627E788B63841849825E
Imagebase:	0xb10000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:33:49
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe"
Imagebase:	0x240000
File size:	895'488 bytes
MD5 hash:	2C0130F614EA8C240320EC47D0008EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:33:50
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Imagebase:	0xa20000
File size:	3'306'790 bytes
MD5 hash:	35135E7F357C522D07DDD87307C0345C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:33:51
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-2VGF8.tmp\Vista Software.tmp" /SL5="$40454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe"
Imagebase:	0x840000
File size:	3'615'232 bytes
MD5 hash:	584586C0CF548DB94F76F124046D58D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:33:51
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Imagebase:	0xa20000
File size:	3'306'790 bytes
MD5 hash:	35135E7F357C522D07DDD87307C0345C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:33:52
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KGGGF.tmp\Vista Software.tmp" /SL5="$50454,2100953,1125376,C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\Vista Software\Vista Software.exe" /VERYSILENT
Imagebase:	0x920000
File size:	3'615'232 bytes
MD5 hash:	584586C0CF548DB94F76F124046D58D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:33:52
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1 -paths 'C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Your Company\Your Application\prerequisites\aipackagechainer.exe' -retry_count 10"
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:33:52
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:33:52
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x570000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8104, Parent PID: 6352

General

Target ID:	18
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:33:53
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:33:54
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff654940000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff7bc1e0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	05:33:55
Start date:	20/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff64ef80000
File size:	17'920 bytes
MD5 hash:	AE3F3DC3ED900F2A582BAD86A764508C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	05:33:56
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\clithe\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\clithe\\file.exe" "C:\Users\user\AppData\Local\clithe\\millhouse1.a3x"
Imagebase:	0xfb0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	05:34:07
Start date:	20/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff622340000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	05:34:36
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && file.exe C:\ProgramData\\kwZvl2ZDr.a3x && del C:\ProgramData\\kwZvl2ZDr.a3x
Imagebase:	0xa80000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	05:34:36
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ae1e0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	05:34:36
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xb70000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	05:34:40
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Local\clithe\file.exe
Wow64 process (32bit):	true
Commandline:	file.exe C:\ProgramData\\kwZvl2ZDr.a3x
Imagebase:	0xfb0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	05:34:44
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xb30000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000038.00000002.2180979684.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	05:34:56
Start date:	20/11/2024
Path:	C:\dbgbkfc\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Imagebase:	0x5d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	05:34:59
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xbf0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000003A.00000002.1895490189.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	05:35:04
Start date:	20/11/2024
Path:	C:\dbgbkfc\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\dbgbkfc\AutoIt3.exe" C:\dbgbkfc\eeacadf.a3x
Imagebase:	0x5d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	05:35:07
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xc30000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 0025B5A0 Relevance: 32.1, APIs: 13, Strings: 5, Instructions: 599
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025C420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,2DDDF7D7,00000000,?,?,002D98E6,000000FF), ref: 0025C474

FindFirstFileW.KERNELBASE(?,00000000,.ini,00000004,?,?,?,00000000,00000000,?,2DDDF7D7), ref: 0025B706
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025B771
SetFilePointer.KERNELBASE(00000000,00000002,?,00000000), ref: 0025B7B7
ReadFile.KERNELBASE(00000000,?,?,?,00000000,00000078,?), ref: 0025B7F5
CloseHandle.KERNELBASE(00000000), ref: 0025B84E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0025B950
SetCurrentDirectoryW.KERNELBASE(00000000), ref: 0025BBBD
OpenMutexW.KERNEL32(00100000,00000000,Global\_MSIExecute), ref: 0025BBF7
GetLastError.KERNEL32 ref: 0025BC11
FindClose.KERNEL32(?), ref: 0025BCCC

Strings

Global\_MSIExecute, xrefs: 0025BBEB
0!$, xrefs: 0025B6FC, 0025BCC0
.ini, xrefs: 0025B6ED
h1, xrefs: 0025B8D2
2Svp1Sv, xrefs: 0025B706

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$CloseFindModuleName$CreateCurrentDirectoryErrorFirstHandleLastMutexOpenPointerRead
String ID: 2Svp1Sv$.ini$0!$$Global\_MSIExecute$h1
API String ID: 1061481847-673961966
Opcode ID: e0371bd4244a2033a06cc419548a6762a39536c0af84bbcf3bb053d55940ea30
Instruction ID: 8d66d8a22618b664c43fd3d48aac501cb533fc24915b385d01ffefe49e79967a
Opcode Fuzzy Hash: e0371bd4244a2033a06cc419548a6762a39536c0af84bbcf3bb053d55940ea30
Instruction Fuzzy Hash: 2032E230910249DFDB15DFA8CC88BAEBBB5BF04314F244168E815AB2D1DB749E19CFA1

Function 0028E3A0 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 291
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,00000004,?,00000000,?), ref: 0028E55E
GetForegroundWindow.USER32(?,00000004,?,00000000,?), ref: 0028E5D6
ShellExecuteExW.SHELL32(?), ref: 0028E5E3
ShellExecuteExW.SHELL32(?), ref: 0028E60C
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId), ref: 0028E641
GetProcAddress.KERNEL32(00000000), ref: 0028E648
GetProcessId.KERNELBASE ref: 0028E65B
AllowSetForegroundWindow.USER32(00000000), ref: 0028E65E

Strings

runas, xrefs: 0028E5A1
Kernel32.dll, xrefs: 0028E63C
.cmd, xrefs: 0028E51F
%s\System32\cmd.exe, xrefs: 0028E56B
open, xrefs: 0028E59C
GetProcessId, xrefs: 0028E637
/C ""%s" %s", xrefs: 0028E583
.bat, xrefs: 0028E4E5

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExecuteForegroundShellWindow$AddressAllowDirectoryHandleModuleProcProcessWindows
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 2271306907-986041216
Opcode ID: 6b5f159f42f7681a21a1f8427e968b51764968bd380db44fed50d14f87c7c2cc
Instruction ID: 367ca6ee65dfbd0476c68f97af3f5a045d4daebe711a14295651a564a5fad1bb
Opcode Fuzzy Hash: 6b5f159f42f7681a21a1f8427e968b51764968bd380db44fed50d14f87c7c2cc
Instruction Fuzzy Hash: 2FB1CE74A11249CFDF04EFA8C888AADBBB9FF18314F144169E515EB391EB34A914CF61

Function 00264710 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00264762
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0026476F
GetLastError.KERNEL32 ref: 00264779
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,002DAE75), ref: 0026479D
GetLastError.KERNEL32 ref: 002647A7
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,002DAE75,002DAE75,002DAE75), ref: 002647CD
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00264804
EqualSid.ADVAPI32(00000000,?), ref: 00264813
FreeSid.ADVAPI32(?), ref: 00264822
CloseHandle.KERNELBASE(00000000), ref: 0026485C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: acc93b617648d426a2d1d2a33e25a78b6c0d44b053bab736bb88b77d82ad41fd
Instruction ID: 4e20325f062544a252d576f3127d190e3b24a26ced94a098a56ca48cb0214888
Opcode Fuzzy Hash: acc93b617648d426a2d1d2a33e25a78b6c0d44b053bab736bb88b77d82ad41fd
Instruction Fuzzy Hash: 0641467195425AEBDF11EFA0DC89BEEBBB8FF08314F104019E501B7290D7799A58CBA0

Function 0024AB00 Relevance: 15.9, APIs: 1, Strings: 9, Instructions: 926
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 00254840: GetCurrentThreadId.KERNEL32 ref: 00254850

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,002F3AD2,?,?,?), ref: 0024B3BB

Part of subcall function 00269710: FormatMessageW.KERNEL32(00001300,00000000,00000007,00000400,?,00000000,00000000,2DDDF7D7,00000000,?), ref: 0026975B
Part of subcall function 00269710: GetLastError.KERNEL32 ref: 00269765

Strings

h1, xrefs: 0024B327
msixbundle, xrefs: 0024AE5C
msix, xrefs: 0024AE18
appx, xrefs: 0024AE9F
Return code of launched file:, xrefs: 0024B30C
Launching file:, xrefs: 0024ABBA
h1, xrefs: 0024ABF2
Launch failed. Error:, xrefs: 0024B21B
h1, xrefs: 0024B26C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CurrentErrorFormatHeapLastMessageProcessSleepThread
String ID: Launch failed. Error:$Launching file:$Return code of launched file:$appx$h1$h1$h1$msix$msixbundle
API String ID: 290906889-2902177987
Opcode ID: 071ceb8d3d9a19a41c05f5c0c70447a6c9e6048dea8d95429daa67038c3355be
Instruction ID: d8f67ac0e3d03ea32d46b9b074624d5627ab8d80eb200d6aea585eff3ff6994b
Opcode Fuzzy Hash: 071ceb8d3d9a19a41c05f5c0c70447a6c9e6048dea8d95429daa67038c3355be
Instruction Fuzzy Hash: 0482EF70D10249CFDB18DFA8C855BEDBBB4AF48314F24829DE415AB382DB70AA55CF91

Function 002698C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,2DDDF7D7,00000007,00000007,?), ref: 002698FA
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00269920
GetSystemMetrics.USER32(0000000C), ref: 00269960
GetSystemMetrics.USER32(0000000B), ref: 00269978
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 0026998B
FreeLibrary.KERNEL32(00000000), ref: 002699A9

Strings

LoadIconMetric, xrefs: 0026991A
ComCtl32.dll, xrefs: 002698EE

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-764666640
Opcode ID: 23084bea9ede54ae22275db45af26e0c167987c19d625d756ab99b8ae6caf65b
Instruction ID: fe050093d720ce79b9fe03fd9684ee40e5f1fe66fc2e99ea4561092ea9a7cbfb
Opcode Fuzzy Hash: 23084bea9ede54ae22275db45af26e0c167987c19d625d756ab99b8ae6caf65b
Instruction Fuzzy Hash: F431AEB1A5421AABDB118F94DC58BBFBBB8FB45750F00022EF915A7390D7754D108B90

Function 0025DD10 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 271fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,2DDDF7D7,?,?,?,?,?,?,?,?,?,?,002D9EB6,000000FF), ref: 0025DD87
FindFirstFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,002D9EB6,000000FF), ref: 0025DF0E
FindNextFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,002D9EB6,000000FF), ref: 0025DF56
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002D9EB6,000000FF), ref: 0025DF61
PathIsDirectoryW.SHLWAPI(00000000), ref: 0025DF9D

Strings

p2Sv3Sv, xrefs: 0025DF56
2Svp1Sv, xrefs: 0025DF0E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileFind$CloseDeleteDirectoryFirstNextPath
String ID: 2Svp1Sv$p2Sv3Sv
API String ID: 3278268132-1357901002
Opcode ID: 95a3aca5657c240ac5e4424f01ec929f7e263b91bc25b409c8d0945b10b1a9e2
Instruction ID: 6a13783358f87a7bc21c7dfce5ebd865d953fac188473e6c0c1c8613dffdaab0
Opcode Fuzzy Hash: 95a3aca5657c240ac5e4424f01ec929f7e263b91bc25b409c8d0945b10b1a9e2
Instruction Fuzzy Hash: 68A1F3719106098FDB14DF68CC897EEB7B4FF48321F144229E825AB281DB74AA19CF94

Function 00274320 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 242fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00274650: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00000000,00000000), ref: 0027478F
Part of subcall function 00274650: GetProcAddress.KERNEL32(00000000), ref: 00274796
Part of subcall function 00274650: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 002747D0

FindFirstFileW.KERNEL32(?,?), ref: 00274464
FindClose.KERNEL32(00000000), ref: 00274498
FindClose.KERNEL32(00000000), ref: 00274544

Strings

0!$, xrefs: 0027446C, 0027448E, 00274535
2Svp1Sv, xrefs: 00274464

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$Close$AddressCurrentFileFirstHandleModuleProcProcess
String ID: 2Svp1Sv$0!$
API String ID: 3560309239-655561941
Opcode ID: 446b187d5187029b3c60875f118c21dfa476e51f37c8dc83d08e4166b7cba230
Instruction ID: 8f6859212447e10cfb721e9497081d0e99a847995e58def456903fe5ce6afb68
Opcode Fuzzy Hash: 446b187d5187029b3c60875f118c21dfa476e51f37c8dc83d08e4166b7cba230
Instruction Fuzzy Hash: 8AA1B230915659CBCB24EF28C89876DBBB5EF45324F248399E42DA7391CB31AE51CF81

Function 00266BA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00266C41
FindClose.KERNEL32(00000000,?,?), ref: 00266CA0

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Strings

0!$, xrefs: 00266C49, 00266C91
2Svp1Sv, xrefs: 00266C41

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: 2Svp1Sv$0!$
API String ID: 1673784098-655561941
Opcode ID: a88db5d78e9d6f827a6c73f88bcb28653f9908b1ffbe5b4983d710684df8ab41
Instruction ID: 64292d87343c64b9045efd07acf971a666b6d2ecc893808937832e86b01bdc7d
Opcode Fuzzy Hash: a88db5d78e9d6f827a6c73f88bcb28653f9908b1ffbe5b4983d710684df8ab41
Instruction Fuzzy Hash: A231B031918A19DBDB20DF54D94CB5AB7B4EB48324F20826BE859E7380E7719994CF80

Function 0027FF10 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 436registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

RegCreateKeyA.ADVAPI32(80000001,00000001,?), ref: 0027FF95
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0027FFAD

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 002802C4

Strings

-, xrefs: 002800BC

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$AllocateCreateOpenProcessValue
String ID: -
API String ID: 1583728613-2547889144
Opcode ID: 94d5c6eb4e59cb81d7e242f421b9b6dcddacbbeb27bbadf010e0e3a0aa02bfa7
Instruction ID: a55256bcd5a3f24f7c2b01d9281bdd00cc240ec9f18f383145357fa2fd5650c8
Opcode Fuzzy Hash: 94d5c6eb4e59cb81d7e242f421b9b6dcddacbbeb27bbadf010e0e3a0aa02bfa7
Instruction Fuzzy Hash: 7FE1B375A002199FDB00DF98CC85BAEBBB9FF48320F14422AE915E7391DB75AD15CB90

Function 002B1F2A Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,0027A67E), ref: 002B1F2F
HeapAlloc.KERNEL32(00000000), ref: 002B1F36
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002B1F7C
HeapFree.KERNEL32(00000000), ref: 002B1F83

Part of subcall function 002B1DC8: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,002B1F72,00000000), ref: 002B1DEC
Part of subcall function 002B1DC8: HeapAlloc.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1DF3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: f9cc6f0c2d39dc3713edd2ca1c825b7713edae37071ac801a3e9587003dde0c2
Instruction ID: 46c6527384d88e77749426efb17300047b0351a8b0922739fe1733ca31e63b8d
Opcode Fuzzy Hash: f9cc6f0c2d39dc3713edd2ca1c825b7713edae37071ac801a3e9587003dde0c2
Instruction Fuzzy Hash: 24F0B43269871257C7212BB8BC6DAEB2968AF807E17554429F445CB680DF30C821C760

Function 00294B00 Relevance: 1.6, APIs: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(002F13FC,00000000,00000001,002F8A3C,000000B0,2DDDF7D7,00000000,?,00000000,000000A0,-00000010,002E373C,000000FF,?,0028D39B), ref: 00294C6D

Part of subcall function 002B46AF: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46BA
Part of subcall function 002B46AF: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46F4

Part of subcall function 002B465E: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B4668
Part of subcall function 002B465E: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B469B
Part of subcall function 002B465E: WakeAllConditionVariable.KERNEL32(0030FFB4,?,?,00243AC7,00310848,002E6460), ref: 002B46A6

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionCreateInstanceVariableWake
String ID:
API String ID: 1170529896-0
Opcode ID: 8bfecfd2efe1466d80bdeea1ceb39b6e70775e32e2e73194dcda7dc55d372a08
Instruction ID: e8c8e9216244b897be3248aece9bc93a9d31f151b27406ec1c29ba26abecb61c
Opcode Fuzzy Hash: 8bfecfd2efe1466d80bdeea1ceb39b6e70775e32e2e73194dcda7dc55d372a08
Instruction Fuzzy Hash: 7A41DF706112419FEB15EF04EC86F8BBBB9FB08714F108129E4259B2D1D3B56961CB99

Function 0025CB20 Relevance: 65.6, APIs: 17, Strings: 20, Instructions: 820
threadsynchronizationregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 0024CB10: FindResourceW.KERNEL32(00000000,00000100,00000006,00000000,000000FF,?,00000000,0027A070,000000FF,?,?,?,2DDDF7D7,00000000,?,000000FF), ref: 0024CB4D
Part of subcall function 0024CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,000000FF,?,?,?,2DDDF7D7,00000000,?,000000FF), ref: 0024CB7E
Part of subcall function 0024CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,?,2DDDF7D7,00000000,?,000000FF,000000FF), ref: 0024CBB5

CreateThread.KERNELBASE(00000000,00000000,Function_0004CE80,?,00000000,?), ref: 0025CC9A
GetLastError.KERNEL32 ref: 0025CCA7

Part of subcall function 0027B9E0: GetCurrentThreadId.KERNEL32 ref: 0027B9E9
Part of subcall function 0027B9E0: DestroyWindow.USER32(?), ref: 0027B9F8

Part of subcall function 0026A750: InitializeCriticalSection.KERNEL32(00310A68,2DDDF7D7,00000000,?), ref: 0026A78C
Part of subcall function 0026A750: EnterCriticalSection.KERNEL32(?,2DDDF7D7,00000000,?), ref: 0026A799
Part of subcall function 0026A750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A7CB
Part of subcall function 0026A750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A7D4
Part of subcall function 0026A750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,002F4EF4,00000001,?,?,000000FF,00000000), ref: 0026A86C
Part of subcall function 0026A750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A875

WaitForSingleObject.KERNEL32(?,?), ref: 0025CCCD
GetExitCodeThread.KERNEL32(?,?), ref: 0025CCE7
TerminateThread.KERNEL32(?,00000000), ref: 0025CCFF
CloseHandle.KERNEL32(?), ref: 0025CD08
GetActiveWindow.USER32 ref: 0025D16F
SetLastError.KERNEL32(0000000E,?,002F6134), ref: 0025D18C
WaitForSingleObject.KERNEL32(?,000000FF,?,002F6134), ref: 0025D197
CloseHandle.KERNEL32(?,?,002F6134), ref: 0025D1A0
GetCurrentThreadId.KERNEL32 ref: 0025D1D0
EnterCriticalSection.KERNEL32(00312C5C,?,002F6134), ref: 0025D1ED
LeaveCriticalSection.KERNEL32(00312C5C,?,002F6134), ref: 0025D210
DialogBoxParamW.USER32(000000D8,00000000,Function_0003BD70,00000000), ref: 0025D22D
WaitForSingleObject.KERNEL32(?,000000FF,?,002F6134), ref: 0025D23A
CloseHandle.KERNEL32(?,?,002F6134), ref: 0025D243

Part of subcall function 0026A750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,?,?,000000FF,00000000), ref: 0026A8BD
Part of subcall function 0026A750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A8C6
Part of subcall function 0026A750: WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,002F37E8,00000002,?,?,000000FF,00000000), ref: 0026A935
Part of subcall function 0026A750: FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A93E
Part of subcall function 0026A750: LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A97A

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 0025D522

Strings

Reboot in Progress=, xrefs: 0025D43C
No prerequisite must be installed., xrefs: 0025CD92
true, xrefs: 0025D2D1, 0025D2F2, 0025D2F3, 0025D38F, 0025D3B0, 0025D3B1, 0025D44A, 0025D46F, 0025D470
h1, xrefs: 0025D2FF
Starting installing prerequisites in silent mode., xrefs: 0025CE8D
h1, xrefs: 0025D043
Starting installing prerequisites in basic UI mode., xrefs: 0025D036
After running prerequisites we have:, xrefs: 0025D2B1
4a/, xrefs: 0025CF68
false, xrefs: 0025D2D6, 0025D394, 0025D44F
\,1, xrefs: 0025D1D9
E/, xrefs: 0025CC11
Reboot was refused=, xrefs: 0025D37E
h1, xrefs: 0025CD9F
h1, xrefs: 0025CE9A
InterbootContext, xrefs: 0025CB83, 0025CB91
h1, xrefs: 0025D3BD
Reboot was required=, xrefs: 0025D2BD
h1, xrefs: 0025D47C
Ts/, xrefs: 0025D143

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$CriticalSectionThread$BuffersFlushWrite$CloseHandleObjectSingleWait$ByteCharCurrentEnterErrorLastLeaveMultiWideWindow$ActiveCodeCreateDeleteDestroyDialogExitFindHeapInitializeParamProcessResourceTerminate
String ID: Reboot in Progress=$ Reboot was refused=$ Reboot was required=$4a/$After running prerequisites we have:$InterbootContext$No prerequisite must be installed.$Starting installing prerequisites in basic UI mode.$Starting installing prerequisites in silent mode.$Ts/$\,1$false$h1$h1$h1$h1$h1$h1$true$E/
API String ID: 2565466407-3162991964
Opcode ID: 098dcc5b7cb3ac56de8811f89247f8edd49cd01cabe6d3514669f85404725312
Instruction ID: 3666601ea3e53e920019ab54321d1dfac576d42e24e4f34152e216f53f8ab976
Opcode Fuzzy Hash: 098dcc5b7cb3ac56de8811f89247f8edd49cd01cabe6d3514669f85404725312
Instruction Fuzzy Hash: 3972F130910249DFDB15DF68C848BADBBB4AF04324F1482A9F815AB3D1EB749E59CF91

Function 0026EF30 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 0026EFAA
RegQueryValueExW.KERNELBASE(00000000,ProductType,00000000,00000000,?,?), ref: 0026EFDF
RegQueryValueExW.KERNELBASE(00000000,ProductSuite,00000000,00000000,?,?), ref: 0026F05E
RegCloseKey.KERNELBASE(00000000), ref: 0026F23E

Strings

Small Business, xrefs: 0026F0A0
Compute Server, xrefs: 0026F1DC
ServerNT, xrefs: 0026F00C
CommunicationServer, xrefs: 0026F0EB
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 0026EFA0
Blade, xrefs: 0026F180
EmbeddedNT, xrefs: 0026F136
Personal, xrefs: 0026F169
Small Business(Restricted), xrefs: 0026F11D
Enterprise, xrefs: 0026F0B9
Storage Server, xrefs: 0026F1C5
ProductSuite, xrefs: 0026F053
ProductType, xrefs: 0026EFD4
BackOffice, xrefs: 0026F0D2
DataCenter, xrefs: 0026F14F
WinNT, xrefs: 0026EFE9
Terminal Server, xrefs: 0026F104
Embedded(Restricted), xrefs: 0026F197
Security Appliance, xrefs: 0026F1AE

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: ef55e6b4a751f21198341fe6c5766f9c8b05fa97a6307dcf8b6cbca9d45c590c
Instruction ID: a241c2c76f347957ca155e60400ead797f5cb23814efdb715dece023c865c1e4
Opcode Fuzzy Hash: ef55e6b4a751f21198341fe6c5766f9c8b05fa97a6307dcf8b6cbca9d45c590c
Instruction Fuzzy Hash: AC71EA30730319CBDF549F24EE557BAB6A8FB46380F1140B5AA0AAB681E774CDF58B41

Function 00280F80 Relevance: 39.4, APIs: 5, Strings: 17, Instructions: 865fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 002814CE
CloseHandle.KERNEL32(00000000), ref: 002814F5
GetFileSize.KERNEL32(00000000,00000000), ref: 00281502
CloseHandle.KERNEL32(00000000), ref: 0028151A
DeleteFileW.KERNEL32(00000000), ref: 0028190E

Strings

h1, xrefs: 0028171C
Download was canceled., xrefs: 002818A8
[InternetShortcut]URL=%s, xrefs: 00281BB8
Downloaded file was rejected.(Invalid size or MD5)., xrefs: 0028194C
Download completed succesfully., xrefs: 0028144E
Launching URL:, xrefs: 00282176
!, xrefs: 00281943
h1, xrefs: 0028161B
Starting download of:, xrefs: 0028135D
h1, xrefs: 0028145B
h1, xrefs: 00281959
h1, xrefs: 002821AC
h1, xrefs: 002818B5
open, xrefs: 00281C32
Download failed. Error:, xrefs: 002816D2
Downloaded file was accepted., xrefs: 0028160E
h1, xrefs: 002813B3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$CloseHandle$CreateDeleteSize
String ID: !$Download completed succesfully.$Download failed. Error:$Download was canceled.$Downloaded file was accepted.$Downloaded file was rejected.(Invalid size or MD5).$Launching URL:$Starting download of:$[InternetShortcut]URL=%s$h1$h1$h1$h1$h1$h1$h1$open
API String ID: 3145970413-2650351814
Opcode ID: 0e74d535df7fb693d44eb39224940c7c8117dde793619728972dbff76efba7d4
Instruction ID: d4558bea9e0b3ce36206924fd151f6f48ca470d1aeb3de1124c7d609b6d16c8a
Opcode Fuzzy Hash: 0e74d535df7fb693d44eb39224940c7c8117dde793619728972dbff76efba7d4
Instruction Fuzzy Hash: E772E434A11255CFCB05DF68C894AADBBB9FF48310F184259E915AB3D1DB30AD66CF90

Function 0026EB80 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0026EBF8
RegQueryValueExW.KERNELBASE(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0026EC39
RegQueryValueExW.KERNELBASE(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0026EC5C
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0026EC8F
RegQueryValueExW.KERNELBASE(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0026ED08
RegQueryValueExW.KERNELBASE(00000000,ReleaseId,00000000,00000000,?,?), ref: 0026ED7E
RegQueryValueExW.KERNELBASE(00000000,CSDVersion,00000000,00000000,?,?), ref: 0026EDD3
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0026EE73
GetProcAddress.KERNEL32(00000000), ref: 0026EE7A
GetCurrentProcess.KERNEL32(?), ref: 0026EEB1
IsWow64Process.KERNEL32 ref: 0026EEC0
RegCloseKey.ADVAPI32(00000000), ref: 0026EEFA

Strings

CSDVersion, xrefs: 0026EDC8
CurrentMinorVersionNumber, xrefs: 0026EC51
IsWow64Process, xrefs: 0026EE69
CurrentVersion, xrefs: 0026EC84
CurrentBuildNumber, xrefs: 0026ECFD
,1, xrefs: 0026EDE4
ReleaseId, xrefs: 0026ED73
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0026EBEE
kernel32, xrefs: 0026EE6E
CurrentMajorVersionNumber, xrefs: 0026EC2E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32$,1
API String ID: 2654979339-921361743
Opcode ID: c47852cc4f72da2cfcc59ca6ce704d02d7925157e05b7acaaff5a67f304357be
Instruction ID: 8fa86b05672c5fb7f2e2048066e52ba0a89e6b124f6f68e78891e1e9788c1d1a
Opcode Fuzzy Hash: c47852cc4f72da2cfcc59ca6ce704d02d7925157e05b7acaaff5a67f304357be
Instruction Fuzzy Hash: 58A18FB49106299FDF21CF50DC49BEEB7B9FB48711F0042A6E509A7290EB725AE4CF40

Function 00274650 Relevance: 35.4, APIs: 3, Strings: 17, Instructions: 447
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00285180: GetSystemDefaultLangID.KERNEL32(2DDDF7D7,00000000,?,?,?,2DDDF7D7), ref: 002851B7

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00000000,00000000), ref: 0027478F
GetProcAddress.KERNEL32(00000000), ref: 00274796
GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 002747D0

Strings

Search result:, xrefs: 00274A76
h1, xrefs: 00274BC0
No acceptable version found. It must be installed from package., xrefs: 00274AB0
IsWow64Process2, xrefs: 00274785
No acceptable version found., xrefs: 00274AD3
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00274ACC
Undefined, xrefs: 00274AE1
Wrong OS or Os language for:, xrefs: 00274B8F
No acceptable version found. It must be downloaded manually from a site., xrefs: 00274ABE
No acceptable version found. It must be downloaded., xrefs: 00274AB7
No acceptable version found. Operating System not supported., xrefs: 00274AC5
h1, xrefs: 00274B0C
Searching for:, xrefs: 002748D5
Not selected for install., xrefs: 00274ADA, 00274AFF, 00274B00
An acceptable version was found., xrefs: 00274AA9
kernel32, xrefs: 0027478A
h1, xrefs: 00274920

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressCurrentDefaultHandleLangModuleProcProcessSystem
String ID: An acceptable version was found.$IsWow64Process2$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$h1$h1$h1$kernel32
API String ID: 323535258-3954559956
Opcode ID: 7450f7442b50b35c9eccde882de167ae8bb0d8edf790f2427e3d0397c19a91c3
Instruction ID: a682b5697ef1bebc5ad35c28b3866c51a71149a9ee0999906e81bcb9fd5f4907
Opcode Fuzzy Hash: 7450f7442b50b35c9eccde882de167ae8bb0d8edf790f2427e3d0397c19a91c3
Instruction Fuzzy Hash: B802E234920609DFCB14EF68C858BAEB7B5FF44310F148219E51AAB391DB70AD61CF81

Function 00244450 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 268
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00244547
GetProcAddress.KERNEL32(00000000), ref: 0024454E
GetWindowsDirectoryW.KERNEL32(?,00000104,2DDDF7D7,00000000), ref: 00244594
PathFileExistsW.SHLWAPI(?), ref: 002445BC
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,?,00000001,S-1-5-18,?,00000001), ref: 0024463F

Part of subcall function 002B46AF: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46BA
Part of subcall function 002B46AF: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46F4

GetTempPathW.KERNEL32(00000104,?,2DDDF7D7,00000000), ref: 00244662

Part of subcall function 002B465E: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B4668
Part of subcall function 002B465E: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B469B
Part of subcall function 002B465E: WakeAllConditionVariable.KERNEL32(0030FFB4,?,?,00243AC7,00310848,002E6460), ref: 002B46A6

Strings

Kernel32.dll, xrefs: 00244542
\SystemTemp\, xrefs: 0024459A
GetTempPath2W, xrefs: 0024453D
S-1-5-18, xrefs: 002445DF
URL, xrefs: 00244450, 0024480D
0, xrefs: 002446D0
S-1-5-32-544, xrefs: 002445F2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: 0$GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$URL$\SystemTemp\
API String ID: 3143601600-938883808
Opcode ID: 1a708b7d226706cb004689f70634c3fe0d41e29bcce0b7a649c82aacf3390a2c
Instruction ID: 8970f9f4ef085aff94cd8b8010a89b843157d6c36e50b4fa75a28422cc2b6c73
Opcode Fuzzy Hash: 1a708b7d226706cb004689f70634c3fe0d41e29bcce0b7a649c82aacf3390a2c
Instruction Fuzzy Hash: 80B1F5B1D10218EBDB14EFA4DC89BDEB7B8EF09310F1042A9E509A7281DB746E54CF91

Function 0027A610 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 184
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0027A64A
SetLastError.KERNEL32(0000000E), ref: 0027A687
GetCurrentThreadId.KERNEL32 ref: 0027A712
SetWindowTextW.USER32(?,00000000), ref: 0027A79E
GetDlgItem.USER32(?,000003E9), ref: 0027A7AC
SetWindowTextW.USER32(00000000,?), ref: 0027A7B8

Part of subcall function 0027BA50: GetDlgItem.USER32(?,00000002), ref: 0027BA6D
Part of subcall function 0027BA50: GetWindowRect.USER32(00000000,?), ref: 0027BA83
Part of subcall function 0027BA50: ShowWindow.USER32(00000000,00000000,?,?,?,?,0027A66A), ref: 0027BA98
Part of subcall function 0027BA50: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0027A66A), ref: 0027BAA3
Part of subcall function 0027BA50: GetDlgItem.USER32(?,000003E9), ref: 0027BAB1
Part of subcall function 0027BA50: GetWindowRect.USER32(00000000,?), ref: 0027BAC7
Part of subcall function 0027BA50: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0027A66A), ref: 0027BB06

Strings

\,1, xrefs: 0027A6B2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$Text$ActiveCurrentErrorInvalidateLastShowThread
String ID: \,1
API String ID: 2012338523-4060636498
Opcode ID: 39a6ef230267174e5f8a7f3a73f8e6a3d1b0bd9a6eabf27818de6f475a9cda8c
Instruction ID: 388241b4c02d7698be011bf629cfb20ded0bbaea4fff24973d4daaa7a68e08f2
Opcode Fuzzy Hash: 39a6ef230267174e5f8a7f3a73f8e6a3d1b0bd9a6eabf27818de6f475a9cda8c
Instruction Fuzzy Hash: 2471EE30A14745DFDB15DF68EC88B9EBBB8FF48720F108669E8199B291D770A910CB91

Function 002B1934 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 218
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002B19B8
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 002B1A44
GetLastError.KERNEL32 ref: 002B1A50
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002B1A90

Strings

$, xrefs: 002B194C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 2919bafcffe2fc5e6fc03327e99089bdd1d60acdc8a7e92b8c89b1d540cd93f6
Instruction ID: 15b435fc07ed1d3e5cca425a8d27f955f4c5ad47ae0045b649ccb7c32376c91c
Opcode Fuzzy Hash: 2919bafcffe2fc5e6fc03327e99089bdd1d60acdc8a7e92b8c89b1d540cd93f6
Instruction Fuzzy Hash: 04819071D1120AAFDB11CF94D898AEEB7B9FF54394F55402AE904AB350DB70DD21CB90

Function 0027AA70 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 407
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,AI_,00000000,?,?,?,?,?,?,?,?,?,?,002DF0F5,000000FF), ref: 0027ABD7
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,002DF0F5,000000FF), ref: 0027AC0F

Strings

.ps1, xrefs: 0027AC3F, 0027AC51, 0027AC5B
-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s", xrefs: 0027AD48
AI_, xrefs: 0027ABCF
%s -paths %s -retry_count %d, xrefs: 0027AD03
RemoteSigned, xrefs: 0027AD43

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteNameTemp
String ID: %s -paths %s -retry_count %d$-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s"$.ps1$AI_$RemoteSigned
API String ID: 1648863064-656004915
Opcode ID: c307b0df97e956ef6dbe5a05d48bce557555b599cc2c2beaaa2d67c75cb3d96e
Instruction ID: 0e65399b5315e5a6d55b3346e14cd9a27df28edbc4ecd1ce6f8d63b968fb3aa2
Opcode Fuzzy Hash: c307b0df97e956ef6dbe5a05d48bce557555b599cc2c2beaaa2d67c75cb3d96e
Instruction Fuzzy Hash: F0E10631A10649DFCB05DF68CC58AAEBBB5EF88320F188169E415A7391DB74AE11CF91

Function 002B1CBC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,002B2002,0030F82C,?,?,?,0028D485,00000000,2DDDF7D7,?), ref: 002B1CCE
LoadLibraryExA.KERNELBASE(atlthunk.dll,00000000,00000800,?,?,?,002B2002,0030F82C,?,?,?,0028D485,00000000,2DDDF7D7,?), ref: 002B1CE3
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B1D5F

Strings

AtlThunk_FreeData, xrefs: 002B1D39
AtlThunk_DataToCode, xrefs: 002B1D22
AtlThunk_InitData, xrefs: 002B1D0B
atlthunk.dll, xrefs: 002B1CDE
AtlThunk_AllocateData, xrefs: 002B1CF4

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 6696204797d9d822295a7b1cdfd3593b8a89e3742b00fc1d7dacd391eefd8928
Instruction ID: 59fb628fbb3dea3cc675704bb2801fec5f62a16ac355e010e6b2ac427cdd4a5c
Opcode Fuzzy Hash: 6696204797d9d822295a7b1cdfd3593b8a89e3742b00fc1d7dacd391eefd8928
Instruction Fuzzy Hash: 9B01D2306B13567FCE32AB20AC27BD93B989B03B94FC40061FC446A2D6D7A19939C6C5

Function 0026F8E0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,2DDDF7D7,00000000,?,?,00000000,002DCCC5,000000FF,?,0027A745), ref: 0026F945
GetFileVersionInfoW.KERNELBASE(?,?,00000000,0027A745,00000000,?,00000000,002DCCC5,000000FF,?,0027A745), ref: 0026F993
VerQueryValueW.VERSION(0027A745,\VarFileInfo\Translation,002DCCC5,000000FF,?,00000000,002DCCC5,000000FF,?,0027A745), ref: 0026F9DB
VerQueryValueW.VERSION(0027A745,?,?,00000000,?,?,?,?,?,00000000,002DCCC5,000000FF,?,0027A745), ref: 0026FA3A

Strings

\VarFileInfo\Translation, xrefs: 0026F9D5
ProductName, xrefs: 0026FA01
\StringFileInfo\%04x%04x\%s, xrefs: 0026FA0B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2099394744-2149928195
Opcode ID: 9f80ffea79c66e8d5f9101d1fbd25b8d7d34a440fb8afa546c3e6e903338d7a6
Instruction ID: 15f52f1b76666d3a84799724d81cc219896e7e66e20e830f7eef5b40d7cb6abf
Opcode Fuzzy Hash: 9f80ffea79c66e8d5f9101d1fbd25b8d7d34a440fb8afa546c3e6e903338d7a6
Instruction Fuzzy Hash: 7071E231A1064ADFCF04DFA8D988AAEBBB8FF05314F144169E916A7391DB309D55CFA0

Function 00267BD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00267D54
GetLastError.KERNEL32 ref: 00267D65
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00267D7B
GetExitCodeProcess.KERNELBASE(00000000,00000000), ref: 00267D8C
CloseHandle.KERNEL32(00000000), ref: 00267D9A

Strings

N/, xrefs: 00267C41

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: N/
API String ID: 1481985272-555404110
Opcode ID: 77ed4d5180d782a20616ec10996795c9495b9f804fbd5477e4a56e983b065381
Instruction ID: e44b46482f5e15cdddc946d4521b8fdc171dfdf1b2897e1eec4d00a47a4de1d3
Opcode Fuzzy Hash: 77ed4d5180d782a20616ec10996795c9495b9f804fbd5477e4a56e983b065381
Instruction Fuzzy Hash: F461AE70A1464A8FDB04CFA8D8487ADBBB4FF49328F148259E825A73D0DB74AD41CF90

Function 0027BA50 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 0027BA6D
GetWindowRect.USER32(00000000,?), ref: 0027BA83
ShowWindow.USER32(00000000,00000000,?,?,?,?,0027A66A), ref: 0027BA98
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0027A66A), ref: 0027BAA3
GetDlgItem.USER32(?,000003E9), ref: 0027BAB1
GetWindowRect.USER32(00000000,?), ref: 0027BAC7
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0027A66A), ref: 0027BB06

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 32082e1201310567aa31416d0f17f63c7ea1fdc66d81837c9abcc74fdd5cea15
Instruction ID: 05ac6aabd81a1deaa50e8087e0c5f2d0ffc6dd70558aaf2531f2203e4a97996f
Opcode Fuzzy Hash: 32082e1201310567aa31416d0f17f63c7ea1fdc66d81837c9abcc74fdd5cea15
Instruction Fuzzy Hash: DF21AF71658301AFE300DF34ED89BABBBE8EF89700F008659F855D6590E770AD508B92

Function 00283FD0 Relevance: 7.7, APIs: 5, Instructions: 168threadCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0028411A

Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0028CA3E
Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0028CA4D

Part of subcall function 0027BEA0: GetWindowLongW.USER32(?,000000F0), ref: 0027BEE7
Part of subcall function 0027BEA0: GetParent.USER32(00000000), ref: 0027BEFA
Part of subcall function 0027BEA0: GetWindowRect.USER32(?,80004055), ref: 0027BF13
Part of subcall function 0027BEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 0027BF26
Part of subcall function 0027BEA0: MonitorFromWindow.USER32(?,00000002), ref: 0027BF3E
Part of subcall function 0027BEA0: GetMonitorInfoW.USER32(00000000,8000402D), ref: 0027BF54

SetWindowTextW.USER32(?,?), ref: 00284031

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

GetDlgItem.USER32(00000001,0000040A), ref: 0028407B
SetWindowTextW.USER32(00000000,?), ref: 00284086

Part of subcall function 00294D20: GetWindowLongW.USER32(?,000000F0), ref: 00294D35
Part of subcall function 00294D20: GetParent.USER32(?), ref: 00294D43

CreateThread.KERNELBASE(00000000,00000000,Function_000444A0,?,00000000,?), ref: 002840AA

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$MessageMonitorParentSendText$CreateDialogFindFromHeapInfoItemProcessRectResourceThread
String ID:
API String ID: 758803202-0
Opcode ID: e7b5d0cf08fb1152301b81c5ce56bb0fa1ec6b6666cc63fa01f32ac716b8cd5c
Instruction ID: b150a9d61ec3d4bacdf944037afd8792083eec808afd5e338851f4921b6584e9
Opcode Fuzzy Hash: e7b5d0cf08fb1152301b81c5ce56bb0fa1ec6b6666cc63fa01f32ac716b8cd5c
Instruction Fuzzy Hash: F251F536A1460AAFD700EF58EC45B99BBA4FB18320F00416AED15D77D0DB71A860CFD0

Function 00267A00 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00267A17
PeekMessageW.USER32(?,00000000), ref: 00267A48
TranslateMessage.USER32(00000000), ref: 00267A57
DispatchMessageW.USER32(00000000), ref: 00267A62
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00267A78

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 74463faaa249b82b7fa04f28499bab67e1418a7210f4ddbe9697eb6436d07fe9
Instruction ID: 25970d334eab7841958e46f42e95bfc4ba35aa884ad23629b24cf8bfb9ed2fd8
Opcode Fuzzy Hash: 74463faaa249b82b7fa04f28499bab67e1418a7210f4ddbe9697eb6436d07fe9
Instruction Fuzzy Hash: B801D470A883027FE710CFA1EC89B7B77ECAB58B14F544629BA64D51C0F774DA848B52

Function 0027A920 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,2DDDF7D7,?,00000000,?,002DEFEE,000000FF), ref: 0027A975
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe), ref: 0027A98C
PathFileExistsW.KERNELBASE(00000000), ref: 0027A99A

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

Strings

WindowsPowerShell\v1.0\powershell.exe, xrefs: 0027A983

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Path$AppendExistsFileFindFolderHeapProcessResource
String ID: WindowsPowerShell\v1.0\powershell.exe
API String ID: 2424349261-2665178159
Opcode ID: 374e5e25d3dca721a6ee901ae59e18bafb75bf28f1756af9451941fba9492cb4
Instruction ID: 64a0a2f9bcca3b10c5fea9573c5d951a0515196e8b938048838f24e030f51262
Opcode Fuzzy Hash: 374e5e25d3dca721a6ee901ae59e18bafb75bf28f1756af9451941fba9492cb4
Instruction Fuzzy Hash: 2C51F571610249DFCB24DF64DC89BEE77B8FB48710F10852AE90ADB381EB74AA14CB51

Function 002C710D Relevance: 6.1, APIs: 4, Instructions: 83memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00317000,00000080,00000004,00000000,?,?,002C7268,0000001A,AppPolicyGetProcessTerminationMethod,002ED708,AppPolicyGetProcessTerminationMethod,00000000,?,002C986F,00000000), ref: 002C7176
VirtualProtect.KERNELBASE(00317000,00000080,00000002,00000000,?,?,002C7268,0000001A,AppPolicyGetProcessTerminationMethod,002ED708,AppPolicyGetProcessTerminationMethod,00000000,?,002C986F,00000000), ref: 002C719E
FreeLibrary.KERNEL32(00000000,?,?,?,?,002C7268,0000001A,AppPolicyGetProcessTerminationMethod,002ED708,AppPolicyGetProcessTerminationMethod,00000000,?,002C986F,00000000), ref: 002C71C0
GetProcAddress.KERNEL32(00000000,?), ref: 002C71CA

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual$AddressFreeLibraryProc
String ID:
API String ID: 3998452802-0
Opcode ID: 669ead2da76c3d0fb20eeff0a3c93bed16b5c086b2b69acb2d30f342f093f30d
Instruction ID: 65565eaa6b45896a2ef810a77da2e84d42eb793f25eaf6ba4acfa48d50de0bab
Opcode Fuzzy Hash: 669ead2da76c3d0fb20eeff0a3c93bed16b5c086b2b69acb2d30f342f093f30d
Instruction Fuzzy Hash: DF210D326182556BDB268F69EC85F5A3768EF01770F28032EFD199B180DAA0DD11CE90

Function 0027B9E0 Relevance: 6.0, APIs: 4, Instructions: 28threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027B9E9
DestroyWindow.USER32(?), ref: 0027B9F8
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 0027BA15
IsWindow.USER32(?), ref: 0027BA23

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 31726b115e9d8bad10f4b0200bd17ab5435ead7b67195226b4320553b5022f81
Instruction ID: d4493d41be551d6fd58376bb24148cef15e3f8f505c99d428f3be2d06fe6906d
Opcode Fuzzy Hash: 31726b115e9d8bad10f4b0200bd17ab5435ead7b67195226b4320553b5022f81
Instruction Fuzzy Hash: BCF082300657809FD771AF24FE4CB53BBD17B08B00F44988CE48A8A990C770F840CB54

Function 002804A0 Relevance: 4.6, APIs: 3, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,2DDDF7D7), ref: 002804E0
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00280528
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C,?), ref: 00280579

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Open$InfoQuery
String ID:
API String ID: 223210943-0
Opcode ID: fe0d1460227b8d4f4688b32bb7a43f59b6f2ead197632402d12d7b54d0bbddb9
Instruction ID: 5062a4ff43a7ba8ffe55d6834a45e8c8304a54f05ebddfac69c20aa3242733bc
Opcode Fuzzy Hash: fe0d1460227b8d4f4688b32bb7a43f59b6f2ead197632402d12d7b54d0bbddb9
Instruction Fuzzy Hash: 6E218275A44609EFEB10DF94DC41FA9FBB8FB08720F10416AF615A72C0D7B16914CBA1

Function 0025F680 Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0025F6B7
DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,?,?,?,002DA415,000000FF), ref: 0025F6D2

Part of subcall function 0025F980: GetCurrentThreadId.KERNEL32 ref: 0025F9E5

Part of subcall function 0025F7F0: EnterCriticalSection.KERNEL32(00310A1C,2DDDF7D7), ref: 0025F82F
Part of subcall function 0025F7F0: DestroyWindow.USER32(00000000), ref: 0025F84D
Part of subcall function 0025F7F0: LeaveCriticalSection.KERNEL32(00310A1C), ref: 0025F896

CoUninitialize.COMBASE ref: 0025F715

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSectionWindow$CurrentDestroyEnterInitializeLeaveProcThreadUninitialize
String ID:
API String ID: 2072714735-0
Opcode ID: 94d025f6523991c6ca2b2a92426d9a3fdbdd42cb0429248fc04b1f760d00a4db
Instruction ID: ee657fe7af5a012ddae3d8bf4714ba96f080b906ef3a716508cb1e1067e711ad
Opcode Fuzzy Hash: 94d025f6523991c6ca2b2a92426d9a3fdbdd42cb0429248fc04b1f760d00a4db
Instruction Fuzzy Hash: 0A11E231665288BFEB20EF68DD05BDDBB78EF05710F104199FC199B2C1DB701618CA56

Function 00284290 Relevance: 4.5, APIs: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040B), ref: 0028429D
SendMessageW.USER32(00000000,00000401,00000000), ref: 002842B8
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 002842C8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 6015cd2555b180452016ea2114945cf59c5ca8d729613c1a6c0736001c452574
Instruction ID: b3b6958c56b6a6661df2a2bc10c6e33443ceb88f15d9e40aaf8b190bbc2b01b4
Opcode Fuzzy Hash: 6015cd2555b180452016ea2114945cf59c5ca8d729613c1a6c0736001c452574
Instruction Fuzzy Hash: 76F06CB12443106FF7509F15AC8DF567799EF88710F218055F700AD2D5C3F558019B68

Function 002C41A3 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,002C419D,?,?,002B96A2), ref: 002C41B1
TerminateProcess.KERNEL32(00000000,?,002C419D,?,?,002B96A2), ref: 002C41B8
ExitProcess.KERNEL32 ref: 002C41CA

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f04c46dc1bdd455dea8f6b5098aaacb654a486fb26a3ebca847de882214782b3
Instruction ID: 0a5c4b728cb4dd046eead6ae149b0dafa9d79a6384347ae5294d02a60037adc3
Opcode Fuzzy Hash: f04c46dc1bdd455dea8f6b5098aaacb654a486fb26a3ebca847de882214782b3
Instruction Fuzzy Hash: 5AD09E71058288BBDF062F65ED4DA993F65EB40351F048054BA4D4D471CB7599E2DF40

Function 0027BB30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,?), ref: 0027BC0E

Strings

$, xrefs: 0027BB61

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LongWindow
String ID: $
API String ID: 1378638983-3993045852
Opcode ID: 3a02b4fcde62d0215f979d8eca75ab4fe6249f4ffe5adf7d81c55633df6d99cd
Instruction ID: 20f1bc8967a808cce19120cc7928f28f77e0383b313dffb9e14e0af09cc07749
Opcode Fuzzy Hash: 3a02b4fcde62d0215f979d8eca75ab4fe6249f4ffe5adf7d81c55633df6d99cd
Instruction Fuzzy Hash: 453136716183499FDB12CF19D888B6ABBF4FB88714F14881EF9488B2A0C775DD548B92

Function 00280631 Relevance: 3.3, APIs: 2, Instructions: 303registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.KERNELBASE(?,?,?,?,00000000,?,00000000,?,2DDDF7D7), ref: 002806C8
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?,?), ref: 002806F8

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 0024CB10: FindResourceW.KERNEL32(00000000,00000100,00000006,00000000,000000FF,?,00000000,0027A070,000000FF,?,?,?,2DDDF7D7,00000000,?,000000FF), ref: 0024CB4D
Part of subcall function 0024CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,000000FF,?,?,?,2DDDF7D7,00000000,?,000000FF), ref: 0024CB7E
Part of subcall function 0024CB10: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,?,2DDDF7D7,00000000,?,000000FF,000000FF), ref: 0024CBB5

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ByteCharEnumMultiValueWide$FindHeapProcessResource
String ID:
API String ID: 4070800961-0
Opcode ID: 95f45cdd6c8ce600f395f37f0e95b6579d276db1c42fd650f9aba011212fce51
Instruction ID: f562c29bdf8d56b07b001d82156ae41973707307e5cfa351ccebb7b021323b14
Opcode Fuzzy Hash: 95f45cdd6c8ce600f395f37f0e95b6579d276db1c42fd650f9aba011212fce51
Instruction Fuzzy Hash: 05B1D375A00649DFDB04DF58C884BAEBBB9FF48320F144169E915AB391DB34AE05CFA1

Function 0028D4C0 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0028D512
EndDialog.USER32(00000000,00000001), ref: 0028D521

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: bef9cc10fb63d379db210b084317cb45da15899c07c8e788d9418969e74343dc
Instruction ID: ec19aa0e8af3deab1094b8ce95b5a35bac3c6c8c1e06fad83db69f5bd339e31e
Opcode Fuzzy Hash: bef9cc10fb63d379db210b084317cb45da15899c07c8e788d9418969e74343dc
Instruction Fuzzy Hash: F561AD34A02645DFCB05DF68C94876CBBB4FF09324F1582A9E819AB3D1DB749E05CB91

Function 00267C78 Relevance: 3.1, APIs: 2, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00267D54
GetLastError.KERNEL32 ref: 00267D65
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00267D7B
GetExitCodeProcess.KERNELBASE(00000000,00000000), ref: 00267D8C
CloseHandle.KERNEL32(00000000), ref: 00267D9A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID:
API String ID: 1481985272-0
Opcode ID: efec1f0ef4d8596504f2535fd5396961d194ad3b527bffcdda0c797225302435
Instruction ID: 26c4045b3b10f85522671b294d0862f3fe864616824532fa1d9669f6e8b7d521
Opcode Fuzzy Hash: efec1f0ef4d8596504f2535fd5396961d194ad3b527bffcdda0c797225302435
Instruction Fuzzy Hash: 9041A031A05A468FDB15CF68D85826DBBB0FF45334F288759E825AB3D1DB34AD41CB90

Function 002841C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00284209

Strings

Ts/, xrefs: 002841F3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle
String ID: Ts/
API String ID: 2962429428-993478674
Opcode ID: dcfed630f9bba46b7964528cabd03caf2616a9b40f37cf63cd81dd87499ce440
Instruction ID: af961677bca6d153f4d07f9e09e983adb5cedd8a9fc47681ac24f24e0e76a50d
Opcode Fuzzy Hash: dcfed630f9bba46b7964528cabd03caf2616a9b40f37cf63cd81dd87499ce440
Instruction Fuzzy Hash: 7D21B070A09246EFCB14DFA9D988B5ABBB8FF04724F1402AAE815D73D0D770A914CB91

Function 0027B780 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 0027B7F1

Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0028CA3E
Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0028CA4D

Part of subcall function 0027BA50: GetDlgItem.USER32(?,00000002), ref: 0027BA6D
Part of subcall function 0027BA50: GetWindowRect.USER32(00000000,?), ref: 0027BA83
Part of subcall function 0027BA50: ShowWindow.USER32(00000000,00000000,?,?,?,?,0027A66A), ref: 0027BA98
Part of subcall function 0027BA50: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0027A66A), ref: 0027BAA3
Part of subcall function 0027BA50: GetDlgItem.USER32(?,000003E9), ref: 0027BAB1
Part of subcall function 0027BA50: GetWindowRect.USER32(00000000,?), ref: 0027BAC7
Part of subcall function 0027BA50: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0027A66A), ref: 0027BB06

Part of subcall function 0027BEA0: GetWindowLongW.USER32(?,000000F0), ref: 0027BEE7
Part of subcall function 0027BEA0: GetParent.USER32(00000000), ref: 0027BEFA
Part of subcall function 0027BEA0: GetWindowRect.USER32(?,80004055), ref: 0027BF13
Part of subcall function 0027BEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 0027BF26
Part of subcall function 0027BEA0: MonitorFromWindow.USER32(?,00000002), ref: 0027BF3E
Part of subcall function 0027BEA0: GetMonitorInfoW.USER32(00000000,8000402D), ref: 0027BF54

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$ItemLongMessageMonitorSend$EnableFromInfoInvalidateParentShow
String ID:
API String ID: 2603943895-0
Opcode ID: 786fe7f6e98d3665ea4e5e2c3290ae259e68b3747872ad5b709bfeabc6b34525
Instruction ID: 031d8bfc708670957b30a8fa15806a5bd3b6b56140b1ea49f8d59458816e6cd1
Opcode Fuzzy Hash: 786fe7f6e98d3665ea4e5e2c3290ae259e68b3747872ad5b709bfeabc6b34525
Instruction Fuzzy Hash: 2811B67662010A5BD7219F08EC41BAA7798EB55320F008267FC19C7691D7B5EC71DBE2

Function 0028CA00 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002698C0: LoadLibraryW.KERNEL32(ComCtl32.dll,2DDDF7D7,00000007,00000007,?), ref: 002698FA
Part of subcall function 002698C0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00269920
Part of subcall function 002698C0: FreeLibrary.KERNEL32(00000000), ref: 002699A9

Part of subcall function 002698C0: GetSystemMetrics.USER32(0000000C), ref: 00269960
Part of subcall function 002698C0: GetSystemMetrics.USER32(0000000B), ref: 00269978
Part of subcall function 002698C0: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 0026998B

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0028CA3E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0028CA4D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMessageMetricsSendSystem$AddressFreeImageProc
String ID:
API String ID: 852476325-0
Opcode ID: b875771a9a54a58a4afe3af9c59217afa08ba8594859e6d9c34bb2307846067f
Instruction ID: aaeeba70ff6085e76ae73fe87e0358de71d9b2c30da213f9a9270588cb054586
Opcode Fuzzy Hash: b875771a9a54a58a4afe3af9c59217afa08ba8594859e6d9c34bb2307846067f
Instruction Fuzzy Hash: 9DF0A07279131033F62012296C4BF67664DD781B61F144264FA84AF2C1ECE26C0082E8

Function 00266150 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,002F38A1,000000FF,00000000,00000000,00000000,?,?,002783BC,002F38A1), ref: 00266168
MultiByteToWideChar.KERNEL32(00000003,00000000,002F38A1,000000FF,?,-00000001,?,002783BC,002F38A1), ref: 0026619A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 63667cce62133a541d16e142d52717a8bed0d6945f22b59d5890497608fde954
Instruction ID: 1aed98975d4eafb100b82eec37a6696da5cb2ba11605e6031c83ff37192eff1a
Opcode Fuzzy Hash: 63667cce62133a541d16e142d52717a8bed0d6945f22b59d5890497608fde954
Instruction Fuzzy Hash: D501F532301222AFD6149F49EC9DF1EB75AEF85725F20411DF218EB3D1CB216D218BA4

Function 002844A0 Relevance: 2.5, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002844C5
CoUninitialize.OLE32(00000000,?,?,?,002E0B9D,000000FF), ref: 002844F2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InitializeUninitialize
String ID:
API String ID: 3442037557-0
Opcode ID: ea4c14ff62c8e7c3574c5b01dcf174a8d3758cef17c37ad5b2175eebdc041c9d
Instruction ID: e2ebb5b1e45a96c763787b97b36d30888391a927f2e5ac2f9e78a45f2f5a320c
Opcode Fuzzy Hash: ea4c14ff62c8e7c3574c5b01dcf174a8d3758cef17c37ad5b2175eebdc041c9d
Instruction Fuzzy Hash: 80F06275A59288EFD711DF68E948B59BBF8FB09714F004699E8158B6D0CB345904CB50

Function 0025AFD0 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,2DDDF7D7,?,?,?,002D922D,000000FF), ref: 0025B005

Part of subcall function 00258780: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00258890

Part of subcall function 002B3148: GetCurrentThreadId.KERNEL32 ref: 002B3173

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CurrentFolderInitializePathThread
String ID:
API String ID: 2098070997-0
Opcode ID: 95deaaa54bf7e84f6fb34103723db2e415ffe0c6f8531f73c79c6554fdfc4c09
Instruction ID: 49f0e2bbeb85e6228af44eb5b60e7525c066fe4a7084287eac638b51f3ddd195
Opcode Fuzzy Hash: 95deaaa54bf7e84f6fb34103723db2e415ffe0c6f8531f73c79c6554fdfc4c09
Instruction Fuzzy Hash: C421AE71A20710AFD721EF64DC45F6BB7E8EB48B20F104A5AFD25977D0DB71A9108BA0

Function 002B17EC Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,002B1944,0030F7DC,?,?,?,?,?,?,?,?,002B1642,00000000,00000000,00000004), ref: 002B187E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a8b8aba925e936ac3397d84985efd32847720bdc11d25eb71675724490e99504
Instruction ID: d57a9846a950eb4d92f695dd814b05af7320e67b939ed45c981cfdc643d0704f
Opcode Fuzzy Hash: a8b8aba925e936ac3397d84985efd32847720bdc11d25eb71675724490e99504
Instruction Fuzzy Hash: 6611D37652020AAEEB218E40A970BEB776DFF49794F64002AF9016B141DBB0DD319A60

Function 002842F1 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 0028432F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: 9631375a448a9d951a1a6568970df296dd31b857317c866936f6b24195fb0503
Instruction ID: 2507d289a9734e74bbe9703f872cd7f7c109374deea85ae050660110e959c9c5
Opcode Fuzzy Hash: 9631375a448a9d951a1a6568970df296dd31b857317c866936f6b24195fb0503
Instruction Fuzzy Hash: 4F01D174629202EFC704AF24EC48B4AFBE5FF84705F1485ADE8085BAE1C770A821DF40

Function 00280400 Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C), ref: 00280472

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bf897b612b1f7b1e8fe7d3f2d8a3783dd4130c757f0a02ecd3ec93eaf6ee7d89
Instruction ID: 0595b822a2616a622d5233573a0503c6b09cf7b88ee9b16f5dfa3ce163e9af7b
Opcode Fuzzy Hash: bf897b612b1f7b1e8fe7d3f2d8a3783dd4130c757f0a02ecd3ec93eaf6ee7d89
Instruction Fuzzy Hash: 79019AB2904648EFE710DF88DC01B9AFBE8FB05720F10466AE825977C0E7B56914CB90

Function 00243620 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002B6215: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,00000000,80004005,2DDDF7D7,?), ref: 002B6275

RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: b6a8edaa57192d7a926f51acb70b552d53541c467e1b2e772abd6d9ae3d2e755
Instruction ID: e934cc4eee217784c5f3b9453b5f0e47c18e41d830d4ed7baf0177e988f94513
Opcode Fuzzy Hash: b6a8edaa57192d7a926f51acb70b552d53541c467e1b2e772abd6d9ae3d2e755
Instruction Fuzzy Hash: F3F0E271648208FFDB05CF00DC06F5ABBA8EB04B00F008A6AF814C3690D776A8148B44

Function 002C6E40 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,002C97C5,?,00000000,?,002BFA29,?,00000004,00000000,00000000,?,?,002C4979), ref: 002C6E75

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6323641ab8148d5955e7f5c48e0a8c9f58d0f93b7273499c162912670a8a2a02
Instruction ID: d3461468609535123ce99b138670b6039429b132639dd6cc1bf3e5eca1895506
Opcode Fuzzy Hash: 6323641ab8148d5955e7f5c48e0a8c9f58d0f93b7273499c162912670a8a2a02
Instruction Fuzzy Hash: 8CF0E53693462366DB203A79DC09F9B36889F497A0F11432AEC04D6180DF61CC6186F0

Function 002C7620 Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00317000,00000080,00000002,?), ref: 002C7636

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0460f4df330554c394d8749da5b3cef7c59005c91380aac9be8c362434f1a31a
Instruction ID: 619aa62cf89aa23830971923aae1df50f9f6974f308d6574deb253107a901d32
Opcode Fuzzy Hash: 0460f4df330554c394d8749da5b3cef7c59005c91380aac9be8c362434f1a31a
Instruction Fuzzy Hash: 20C08C31388308B7E7118792AC0BF8B36ACE784FA0F148114F605EA0C0D9E0EE044220

Non-executed Functions

Function 00272540 Relevance: 51.6, APIs: 11, Strings: 18, Instructions: 858libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,?,?,?,?,SystemFolder,0000000C), ref: 00272756
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0027285F
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 0027298C

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 00272ABC

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00272C2C
SHGetSpecialFolderLocation.SHELL32(00000000,0000000D,WindowsVolume,0000000D), ref: 00272D12
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00272DA0
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 00272DDC
GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00272FD0
SHGetPathFromIDListW.SHELL32(?,?), ref: 00273059
SHGetMalloc.SHELL32(00000000), ref: 00273072

Strings

SystemFolder, xrefs: 00272699, 002726AE, 002726B8
ProgramFiles, xrefs: 00272F2F
ProgramFiles64Folder, xrefs: 0027257E
AppDataFolder, xrefs: 00272F41, 00272F7B
System32Folder, xrefs: 002727AB, 002727C0, 002727CA
ProgramFilesFolder, xrefs: 00272EF6
shfolder.dll, xrefs: 00272D9B
APPDATA, xrefs: 00272FC7, 00272FCF
SETUPEXEDIR, xrefs: 00272BD6
WindowsVolume, xrefs: 00272A04, 00272A19, 00272A23
001, xrefs: 00272DC3
Shell32.dll, xrefs: 00272E47
PROGRAMFILES, xrefs: 00272FAD
SHGetFolderPathW, xrefs: 00272DD6
Shlwapi.dll, xrefs: 00272E17
WindowsFolder, xrefs: 002728D7, 002728EC, 002728F6
TempFolder, xrefs: 00272AFD
ProgramW6432, xrefs: 002725D6

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressEnvironmentFileFindFromHeapLibraryListLoadLocationMallocModuleNameProcProcessResourceSpecialSystemVariable
String ID: 001$APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 700146523-3411744261
Opcode ID: 388137aff68e5399d199521e48cb5a1f67deca676ff9afbb5348c1855d17420c
Instruction ID: a2b00999edd6d2d2c3ff11bd7a931499586185080ea0b53a3b3c1730cbbe5deb
Opcode Fuzzy Hash: 388137aff68e5399d199521e48cb5a1f67deca676ff9afbb5348c1855d17420c
Instruction Fuzzy Hash: 8F623831620216CBDB24DF24CC54BBAB3B6FF64354F5481ACD90A97391EB329E69CB50

Function 0026AAA0 Relevance: 40.8, APIs: 14, Strings: 9, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00310A8C,C0000000,00000003,00000000,00000004,00000080,00000000,2DDDF7D7,00000000,00310A80,00310A68), ref: 0026AB18
GetLastError.KERNEL32 ref: 0026AB40
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 0026ABC5
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0026ACF2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 0026AD8E

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 0026AE31
WriteFile.KERNEL32(00000000,002DC02D,00000002,00000002,00000000,?,0000001D), ref: 0026AEDA
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0026AEE3
WriteFile.KERNEL32(00000000,00310864,00000000,00000002,00000000,?,0000001D), ref: 0026AF05
WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,002F37E8,00000002), ref: 0026AFC4
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0026AFCD
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0026AF0E

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

WriteFile.KERNEL32(00000000,000000FF,?,00000002,00000000,002F37E8,00000002), ref: 0026B079
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0026B082

Strings

LOGGER->failed to create LOG at:, xrefs: 0026AB80, 0026AB92, 0026AB9C
LOGGER->Reusing LOG file at:, xrefs: 0026AC97, 0026ACA9, 0026ACB3
x64, xrefs: 0026AF5E, 0026AF6A
LOGGER->Creating LOG file at:, xrefs: 0026ADD6, 0026ADE8, 0026ADF2
workstation, xrefs: 0026AF6B
server, xrefs: 0026AF70, 0026AF78
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 0026AF94
x86, xrefs: 0026AF55
7/, xrefs: 0026B039

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorFindHeapLastPointerProcessResource
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86$7/
API String ID: 611875259-2793722445
Opcode ID: ffadc3463089c49c698b135a69dd3f442bfe569e2bc0b7a0e9d3690bce285e8e
Instruction ID: df842fd0cba8745a3b7fff7dbff2813439dff585fe849a9acfba1ba3726d1a72
Opcode Fuzzy Hash: ffadc3463089c49c698b135a69dd3f442bfe569e2bc0b7a0e9d3690bce285e8e
Instruction Fuzzy Hash: F012EE70A106059BDB05DF68CC88B6EBBB5FF44320F144268E925AB3D1DB74AE51CF91

Function 002AF400 Relevance: 32.7, APIs: 21, Instructions: 1155synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 002AF45E
GetLastError.KERNEL32 ref: 002AF469
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002AF953
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002AF997
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002AFAFE
SetEvent.KERNEL32(?), ref: 002AFE21
GetLastError.KERNEL32 ref: 002AFE2F
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002B01B9
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002B020F
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 002B0250
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002B025B
EnterCriticalSection.KERNEL32(?), ref: 002B0381
LeaveCriticalSection.KERNEL32(?), ref: 002B0418
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002B04BF
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002B050F
SetEvent.KERNEL32(?), ref: 002B05AB
GetLastError.KERNEL32 ref: 002B05B9
SetEvent.KERNEL32(?), ref: 002B05CE
GetLastError.KERNEL32 ref: 002B05D8
SetEvent.KERNEL32(?), ref: 002B0608
GetLastError.KERNEL32 ref: 002B0616

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterEventLeave$ObjectSingleWait
String ID:
API String ID: 3699643388-0
Opcode ID: 0d807ff8b354ad0ddf1c089ef064877851c2541f2639a447988ab38174798d5f
Instruction ID: 2eb584a437768d5841e0881ca0801932e0fb471e9704cd2fa5d234ed7d7f8ae5
Opcode Fuzzy Hash: 0d807ff8b354ad0ddf1c089ef064877851c2541f2639a447988ab38174798d5f
Instruction Fuzzy Hash: D6C2E070A183828FD764CF69C580B9BFBE1BF89344F14492EE99987351EB74A854CF42

Function 00299050 Relevance: 25.2, APIs: 9, Strings: 5, Instructions: 709fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?), ref: 0029949D
CloseHandle.KERNEL32(00000000), ref: 002994AF
GetLastError.KERNEL32 ref: 002994B9
CloseHandle.KERNEL32(FFFFFFFF), ref: 002994F9

Strings

?, xrefs: 0029921C
$, xrefs: 00299B96
NUMBER_OF_PROCESSORS, xrefs: 0029976F
\, xrefs: 00299167
\, xrefs: 00299212

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileLast
String ID: $$?$NUMBER_OF_PROCESSORS$\$\
API String ID: 3884794734-3915631646
Opcode ID: 8bc803ea8f15a8462153df59cf02938efede92ca939f4a89b0ab512b8cff440a
Instruction ID: 240c1dc156244329fa543063d7d368aceced23c63dfd996792c291003eb944d5
Opcode Fuzzy Hash: 8bc803ea8f15a8462153df59cf02938efede92ca939f4a89b0ab512b8cff440a
Instruction Fuzzy Hash: 7D724570810669DBDB24DF28CC44BADBBF4BF48314F1481E9E489A7291DB75AE94CF90

Function 00263B60 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 397fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,00000000), ref: 00263BC5
PathIsUNCW.SHLWAPI(2DDDF7D7,*.*,00000000), ref: 00263C8B
FindFirstFileW.KERNEL32(2DDDF7D7,?,*.*,00000000), ref: 00263E1B
GetFullPathNameW.KERNEL32(2DDDF7D7,00000000,00000000,00000000), ref: 00263E35
GetFullPathNameW.KERNEL32(2DDDF7D7,00000000,?,00000000), ref: 00263E68
FindClose.KERNEL32(00000000,?,00000000), ref: 00263ED0
SetLastError.KERNEL32(0000007B,?,00000000), ref: 00263EDA

Strings

\\?\UNC\, xrefs: 00263CAB, 00263D83
*.*, xrefs: 00263BEF, 00263C58, 00263C59
\\?\, xrefs: 00263D99, 00263E03
2Svp1Sv, xrefs: 00263E1B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FindPath$CloseFullName$ErrorFileFirstLast
String ID: 2Svp1Sv$*.*$\\?\$\\?\UNC\
API String ID: 539638818-2136517478
Opcode ID: 32b94afc3951d622e64a9aadd7ade49d9296551e66e0ea7f30358fb7d92fbd44
Instruction ID: 294c567550b4173dafe8714f2ac304adad4d941fe7b4cdd8c8f9476cbd3b3dba
Opcode Fuzzy Hash: 32b94afc3951d622e64a9aadd7ade49d9296551e66e0ea7f30358fb7d92fbd44
Instruction Fuzzy Hash: 42E1F370A106129BDB08DF68CC89BAEB7B1FF44314F14416DE9169B3D1DB76AEA0CB40

Function 0028AC60 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 214fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,2DDDF7D7,?,?,00000000), ref: 0028AD09
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 0028AD24

Strings

0!$, xrefs: 0028AD0F, 0028B33A
@9/, xrefs: 0028B19F
p2Sv3Sv, xrefs: 0028AD24, 0028B288, 0028B31E
2Svp1Sv, xrefs: 0028AD09, 0028B25A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileFind$FirstNext
String ID: 2Svp1Sv$0!$$@9/$p2Sv3Sv
API String ID: 1690352074-2548255900
Opcode ID: 8014dc3e209f79b0ffa4d8fe971407387b62cb11135ffc934b6db6d2270817e4
Instruction ID: 269c8e9f5d4b005f5514fa58ca27b6885afff49463df8bd8b72f40b08cd613be
Opcode Fuzzy Hash: 8014dc3e209f79b0ffa4d8fe971407387b62cb11135ffc934b6db6d2270817e4
Instruction Fuzzy Hash: A681AB75D01689DFDB01DFA8DC98AEDBBB4FF09320F148169E815AB291DB309A15CF50

Function 00297CA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 200libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00000000), ref: 00297CCD
GetProcessAffinityMask.KERNEL32(00000000), ref: 00297CD4
GetSystemInfo.KERNEL32(?), ref: 00297D55
GetModuleHandleA.KERNEL32 ref: 00297DA4
GetProcAddress.KERNEL32(00000000), ref: 00297DAB
GlobalMemoryStatus.KERNEL32(?), ref: 00297E05

Strings

@, xrefs: 00297D9C
kernel32.dll, xrefs: 00297D64
GlobalMemoryStatusEx, xrefs: 00297D5F
, xrefs: 00297DFC

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 3120231856-802862622
Opcode ID: 1b873502bde0cc12b4672f6e342ef6ecf39c85f5c33e728cb1c80a2d7a193723
Instruction ID: dd20a3a56b488cba97858a6e4d3a93c12ce47504b4a84091992b6a3a72ea031c
Opcode Fuzzy Hash: 1b873502bde0cc12b4672f6e342ef6ecf39c85f5c33e728cb1c80a2d7a193723
Instruction Fuzzy Hash: 4B718CB2A183118FD708CF19D89475ABBE5BFC8314F05896DE899CB350D7B4D904CB86

Function 00262720 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000060,2DDDF7D7,8007000E,00000000,?,?,?,?,?,?,?,?,002DA915,000000FF), ref: 00262799
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?,002DA915,000000FF), ref: 002627AC
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,002DA915,000000FF), ref: 002627CC
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,002DA915,000000FF), ref: 002627E4

Part of subcall function 00260A20: GetLastError.KERNEL32(2DDDF7D7,00000000,002D5110,000000FF,?,8007000E), ref: 00260A42

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,002DA915,000000FF), ref: 002628C5

Strings

REGISTRY, xrefs: 00262D0F
Module, xrefs: 00262C16
Module_Raw, xrefs: 00262C6F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: Module$Module_Raw$REGISTRY
API String ID: 328770362-549000027
Opcode ID: 09062f0262b0346dec574fa0bc35da87c531754c61ec9538b20cc4f1407e9ccc
Instruction ID: c09c005799b3d0a2b7a961286f5f9f8c5eef380018268ab56e29f7e410d2b9d7
Opcode Fuzzy Hash: 09062f0262b0346dec574fa0bc35da87c531754c61ec9538b20cc4f1407e9ccc
Instruction Fuzzy Hash: 6551D371920649EFDB21DF54CC84BEE77B9FF44310F204129E905AB280DB708A988B75

Function 002ADA30 Relevance: 16.8, APIs: 11, Instructions: 273synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 002ADA77
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002ADA87
GetLastError.KERNEL32 ref: 002ADA98
ResetEvent.KERNEL32(?), ref: 002ADAB8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002ADAC8
GetLastError.KERNEL32 ref: 002ADAD9
GetLastError.KERNEL32 ref: 002ADB1A
SetEvent.KERNEL32(?), ref: 002ADB56
GetLastError.KERNEL32 ref: 002ADB60
WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 002ADBA8
GetLastError.KERNEL32 ref: 002ADBB3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast$CreateReset$ObjectSingleWait
String ID:
API String ID: 3708806560-0
Opcode ID: 68251e8fb3df5a8d9dcae640b7920f665c2659ce37cce386e41cfbab648c955f
Instruction ID: 06cc94c176e50e4ee49fcffff3fd2013583d3ef7a2e61c42e3325d1858013864
Opcode Fuzzy Hash: 68251e8fb3df5a8d9dcae640b7920f665c2659ce37cce386e41cfbab648c955f
Instruction Fuzzy Hash: A391E6313647028FE7248F29D894B2673D6FB86325F15492EE557CBAA1DF71E860CB20

Function 0026DEC0 Relevance: 16.4, APIs: 7, Strings: 2, Instructions: 603COMMON

Download Yara Rule

APIs

Part of subcall function 002B46AF: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46BA
Part of subcall function 002B46AF: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46F4

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0026E2EA
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0026E2F1
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0026E305
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0026E30C

Strings

Error, xrefs: 0026E62B
F^&, xrefs: 0026E31B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ConsoleExclusiveHandleLock$AcquireAttributeBufferInfoReleaseScreenText
String ID: Error$F^&
API String ID: 719367182-810301205
Opcode ID: 2f9979a925e09aae5e4da4f3a77c96c030ba0b0facd245799ac11cc7edd29157
Instruction ID: a0e36e80eb161521fa0da7f78034b9d94fd2d9e411ebd2f4195ab421b2105e16
Opcode Fuzzy Hash: 2f9979a925e09aae5e4da4f3a77c96c030ba0b0facd245799ac11cc7edd29157
Instruction Fuzzy Hash: 7A427B70D1025ADFDB24DF64CC44BEEBBB4BF48314F1042A9E519A7291EB74AA94CF90

Function 002880E0 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 465COMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00288320
GetDriveTypeW.KERNEL32(?), ref: 0028833A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 002883E3
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00288686

Strings

\/, xrefs: 002882E4
0!$, xrefs: 00289634, 002897A0
]%!, xrefs: 002882B8
p2Sv3Sv, xrefs: 00289650, 00289740
2Svp1Sv, xrefs: 00289628

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: 2Svp1Sv$0!$$]%!$p2Sv3Sv$\/
API String ID: 4157823300-3308461500
Opcode ID: c696f40ebed0c95f71e786da6a1ffa00c7b85f342c3c8f593605c33888cdf908
Instruction ID: 61d288f296d9f5093e29d5bb5d0c144e96c57c313ff6596d1aa190fe7692d01b
Opcode Fuzzy Hash: c696f40ebed0c95f71e786da6a1ffa00c7b85f342c3c8f593605c33888cdf908
Instruction Fuzzy Hash: 7302033591166ACFDB24EF28CC84BADB7B5AF04310F5485E9D91AA72C1DB709E90CF90

Function 0024C3A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175windowshutdownCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(2DDDF7D7,?,?), ref: 0024C402
MessageBoxW.USER32(00000000,?,?,00000044), ref: 0024C40D
GetCurrentProcess.KERNEL32 ref: 0024C4FB
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0024C508
CloseHandle.KERNEL32(00000000), ref: 0024C528
GetLastError.KERNEL32 ref: 0024C56D
ExitWindowsEx.USER32(00000006,80040002), ref: 0024C57E
CloseHandle.KERNEL32(00000000), ref: 0024C59E

Strings

SeShutdownPrivilege, xrefs: 0024C53D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseHandleProcess$CurrentErrorExitForegroundLastMessageOpenTokenWindowWindows
String ID: SeShutdownPrivilege
API String ID: 1440564136-3733053543
Opcode ID: 440df4030d0a141ca7f78470c6a2b2b3137481fa36c9e25e84a8bfce86f8a630
Instruction ID: d0ee83390064acb1a8f89ec3f96b4e4ad66ccfd74a1f2066141aa3f6cdc09030
Opcode Fuzzy Hash: 440df4030d0a141ca7f78470c6a2b2b3137481fa36c9e25e84a8bfce86f8a630
Instruction Fuzzy Hash: 5B618070A516499BDB04DFA9DC88BADBBB8EF09320F244159E811BB3D0CB75AD05CF60

Function 0026DDB0 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 495COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0026E2EA
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0026E2F1
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0026E305
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0026E30C
GetStdHandle.KERNEL32(000000F5,?,?,00000000,?,00000000,002F37E8,00000002,?,?), ref: 0026E3CA
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0026E3D1

Strings

F^&, xrefs: 0026E31B
*** Stack Trace (x86) ***, xrefs: 0026DE05

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ConsoleHandle$AttributeText$BufferInfoScreen
String ID: *** Stack Trace (x86) ***$F^&
API String ID: 575076100-3799682818
Opcode ID: 1f0befab80280998540c97373a73c320b1333995e11da660db6f8ea43aa0a759
Instruction ID: a81752241341ffcab121a2cd622c55e70bac56413537d768bb8a257367c793a1
Opcode Fuzzy Hash: 1f0befab80280998540c97373a73c320b1333995e11da660db6f8ea43aa0a759
Instruction Fuzzy Hash: 6B228D70D1025ADFDB24DF68C845BEEBBB8FF48314F1042A9E515A7291EB706A94CF90

Function 0026F270 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 352fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2DDDF7D7,00000000,00000000,?), ref: 0026F2CB
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 0026F444
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 0026F4F1
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 0026F513
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 0026F59E
DeleteFileW.KERNEL32(?,2DDDF7D7,?,00000000,002D4F60,000000FF,?,80004005,?), ref: 0026F6AD

Strings

shim_clone, xrefs: 0026F43E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Wow64$File$Redirection$CopyDeleteDisableFolderNamePathRevertTemp
String ID: shim_clone
API String ID: 3507832535-3944563459
Opcode ID: 2e7e19075f61df3a6c410ce8ce5d11c173ef231cc58f66f0068e1be5d39d0b8d
Instruction ID: 5b94729c6b3a596ee5315b1ed4c865a56c9d6580eb3a39dcf51a3eadf4ba775b
Opcode Fuzzy Hash: 2e7e19075f61df3a6c410ce8ce5d11c173ef231cc58f66f0068e1be5d39d0b8d
Instruction Fuzzy Hash: C8C10370A106968FCF28EF28DD857AA77B8EF05300F1440F9E506DB292EB349E95CB54

Function 00289440 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

0!$, xrefs: 00289634, 002897A0
p2Sv3Sv, xrefs: 00289650, 00289740
2Svp1Sv, xrefs: 00289628

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileFindFirstHeapProcess
String ID: 2Svp1Sv$0!$$p2Sv3Sv
API String ID: 284326027-1571709011
Opcode ID: bc666efb8c7ef30163bb9b3db38754e23621729efd32997da7d74258f1f0a15f
Instruction ID: d0a596343f49ba3e7ebe6df0283b322f85ebfa514447c41ca8cc52866f2f1023
Opcode Fuzzy Hash: bc666efb8c7ef30163bb9b3db38754e23621729efd32997da7d74258f1f0a15f
Instruction Fuzzy Hash: A591BF759122599BDB10DF28CC8C7ACBBB4AF05320F1882D9E419A72D2DB309E94CF91

Function 00241950 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 207fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,2DDDF7D7,?), ref: 00241A49
FindClose.KERNEL32(000000FF,?), ref: 00241C12

Strings

0!$, xrefs: 002419A1, 00241C03
p2Sv3Sv, xrefs: 00241BB3
2Svp1Sv, xrefs: 00241A49

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Svp1Sv$0!$$p2Sv3Sv
API String ID: 2295610775-1571709011
Opcode ID: 4fc49d3a7c25d9b8f1d8d36f1589246f6127def46bedbc0c9104841241519a2c
Instruction ID: de4659ba1afc6f4e8be7b0d2ae49b530598ad13e5941c0fe95f9dc220f524fb5
Opcode Fuzzy Hash: 4fc49d3a7c25d9b8f1d8d36f1589246f6127def46bedbc0c9104841241519a2c
Instruction Fuzzy Hash: 9E91CD70D11259DFDB28DF64C899BEEBBB4EF44300F508299D419A7291EB706EA4CF50

Function 002A3190 Relevance: 10.6, APIs: 6, Instructions: 1566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373c2003a9924758b754d1433529d2ba4aec40247231dd733dbe93b3ceb04ac5
Instruction ID: 41b45b13798388c97131f7db9f706814e78690b804e822c1d30809acb33a3a0e
Opcode Fuzzy Hash: 373c2003a9924758b754d1433529d2ba4aec40247231dd733dbe93b3ceb04ac5
Instruction Fuzzy Hash: 39E27870A10259DFDF10DF68C884BADBBB5BF4A304F1481A9E805AB391CB74AE55CF91

Function 002B1EBE Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,002B1DDA,00000000,?,002B1F72,00000000), ref: 002B1EC0
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,002B1F72,00000000), ref: 002B1EE7
HeapAlloc.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1EEE
InitializeSListHead.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1EFB
GetProcessHeap.KERNEL32(00000000,00000000,?,002B1F72,00000000), ref: 002B1F10
HeapFree.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1F17

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: cd80acdcc0440669a3c75669f95756adb4c67e8e7dfa3f7d269abafa5d325bfd
Instruction ID: 06a61727bef3cfd0105af3e14e0997784a213a525448c754a844f3bd6d9b51af
Opcode Fuzzy Hash: cd80acdcc0440669a3c75669f95756adb4c67e8e7dfa3f7d269abafa5d325bfd
Instruction Fuzzy Hash: 39F0AF312942429FEB219F39FC5CB6676ACBB95752F008029F985C7250EB308821CB90

Function 00289880 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 00289916
FindClose.KERNEL32(00000000), ref: 00289A99

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Strings

0!$, xrefs: 0028991E, 00289A8A
%d.%d.%d.%d, xrefs: 00289A12
2Svp1Sv, xrefs: 00289916

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: 2Svp1Sv$%d.%d.%d.%d$0!$
API String ID: 1673784098-2977300667
Opcode ID: 59fa8fdeb75162bbe4281d8da053442abcb270323a8c5256514713cc72225cba
Instruction ID: 55738cdad2a76fee8756797ffa3f2aade2514df91295521962f41d2adc3cfafb
Opcode Fuzzy Hash: 59fa8fdeb75162bbe4281d8da053442abcb270323a8c5256514713cc72225cba
Instruction Fuzzy Hash: 58719A35905259DFCF24EF28CC48BADBBB4AF04314F1482D9E819AB291DB319E94CF80

Function 002CFA45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,002CFD5D,00000002,00000000,?,?,?,002CFD5D,?,00000000), ref: 002CFADE
GetLocaleInfoW.KERNEL32(?,20001004,002CFD5D,00000002,00000000,?,?,?,002CFD5D,?,00000000), ref: 002CFB07
GetACP.KERNEL32(?,?,002CFD5D,?,00000000), ref: 002CFB1C

Strings

OCP, xrefs: 002CFA99
ACP, xrefs: 002CFA63

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 18d61af0edeb1fd7689ff39d808cbfd123ac4e6cce5f93f24ccd856903118709
Instruction ID: 2d3c2c0b85865d5beb5e92d5f4c3c7f4664ebe026dbeecf4345034f3d13d1192
Opcode Fuzzy Hash: 18d61af0edeb1fd7689ff39d808cbfd123ac4e6cce5f93f24ccd856903118709
Instruction Fuzzy Hash: 0421C722660102ABDBB48F55DB00F97B2A7EB48B54B56823CED0ECB214E732DD50C350

Function 002CFC27 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 002CFD2F
IsValidCodePage.KERNEL32(00000000), ref: 002CFD6D
IsValidLocale.KERNEL32(?,00000001), ref: 002CFD80
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002CFDC8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002CFDE3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 38498af6ceec3738a623510a5a6e2c20ec8ca7ddc749c8df22c84d134902c510
Instruction ID: 7e2b1cdf23ddbbac5b5e61f2f07ed1e3117c304c6cd7b309d55652fff180d4ba
Opcode Fuzzy Hash: 38498af6ceec3738a623510a5a6e2c20ec8ca7ddc749c8df22c84d134902c510
Instruction Fuzzy Hash: 49518171A2020AAFDB50DFA4DD85FBE77B9AF08700F14067DE915EB151E7709A20CBA0

Function 002CF284 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 271COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,?,?,?,?,002C5626,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002CF34D
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,002C5626,?,?,?,00000055,?,-00000050,?,?), ref: 002CF384
GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 002CF4F0

Strings

utf8, xrefs: 002CF456

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: c4c3f8a441e65d8060b46f50b8b6cd836c317928a89293783b3f36803633595c
Instruction ID: f04e4ee2da63f892081d9c8bacfdc6ff40ccbe2447444c32719fb8c36c9b38e7
Opcode Fuzzy Hash: c4c3f8a441e65d8060b46f50b8b6cd836c317928a89293783b3f36803633595c
Instruction Fuzzy Hash: F0710B71620242AADB68AF348D46FBB73A9EF54740F15027EFA05DB181F770DD60C691

Function 0028A8A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0028A97A

Strings

\, xrefs: 0028A8F4
\, xrefs: 0028A8FC
\, xrefs: 0028A91E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 00421ab3b5f798c06c1f8d008cd04a23f797593a29c7099a7c2220e1e17206bb
Instruction ID: 1731cd2330e29420425647ab16cb644d01ab0cafcdeb9cf8504fa22606a55b50
Opcode Fuzzy Hash: 00421ab3b5f798c06c1f8d008cd04a23f797593a29c7099a7c2220e1e17206bb
Instruction Fuzzy Hash: B841C626929256C6DB30BF2484416ABB3F4FF95354F168A2FE8D897080FB6099958387

Function 00280E10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?), ref: 00280E9F
FindClose.KERNEL32(00000000), ref: 00280EEC

Strings

0!$, xrefs: 00280EA7, 00280EDD
2Svp1Sv, xrefs: 00280E9F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Svp1Sv$0!$
API String ID: 2295610775-655561941
Opcode ID: 6a3a6b9d15f9f571b0c726cfe3f98cd06d569ff990ef8fdf726c64af142000cb
Instruction ID: 9afd6ba4a4c85fd2d563f5e0c1b16de5030f6ca3ef798c4e13eb077d08f31bae
Opcode Fuzzy Hash: 6a3a6b9d15f9f571b0c726cfe3f98cd06d569ff990ef8fdf726c64af142000cb
Instruction Fuzzy Hash: B241E435A06259CFCB10EF28C8887ADB7B4EF05320F144299E819A73D1CB359E59CF90

Function 00267DF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,2DDDF7D7,?,00000000), ref: 00267E56
FindClose.KERNEL32(00000000), ref: 00267EBE

Strings

0!$, xrefs: 00267E5E, 00267EA6
2Svp1Sv, xrefs: 00267E56

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 2Svp1Sv$0!$
API String ID: 2295610775-655561941
Opcode ID: a7c2e997420c0bc291c382f5331bcaa67f053b565eb7676d7fa0f6ca6f0b3fa6
Instruction ID: c7cef19279a9536bf068e963cd4c02809eecdc811c0deee6555cecf22345cb26
Opcode Fuzzy Hash: a7c2e997420c0bc291c382f5331bcaa67f053b565eb7676d7fa0f6ca6f0b3fa6
Instruction Fuzzy Hash: EE21C131908658DBDB10DF68DC887A9B7B8EB45320F1443AAE429A72D1DB755E44CF40

Function 002D0D6D Relevance: 6.4, Strings: 4, Instructions: 1424COMMON

Download Yara Rule

Strings

1#IND, xrefs: 002D0E72
1#SNAN, xrefs: 002D0E79
1#QNAN, xrefs: 002D0E80
1#INF, xrefs: 002D0EA3

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: c1ff4e0d10b3e582480ae919057b53e37805a45711f164e66707b850a0a4e0aa
Instruction ID: 7d65fea9f3881a1c0d97bdb1a8e6e8865945c51868f1a20ab5850e1869554e27
Opcode Fuzzy Hash: c1ff4e0d10b3e582480ae919057b53e37805a45711f164e66707b850a0a4e0aa
Instruction Fuzzy Hash: DFC26D72E282299FDB65CE28DC807EAB3B5EB54304F1441EBD84DE7640D774AEA58F40

Function 002B5342 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002B534E
IsDebuggerPresent.KERNEL32 ref: 002B541A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002B5433
UnhandledExceptionFilter.KERNEL32(?), ref: 002B543D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7fedc15b4d109fa6f66e4e7175cc40791b5f995f41c996be51132fcb8444af5e
Instruction ID: b977d7a8df281dbe6104ae45e1b5d59dfaf1c953b5c76cb26ffdc71ea545e5fd
Opcode Fuzzy Hash: 7fedc15b4d109fa6f66e4e7175cc40791b5f995f41c996be51132fcb8444af5e
Instruction Fuzzy Hash: C5312A75C152299BDF20DF64E9897CDBBB8AF08340F1041EAE40CAB250E7709B85CF44

Function 002B4433 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,002B4553,002EA864), ref: 002B4438
UnhandledExceptionFilter.KERNEL32(002B4553,?,002B4553,002EA864), ref: 002B4441
GetCurrentProcess.KERNEL32(C0000409,?,002B4553,002EA864), ref: 002B444C
TerminateProcess.KERNEL32(00000000,?,002B4553,002EA864), ref: 002B4453

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 2eb5cf480e07f34ba17d77c9223c906b2542d909f2fa9c928154aae804f1364a
Instruction ID: 02a41919d6e62e5802656b102c8af1d02ed114d3523b911a9adb0cb4d6795a74
Opcode Fuzzy Hash: 2eb5cf480e07f34ba17d77c9223c906b2542d909f2fa9c928154aae804f1364a
Instruction Fuzzy Hash: 26D01231088284ABCA002FE1FC4CA883F28EB05216F004440F30E8D060CB3144419B61

Function 00294DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

GetLocaleInfoW.KERNEL32(00000000,00000002,002F37C0,00000000), ref: 00294E41
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00294E7D

Strings

%d-%s, xrefs: 00294E87

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: a77ff80dd80d80f85dd5c292b18ffeffb982ae0f5edac4f2716427df17ed2930
Instruction ID: 2ce10d768c2bf1724117f10ada5e6069d02608d66444f79bebc9322406286248
Opcode Fuzzy Hash: a77ff80dd80d80f85dd5c292b18ffeffb982ae0f5edac4f2716427df17ed2930
Instruction Fuzzy Hash: BB31CE71A10209ABDB05EF98CC49BAEFBB8FF44724F104159E615AB3D1DBB15A10CF90

Function 002B16FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00000000,0000001C,?,?,?,?,?,?,?,002B1642,00000000,00000000,00000004,0030F7DC,002B1944), ref: 002B170E
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,002B1642,00000000,00000000,00000004,0030F7DC,002B1944), ref: 002B1729

Strings

D, xrefs: 002B171D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 0201b2e1ae6c4f929fecb3a4d1515db09caed23060cb0379580372600aa7fba2
Instruction ID: f97f5a27b05d5cea2c9b0782d2a03eb8a1036ded35b07e383d7160821c659059
Opcode Fuzzy Hash: 0201b2e1ae6c4f929fecb3a4d1515db09caed23060cb0379580372600aa7fba2
Instruction Fuzzy Hash: B801D432650209ABCB14DE29DC49ADEBBA9EFC4364F08C121ED19DB144DB34D9218A80

Function 002CF6C0 Relevance: 4.7, APIs: 3, Instructions: 210COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078), ref: 002CF717
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 002CF75B
GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 002CF825

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a58dca6ea281d4af60884e6cc202b499bdcc74bfa50b1cb0dd012677436e0f07
Instruction ID: b5f170fdaf6f874e3408598f3f4958530cdd115df6ad7b8f143172a40c75f3f0
Opcode Fuzzy Hash: a58dca6ea281d4af60884e6cc202b499bdcc74bfa50b1cb0dd012677436e0f07
Instruction Fuzzy Hash: 3861A5719202179FEB689F24CE81FBAB7AAEF04300F20427EE905C6145EB75DDA5DB50

Function 002415F0 Relevance: 4.7, APIs: 3, Instructions: 204COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 002AE3A2
GetVersionExW.KERNEL32(00000114), ref: 002AE3F1
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 002AE409

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: d4150698525ddb843a48a5361432deb8f322363c31842c0aaae524db12292457
Instruction ID: b4da3121196516cd5a4151862b45bb8476d44fcb53702e6897c43419d52c6e99
Opcode Fuzzy Hash: d4150698525ddb843a48a5361432deb8f322363c31842c0aaae524db12292457
Instruction Fuzzy Hash: 14613B71B102204BE748CE2DDCD52EABBDAEBCD341F054A3EE496C6290DA78C555CBA0

Function 002B96A3 Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 002B979B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 002B97A5
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 002B97B2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0cb9df2e8624d4294b8a3556b08f1caa9dc96c539edeb0e7637bb9f88e3f217c
Instruction ID: 9d87d96ec349345e5fbf76029f293e1408fbdf9f19d795574f5345526ec71940
Opcode Fuzzy Hash: 0cb9df2e8624d4294b8a3556b08f1caa9dc96c539edeb0e7637bb9f88e3f217c
Instruction Fuzzy Hash: 9531C5749512299BCB21DF68DC897CCBBB8BF08750F5041EAE41CAB290EB749F958F44

Function 00269710 Relevance: 3.1, APIs: 2, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000007,00000400,?,00000000,00000000,2DDDF7D7,00000000,?), ref: 0026975B
GetLastError.KERNEL32 ref: 00269765

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: ca5365b11ad8b43843cf0e12691cfa1eb6eb086c5fdade9ee0f513f677b9b992
Instruction ID: f33858ed3cee36c8c59c5c8e6ad52de0fc75bce9c8fda80c990ebfebd778fc14
Opcode Fuzzy Hash: ca5365b11ad8b43843cf0e12691cfa1eb6eb086c5fdade9ee0f513f677b9b992
Instruction Fuzzy Hash: DC41E071A142099FDB14CF98DC457AEFBB8FB44714F10016EE919EB380EBB59D448B90

Function 002B4355 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMON

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,002B4122,?,?,?,?,002B40E1,000000FF,?,?,?,002B41F4,00000000,?), ref: 002B438D
GetSystemTimeAsFileTime.KERNEL32(?,2DDDF7D7,?,?,002E6272,000000FF,?,002B4122,?,?,?,?,002B40E1,000000FF,?), ref: 002B4391

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 8edcff02d2985f0fe896ed0dee57abdcf7d1ed9cf85af9674e72ad157bb34991
Instruction ID: af9de4f7a8acc0b960fbbd9ac042e27352c4cb7625b5f2c448830937d404fd5f
Opcode Fuzzy Hash: 8edcff02d2985f0fe896ed0dee57abdcf7d1ed9cf85af9674e72ad157bb34991
Instruction Fuzzy Hash: D2F0A032A48554EFCB129F44DC44B9DBBA8F709B50F000666EC0297690DB74A9008A90

Function 00245930 Relevance: 1.9, Strings: 1, Instructions: 682COMMON

Download Yara Rule

Strings

l%, xrefs: 00245940

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID: l%
API String ID: 0-3230761376
Opcode ID: 2b747808e54cfda2a8be659db6fd8c762fabaec49ae651353f695398b9248a4b
Instruction ID: e240300d810ad17a3234643af020aa7a584fa5eaa8b391749d860541a3fc54c9
Opcode Fuzzy Hash: 2b747808e54cfda2a8be659db6fd8c762fabaec49ae651353f695398b9248a4b
Instruction Fuzzy Hash: 0222C2B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 002C91C0 Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,00000008,?,?,?,002C91AE,?,?,00000008,?,?,002D449E,00000000), ref: 002C9408

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9043a3e077060e196c335d11eb7c49cc234a95affe1abaac7942a703889fb2bc
Instruction ID: 837bef22f9b619af4ec71cc05144dd202d479f5c48d6ff65e159251961cdb0c4
Opcode Fuzzy Hash: 9043a3e077060e196c335d11eb7c49cc234a95affe1abaac7942a703889fb2bc
Instruction Fuzzy Hash: D4B148315206099FD719CF28C49AB65BBA0FF45364F24879CE89A8F2E1C375E9D2CB40

Function 002B4E00 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002B4E16

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 769229badae39683eb9f00de35d2d1664ef2983b6331a74abd11f1daac3c93a9
Instruction ID: cbc90b175af1a08d887b115ae6bb7e44f82c443f15723fc5404b18245d5853fd
Opcode Fuzzy Hash: 769229badae39683eb9f00de35d2d1664ef2983b6331a74abd11f1daac3c93a9
Instruction Fuzzy Hash: 0DA17BB1A266168FDB19CF59D8D17A9BBF4FB48354F14892AD405EB390D3B49840CF60

Function 002CCCF0 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e583062468522b7eea217071335d4c11cbeb41001fe1e80af8c5f703de3f0fc
Instruction ID: a1d49efd0e40852167e7b30cc3d3dc8be23799671cdf49e459cb603c8eca7f19
Opcode Fuzzy Hash: 8e583062468522b7eea217071335d4c11cbeb41001fe1e80af8c5f703de3f0fc
Instruction Fuzzy Hash: B8312B7591021DAFDB24DFA8CC88EAB777DEF84350F24466DF80997244EA309D50CB50

Function 002CF920 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001001,?,00000078), ref: 002CF970

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6098b8c053c0e1227c3b5bd9c5a27c09f7c4a9777d49483953852e028e482679
Instruction ID: 4dee16e23a4e2f7e2da9f474fd9ee37c6de79c7f8c85c3a81011ef6a8fd7cea8
Opcode Fuzzy Hash: 6098b8c053c0e1227c3b5bd9c5a27c09f7c4a9777d49483953852e028e482679
Instruction Fuzzy Hash: 30217F32620206BBEF649E25DE86FBA73A9EF44344F20027EFD05D6151EB74AD609B50

Function 002CF58E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CF6C0,00000001,00000000,?,-00000050,?,002CFD03,00000000,?,?,?,00000055,?), ref: 002CF600

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: bfa1bbcf6f3564d62d7c7dc56b2b5885b9b7acc5e2cdd7a0cb274c9082644e08
Instruction ID: 1c94bdcc3f616fab91e88ec511c470d25e76e70b74f716a1d5bab2d6432f3602
Opcode Fuzzy Hash: bfa1bbcf6f3564d62d7c7dc56b2b5885b9b7acc5e2cdd7a0cb274c9082644e08
Instruction Fuzzy Hash: 0D1155362107025FDB189F38D891ABAB792FF80358B14463DEA8687A40D331A812CB40

Function 002CFB4B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002CF9C6,00000000,00000000,?), ref: 002CFB77

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e9b9bb76f976d978939d02bfe025d280abfce3a5b098e194ec6dca88bf74be17
Instruction ID: 56e016f103ab9ff30b86640693b44f3c3cde31f0f63c24046d6a38c249cffad3
Opcode Fuzzy Hash: e9b9bb76f976d978939d02bfe025d280abfce3a5b098e194ec6dca88bf74be17
Instruction Fuzzy Hash: 8C012B33A20113ABDB285E20C955FBA7769DB44318F15457CAC06E3180DB70FD51CA90

Function 002CF4A0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 002CF4F0

Strings

utf8, xrefs: 002CF456

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: utf8
API String ID: 2299586839-905460609
Opcode ID: 13dd44eef78293e7739b186f3455be9725e09acae419384430028c425d477287
Instruction ID: fc73797d27db14c065331b1c0c471fb56a5043e98d161ca00cb9feee8b4aeb74
Opcode Fuzzy Hash: 13dd44eef78293e7739b186f3455be9725e09acae419384430028c425d477287
Instruction Fuzzy Hash: 75F0C832A61204AFEB10AB34DD4AFBA73ECDB44355F11017AFA06DB141EAB4AD159B90

Function 002CF629 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CF920,00000001,?,?,-00000050,?,002CFCCB,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 002CF673

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: c058dcfabe780585e0c123e5adf4b3c0400c4d5eabafbd4e9b6d5c4e85f7c090
Instruction ID: da3dafce436aa64b241c5139493a3cd27ea5ba3cc914da8092a2459b0e1df166
Opcode Fuzzy Hash: c058dcfabe780585e0c123e5adf4b3c0400c4d5eabafbd4e9b6d5c4e85f7c090
Instruction Fuzzy Hash: 94F0F6362103055FDB149F35DC86F7A7B9AEF80368B25463CF9458B6A0D6B1AC12DB50

Function 002CF543 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(002CF4A0,00000001,?,?,?,002CFD25,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002CF57A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 3307f087016009e9e1082945b08e173854532dd3d234d8f2f51639f195ad82d1
Instruction ID: 2d24bfc9703d0cb933467b7f804f84e57bbfdea01bf461a98e7ae2ee07706b2c
Opcode Fuzzy Hash: 3307f087016009e9e1082945b08e173854532dd3d234d8f2f51639f195ad82d1
Instruction Fuzzy Hash: D5F0553A34030557CB089F39D849B7ABF95EFC1764B46406CEB098B240C6319842CB90

Function 002C6EC2 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 002C2301: EnterCriticalSection.KERNEL32(-003100C0,?,002C48AB,00243AB6,0030ACC8,0000000C,002C4B87,?), ref: 002C2310

EnumSystemLocalesW.KERNEL32(002C6EA0,00000001,0030ADE8,0000000C,002C7387,00000000), ref: 002C6EF4

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 5e74d5066b5f437674107d919ad117162b88aa306420a3f005657fa57124262e
Instruction ID: 384a9db83a56410f5013a12d841edfeece9d941e8fd481ce59495ea9e0744dd1
Opcode Fuzzy Hash: 5e74d5066b5f437674107d919ad117162b88aa306420a3f005657fa57124262e
Instruction Fuzzy Hash: 2BF06D36A50300DFE704EF99E486F9D77B0EB48726F10811AF5119B2A1CBB959008F90

Function 002C73C9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,002C61AA,?,20001004,00000000,00000002,?,?,002C57A8), ref: 002C73FD

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e08f23ce3c511d2943b7fbc3761e478b0b1e4db19ac1daaa605c941df8536822
Instruction ID: e425cb55f87a1a7310841dd508a944ddecbdffd1443f4d40cb96c45433e91e04
Opcode Fuzzy Hash: e08f23ce3c511d2943b7fbc3761e478b0b1e4db19ac1daaa605c941df8536822
Instruction Fuzzy Hash: 37E04F31558168BBCF122F60EC09F9E3E2AEF447A0F008118FD1566160CB728D31AEE5

Function 0024CEA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00025C80), ref: 0024CEBB

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 652f109d89e7f78036f23155d684291bf1859e3d5d6d43e0948cc44bc11ed5d8
Instruction ID: ba52e1796a5c7fa486923fefcedad08dd5a10ff298897ecee628e74660542ddc
Opcode Fuzzy Hash: 652f109d89e7f78036f23155d684291bf1859e3d5d6d43e0948cc44bc11ed5d8
Instruction Fuzzy Hash: 33D022306BD3814AE31E4B38AD0DB803E80071230CF085006E406012C2CBF428F08713

Function 002B54CF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000754E0,002B4BC5), ref: 002B54D4

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78746a139082d390a8d11139183a2f6e0ac6a9becf8018b345cee7c213d52dda
Instruction ID: be025c39a43cba6cd9c1d7dd351aa18e2435692f61b4f76d2b0dae67d07cf518
Opcode Fuzzy Hash: 78746a139082d390a8d11139183a2f6e0ac6a9becf8018b345cee7c213d52dda
Instruction Fuzzy Hash:

Function 002AC5C0 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6453403380a7b34aadd2ec5b6f4e6fc514050c8fed5f45670e5b1e22cf39ce5a
Instruction ID: b14648c09cdfc91fbd42b750968782fc7bfa0924bf10c6dd97ebd1e97735b8d6
Opcode Fuzzy Hash: 6453403380a7b34aadd2ec5b6f4e6fc514050c8fed5f45670e5b1e22cf39ce5a
Instruction Fuzzy Hash: 8F228D71E10219DFCF15DF98C884AAEBBB5BF89310F244169E815AB351DB70AD51CF90

Function 002AC6E0 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b90fb879b8a8ea003658af5eef9001548811b57cd40964113baebda285a45c9
Instruction ID: 805aa1b1cba8747fd9704f10cfa1c6f1c8628e1c727f53d15e8ffe92658c10d6
Opcode Fuzzy Hash: 3b90fb879b8a8ea003658af5eef9001548811b57cd40964113baebda285a45c9
Instruction Fuzzy Hash: F8325771E10259DFCF15DFA8C884AAEBBB5BF49310F2440A9E805AB351DB71AD11CFA0

Function 0029FD20 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8076dd7ca720b42ae06c3f8efee0de5e73b0c5de5720f7eb9c3b1b3a1ca7cf
Instruction ID: 914b9609b7167ba4ef520c491a38639885cb18e0ad33cdee5fb8ff1fcc3dfe0f
Opcode Fuzzy Hash: 1b8076dd7ca720b42ae06c3f8efee0de5e73b0c5de5720f7eb9c3b1b3a1ca7cf
Instruction Fuzzy Hash: 48327870910249DFDF14DF58C994BADBBB1BF49308F148199E8099B392CB75A968CF80

Function 002A8100 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe832cafeae4252b426330cf67226a48b717919387d1670b98870811c6abd5d
Instruction ID: 924a0c24261f98fa65c9196233033cb7d532b415ead03688acdf1702b3fe0c83
Opcode Fuzzy Hash: 6fe832cafeae4252b426330cf67226a48b717919387d1670b98870811c6abd5d
Instruction Fuzzy Hash: 3002D072B286218BDB0CCE19C49033ABBE7BBC9705F154A2DE49797384CE70D955CB86

Function 002BA0D0 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7471089b39a0c606a1ead41c5972f56f77b679b77ddc466d9b28eb3e4bb7b9c1
Instruction ID: 59491522af68f2eea7622e4df4fe50f2e6fbe0d8a3a5f30cd3876718a404353f
Opcode Fuzzy Hash: 7471089b39a0c606a1ead41c5972f56f77b679b77ddc466d9b28eb3e4bb7b9c1
Instruction Fuzzy Hash: 3A023B71E1021A9FDF14CFA8D8806EDFBB1FF88354F24826AD915AB344D731AA51CB91

Function 002BDF0B Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca69180bb57cccfb2e6c13dd4c0cecf0bd6cf031ae4c6ec8b8075e5c1f824ff
Instruction ID: 5bcbb023becb17ae1cc856d2f7a4eed245863ce2455327b587413d1f0764d624
Opcode Fuzzy Hash: 3ca69180bb57cccfb2e6c13dd4c0cecf0bd6cf031ae4c6ec8b8075e5c1f824ff
Instruction Fuzzy Hash: 6102DF70A206068FCF24DF28C480AFAB7F1FF48394F254A59D45BAB291D771AC62CB51

Function 002A4A50 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4911864617fdf83a06b6adce574f5103a532950a914ed70c71664c61b15ba0a
Instruction ID: 703e5deda353bac6a99e6f3d9049a5b88a6309f9691340991b815ee02211453d
Opcode Fuzzy Hash: f4911864617fdf83a06b6adce574f5103a532950a914ed70c71664c61b15ba0a
Instruction Fuzzy Hash: 6C023F72A083018BC75CCF19D89056BF7E2BFCC314F19892EF89A93355DB70A955CA86

Function 002BDACC Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a8202252df956a005388096f879b4c09ec12c0603b9b94b3cd752c41ff1f0d
Instruction ID: c4aab84fc30a4a2348581f7a5ddd755258eb0c13402d274209f148a3c0254b59
Opcode Fuzzy Hash: b8a8202252df956a005388096f879b4c09ec12c0603b9b94b3cd752c41ff1f0d
Instruction Fuzzy Hash: E1E10F749206078FCB28CF68C484AFABBB1FF14394F14861ED4969B691E775EC62CB50

Function 00252940 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e206b806fc2f2d15c42555acfeba3d2c160a7d8809909fbe2a5ce934a7d32e61
Instruction ID: 3dbcb43ebc07f7a2df056e3d4297a7d14ff5176b0d1b16932cb6af7de9da5a27
Opcode Fuzzy Hash: e206b806fc2f2d15c42555acfeba3d2c160a7d8809909fbe2a5ce934a7d32e61
Instruction Fuzzy Hash: 11E19C72A18305CFC718CF19D49056AFBE2BFD9310F198A6DE88A57394CA70AD1DCB85

Function 002AE640 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f79f5fec76a827348ddce4bf634d1cead62ca974fa53a81a2a47e8160ea0b21
Instruction ID: 755f6d50b5a42d4188d396e819d99ffc9b385b7767f547a89cd88c277aa42c7f
Opcode Fuzzy Hash: 4f79f5fec76a827348ddce4bf634d1cead62ca974fa53a81a2a47e8160ea0b21
Instruction Fuzzy Hash: 19F191705142A18BD749CF1AE8E04AB77E1FBCD311F458A0EF58687395C734E626CBA1

Function 002C8E60 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1557de346b51a715020df214854dc7e53798be9dd99d05bffbebc2292b48854d
Instruction ID: 9ef6722512528afb7a53b1ed9ee7f22411d458d109993d5b8165a0b020d5b8db
Opcode Fuzzy Hash: 1557de346b51a715020df214854dc7e53798be9dd99d05bffbebc2292b48854d
Instruction Fuzzy Hash: 7291C832C20E4A8ADB12CF68C849BDEB772AF46360F298349DC597F291D77498E5C750

Function 0024EAA0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260f7346573ee0492d7d087c9a02f31b07962f178dacaa3a5896be440bf1b46
Instruction ID: 56a460836c3f9a0e4b2822ed7c17841ad88960cf348009d410f8dde5208d4f4e
Opcode Fuzzy Hash: 6260f7346573ee0492d7d087c9a02f31b07962f178dacaa3a5896be440bf1b46
Instruction Fuzzy Hash: 11717071A246168FDB18CF28C48062AB7E1FFD4354F168A2EE856D7354D730E964CBC1

Function 0024E870 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d934bc695e1d0d50cbc75462444d9697a9e6472ccb29cd5305cced352182a1
Instruction ID: ccc47d0f853d89b22338dea3d480a3ecb34185ba569be27832da047eeb1df2df
Opcode Fuzzy Hash: d2d934bc695e1d0d50cbc75462444d9697a9e6472ccb29cd5305cced352182a1
Instruction Fuzzy Hash: 5E713E76E201298FDF18CF6DC8805ADB7F5FB48310F5A4669E815EB354E770A910CB94

Function 002AE090 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction ID: 3936c47df6e1ad503fc24541205be2746f50d67742c30e498a7536bdc5a2c664
Opcode Fuzzy Hash: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction Fuzzy Hash: 58414B72B143610BCF148E2C8CE4269BAD29BD6325F0B877DD89A97381D9B48C1EC791

Function 0024E540 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59845c80f73a15e3b05cb42bff5b3d653e629c8e708305577ecb24b55e42dd06
Instruction ID: f826a67953b8fc306aeb98bfd838b41f8b3848833cd5af4951fff1bff9aa0a8b
Opcode Fuzzy Hash: 59845c80f73a15e3b05cb42bff5b3d653e629c8e708305577ecb24b55e42dd06
Instruction Fuzzy Hash: 4341B472B2421A4BEB0CDF2DD84093AB3EABBE4304F56862DE506C7254FB70D925C6C5

Function 002AE490 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28382760f5826ba8b86f3d3185c11f78971d9eb01ebd0ef70525be43b5095a9f
Instruction ID: 6ff2b293f63db8304fb3f4801efe7cd8fd4e121cdec4c6bfdd3556c57b272a93
Opcode Fuzzy Hash: 28382760f5826ba8b86f3d3185c11f78971d9eb01ebd0ef70525be43b5095a9f
Instruction Fuzzy Hash: C3317871A102721FDB50CE1E8C44535BBD5EBCA311F8A41BAE4F4CB342D638DA0797A0

Function 0029D6F0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b46043004ac8ee5073276c9609b340daa0962de972f7f21fc85175d3f0f8ee2
Instruction ID: 7994ca3947f680634f015d1431a1f65be65f02f32869516c26c44ef250ef3cc5
Opcode Fuzzy Hash: 6b46043004ac8ee5073276c9609b340daa0962de972f7f21fc85175d3f0f8ee2
Instruction Fuzzy Hash: A02107367709020B9B8CCB2DDC766B932D5E78D301788D67DEA5BCB291E7388525C740

Function 002AA4B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction ID: f110f49c1cb3329c00f9dc9c21019dadcf8871cd7a8d4e71d76144df1074f951
Opcode Fuzzy Hash: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction Fuzzy Hash: BF2192719202235BD21ACE1DC8445B6F795FF86305F81832AED8097249CB39E835D7D0

Function 002AA410 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction ID: 2fd3730a4c63b1272fe99ab03083072b0e5059c838ed207843ed3deb0490e6f7
Opcode Fuzzy Hash: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction Fuzzy Hash: 621148315202324BD719CD2CD888676B394EF8A315F86836AED41AB148CB25FC35C3E1

Function 00296A70 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 397filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,2DDDF7D7,?,00000000), ref: 00296ACD
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296AEB
GetFileTime.KERNEL32(00000000,00000000,00000000,00290E15,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF), ref: 00296B0C
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296B16
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296B34
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296BA0
FileTimeToSystemTime.KERNEL32(00290E15,002F8E10,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?), ref: 00296BB5
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296BBF
SystemTimeToFileTime.KERNEL32(002F8E10,00290E15,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?), ref: 00296C26
SystemTimeToFileTime.KERNEL32(002F8DFE,002F2ECC,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?), ref: 00296C47
CompareFileTime.KERNEL32(002F2ECC,00290E15,?,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?), ref: 00296C5D
PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296CCF
CreateFileW.KERNEL32(00000000,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,?,00000001,S-1-1-0,?,00000001), ref: 00296D3B
GetLastError.KERNEL32(?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15), ref: 00296D4D
CloseHandle.KERNEL32(00000000,?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,002E3B2D,000000FF), ref: 00296D59
CopyFileExW.KERNEL32(?,00000000,00297340,002F8DA8,00000000,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF), ref: 00296D91
GetLastError.KERNEL32(?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296D9B
DeleteFileW.KERNEL32(002F89C4,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296E44
MoveFileW.KERNEL32(00000000,002F89C4), ref: 00296E4F
CopyFileW.KERNEL32(00000000,002F89C4,00000000,?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296E5F
GetLastError.KERNEL32(?,?,?,?,?,?,?,002E3B2D,000000FF,?,00290E15,?,?), ref: 00296E69

Strings

S-1-1-0, xrefs: 00296CF6
.part, xrefs: 00296C9F
S-1-5-18, xrefs: 00296D06

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$Time$ErrorLast$CloseHandleSystem$CopyCreate$CompareDeleteExistsMovePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1792433798-2727065896
Opcode ID: b038db02740481170ff7e169939498d9336bc6fd0f0ab225e2542200432d9066
Instruction ID: 189f118a78aeb6afa00616b43027a1333e11504f0db4324fc8d52f6604ad6fbb
Opcode Fuzzy Hash: b038db02740481170ff7e169939498d9336bc6fd0f0ab225e2542200432d9066
Instruction Fuzzy Hash: FCF19970A502569FDF15DFA4DC8CBAEBBF4AF08310F144169E901AB2D1DB70AD94CBA1

Function 00295F10 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 267windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00295F3D
GetWindowLongW.USER32(?,000000F0), ref: 00295F52
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00295F69
GetWindowLongW.USER32(?,000000EC), ref: 00295F82
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00295F96
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00295FA4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00295FB7
GetDlgItem.USER32(?,0000E801), ref: 00295FC4
IsWindow.USER32(00000000), ref: 00295FCD
DestroyWindow.USER32(00000000,?,00000000), ref: 00295FE9
GetClientRect.USER32(?,800040FD), ref: 00296041
GetDlgItem.USER32(?,0000E801), ref: 00296060
IsWindow.USER32(00000000), ref: 00296067
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5402001C,?,?,?,?,?,0000E801,00000000), ref: 002960AC
IsWindow.USER32(00000000), ref: 002960B5
GetWindowRect.USER32(00000000,800040ED), ref: 002960D1
MapWindowPoints.USER32(00000000,00000001,800040ED,00000002), ref: 002960E6
GetClientRect.USER32(?,800040ED), ref: 00296143
GetWindowRect.USER32(?,800040ED), ref: 0029614B
GetDlgItem.USER32(FFFFFFFF,0000042B), ref: 002961E3
GetWindowRect.USER32(00000000,800040ED), ref: 002961F7
MapWindowPoints.USER32(00000000,00000000,800040ED,00000002), ref: 0029620C

Strings

SCROLLBAR, xrefs: 002960A5

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$LongRect$Item$ClientMessagePointsSend$CreateDestroy
String ID: SCROLLBAR
API String ID: 3826962570-324577739
Opcode ID: 741adc15c345e51bc9d0f91639d9af35b369e46d94fdcf3aa9c0b8891c51c49d
Instruction ID: ce6582a91b173ee0118388983ecf79d4353ae4435d2c259da736108faf5be013
Opcode Fuzzy Hash: 741adc15c345e51bc9d0f91639d9af35b369e46d94fdcf3aa9c0b8891c51c49d
Instruction Fuzzy Hash: 04B17970618341AFEB50DF28D888B5ABBF5FF89310F104A1DF995D72A0DB71A854CB92

Function 00260BF0 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 360memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(?,2DDDF7D7,?,00000000,00000000), ref: 00260C79
CharNextW.USER32(?,00000000,00000000), ref: 00260CF8
CharNextW.USER32(00000000,?,00000000,00000000), ref: 00260D01
CharNextW.USER32(00000000,?,00000000,00000000), ref: 00260D0A
CharNextW.USER32(00000000,?,00000000,00000000), ref: 00260D13
CharNextW.USER32(?,?,00000000,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260D5D
CharNextW.USER32(?,?,00000000,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260D71
CharNextW.USER32(00000000,}},00000009,?,00000000,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260DEE
CharNextW.USER32(00000000,?,00000000,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260E27
EnterCriticalSection.KERNEL32(0000001B,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260E70
lstrcmpiW.KERNEL32(?,?,?,00000000,00000000), ref: 00260E8A
LeaveCriticalSection.KERNEL32(0000001B,?,00000000,00000000), ref: 00260E9E
LeaveCriticalSection.KERNEL32(0000001B,?,00000000,00000000), ref: 00260ECE
CharNextW.USER32(00000000,?,?), ref: 00260F21
CharNextW.USER32(?,00000000,00000001,2DDDF7D7,?,00000000,00000000), ref: 00260F44
CoTaskMemFree.OLE32(00000000,2DDDF7D7,?,00000000,00000000), ref: 00260F92

Strings

HKCU{Software{Classes, xrefs: 00260D27
}}, xrefs: 00260DC7
HKCR, xrefs: 00260CDF

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CharNext$CriticalSection$LeaveTask$AllocEnterFreelstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3576304915-1142484189
Opcode ID: 82b66779ce0b0830498912bb0e82dbe434a5e9815755130ef24ff097772111c5
Instruction ID: d5e3d8ce3a53966d3f754f69a0f254f6a2cdeef210cbb705bc527c24ecf57d68
Opcode Fuzzy Hash: 82b66779ce0b0830498912bb0e82dbe434a5e9815755130ef24ff097772111c5
Instruction Fuzzy Hash: 5ED1C3709243569FCB24DFA4D8C8BAFBBB4EF08700F240569E845DB281DB719DA4DB90

Function 0026BD40 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 292libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00310AF0,2DDDF7D7), ref: 0026BDB3
EnterCriticalSection.KERNEL32(00310AF0,2DDDF7D7), ref: 0026BDC8
GetCurrentProcess.KERNEL32 ref: 0026BDD5
GetCurrentThread.KERNEL32 ref: 0026BDE3
SymSetOptions.IMAGEHLP(80000016), ref: 0026BE0F
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0026BE7D
GetProcAddress.KERNEL32(00000000), ref: 0026BE84
SymInitialize.IMAGEHLP(00000000,00000000,00000001,002F37C0,00000000), ref: 0026BECC
StackWalk.IMAGEHLP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,?,?,?), ref: 0026C00F
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,?,?,?), ref: 0026C0C0
SymCleanup.IMAGEHLP(?,?), ref: 0026C1A2
LeaveCriticalSection.KERNEL32(00310AF0,?), ref: 0026C1CD

Strings

[0x%.8Ix] , xrefs: 0026C0C7
Dbghelp.dll, xrefs: 0026BE78
MODULE_BASE_ADDRESS, xrefs: 0026C0F2
*** Stack Trace (x86) ***, xrefs: 0026BFA2
<--------------------MORE--FRAMES-------------------->, xrefs: 0026C05D
SymFromAddr, xrefs: 0026BE73

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: 7ca70838e269df514213fdf07a757fef0aeef8c2f81dbbff9cd8fbc7d3773ebc
Instruction ID: 4aaea975c61490acd56f970ca37fc9882188938466d6c7209a544ed310598fee
Opcode Fuzzy Hash: 7ca70838e269df514213fdf07a757fef0aeef8c2f81dbbff9cd8fbc7d3773ebc
Instruction Fuzzy Hash: 6BC1EE709606689FDB21EF24DC88BEEBBB4AF06304F1041D8E508A7292DB742BD4CF51

Function 0025AC20 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 347libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,2DDDF7D7,?,?,?,?,?,?,?,?,2DDDF7D7,002D91F5,000000FF,?,0025A02A), ref: 0025AC93
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025AC99
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,2DDDF7D7,002D91F5,000000FF,?,0025A02A,002F4350,2DDDF7D7), ref: 0025ACE0
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025ACE6
CoInitializeEx.OLE32(00000000,00000000,2DDDF7D7,?,?,?,002D922D,000000FF), ref: 0025B005

Part of subcall function 00258780: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00258890

Part of subcall function 002B3148: GetCurrentThreadId.KERNEL32 ref: 002B3173

Strings

CoIncrementMTAUsage, xrefs: 0025ACD6
.dll, xrefs: 0025AE02
combase.dll, xrefs: 0025AC8E, 0025ACDB
DllGetActivationFactory, xrefs: 0025AE5E
RoGetActivationFactory, xrefs: 0025AC89

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc$CurrentFolderInitializePathThread
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2148253048-2454113998
Opcode ID: 32bc50f97469aebe8337b43c7afb604fb89393ef0775ed2478ec70e7efbe54d3
Instruction ID: 7b41572ffa99f3501842136655496fd668d5bc63c1ad574baabad2a9c4e0996f
Opcode Fuzzy Hash: 32bc50f97469aebe8337b43c7afb604fb89393ef0775ed2478ec70e7efbe54d3
Instruction Fuzzy Hash: A5D1D370D20209EFCB15EFA4D856BEEFBB4EF48711F144229E801A7290DB709E68CB55

Function 00271410 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 231COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000007,000001F6), ref: 00271458
GetDlgItem.USER32(00000007,000001F8), ref: 00271468
GetDlgItem.USER32(00000007,000001F7), ref: 002714AE
SetWindowTextW.USER32(00000000,?), ref: 002714C1
ShowWindow.USER32(00000000,00000005), ref: 0027151F
GetDlgItem.USER32(00000007,000001F7), ref: 00271545
SetWindowTextW.USER32(00000000,?), ref: 00271558
ShowWindow.USER32(00000000,00000000), ref: 002715B5
ShowWindow.USER32(?,00000000), ref: 002715C0
SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 0027160D
GetDlgItem.USER32(?,000000FF), ref: 00271640
IsWindow.USER32(00000000), ref: 0027164A
IsRectEmpty.USER32(?), ref: 00271667
SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 00271697

Strings

Details <<, xrefs: 00271495
Details >>, xrefs: 0027152C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: c5e46d3ae70371c479d350a79686ad97bb726c86a3475e2f0c5dcf28350d0d78
Instruction ID: 141078ffa02131981bc8757be5a25f2610782d6cd5e583593efa2bb2016a608c
Opcode Fuzzy Hash: c5e46d3ae70371c479d350a79686ad97bb726c86a3475e2f0c5dcf28350d0d78
Instruction Fuzzy Hash: C981C171920204AFDB14DFA8DC89BAEBBB5EF44704F24825DF916A6691D730A960CF50

Function 0025FE40 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 276COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,2DDDF7D7), ref: 0025FEE8
GetLastError.KERNEL32 ref: 0025FEF2
EnterCriticalSection.KERNEL32(?), ref: 0025FF64
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0025FF91
GetModuleFileNameW.KERNEL32(00240000,?,00000104), ref: 0025FFEA
GetModuleHandleW.KERNEL32(00000000), ref: 00260052
EnterCriticalSection.KERNEL32(?), ref: 00260063
EnterCriticalSection.KERNEL32(?), ref: 0026011B
LeaveCriticalSection.KERNEL32(?,Module,?), ref: 0026014F
EnterCriticalSection.KERNEL32(?), ref: 00260174
LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 002601A8

Strings

REGISTRY, xrefs: 00260229
Module, xrefs: 00260136
8F/, xrefs: 0025FF12
Module_Raw, xrefs: 0026018F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$Enter$Leave$Module$ErrorFileHandleInitializeLastName
String ID: 8F/$Module$Module_Raw$REGISTRY
API String ID: 2998937331-594715233
Opcode ID: b537ac742a50adce1b45d26fc69e127e511f05267425c7e391ccd3c8b2e464c8
Instruction ID: c860e1bcdf60f8cd3701435ca211f7e021c37de0696974f4d538ce89d9bb3c6e
Opcode Fuzzy Hash: b537ac742a50adce1b45d26fc69e127e511f05267425c7e391ccd3c8b2e464c8
Instruction Fuzzy Hash: CCB1BF31914318DBDB20DF64DD88B9EB7B4AF4A300F1441E9E90DA7A80E7759E94CF92

Function 00296640 Relevance: 25.8, APIs: 17, Instructions: 332COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,?), ref: 00296685
GetWindowRect.USER32(00000000,80004109), ref: 00296695
MapWindowPoints.USER32(00000000,00000000,80004109,00000002), ref: 002966C1
InvalidateRect.USER32(?,00000000,00000001), ref: 002969AE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 002969D7

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: 7a165b442808cbc864ae89fd66e4a23574f8f15f14de2f4f65e35d35c9e19de3
Instruction ID: ebe214f1c982ae90ec8c787de57bf15a9dd82c92fdc31cfbc8602874f72a7148
Opcode Fuzzy Hash: 7a165b442808cbc864ae89fd66e4a23574f8f15f14de2f4f65e35d35c9e19de3
Instruction Fuzzy Hash: B3D14B71618706AFDB08CF68D988B6ABBE5FF88304F088A2CF985D7254D770E854CB51

Function 002571F0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,2DDDF7D7,00000000,?,?,?,?,?,?,?,?,?,?,?,2DDDF7D7), ref: 00257273
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00257279
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 002572D0
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,002F37C0,00000000,00000000,00000000), ref: 0025743B

Strings

CoIncrementMTAUsage, xrefs: 0025731A
.dll, xrefs: 00257422
combase.dll, xrefs: 0025726E, 0025731F
DllGetActivationFactory, xrefs: 0025747E
RoGetActivationFactory, xrefs: 00257269

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$AddressErrorInfoProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 3571556279-2454113998
Opcode ID: 4af80877861ea8b4576308e3c331b399272d232028f403477ee95b5045f85c41
Instruction ID: f31281e3902b7a81992dc00369381aa33953cd757800e6a7e36d4fe1190279b0
Opcode Fuzzy Hash: 4af80877861ea8b4576308e3c331b399272d232028f403477ee95b5045f85c41
Instruction Fuzzy Hash: BDB1AC70D6420AEFCB14DFA4E855BADBBB4FF48311F144169EC01A7290E770AD68CB94

Function 002710F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002698C0: LoadLibraryW.KERNEL32(ComCtl32.dll,2DDDF7D7,00000007,00000007,?), ref: 002698FA
Part of subcall function 002698C0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00269920
Part of subcall function 002698C0: FreeLibrary.KERNEL32(00000000), ref: 002699A9

GetDlgItem.USER32(?,000001F4), ref: 0027112B
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 0027113A
GetDC.USER32(00000000), ref: 00271146
GetDeviceCaps.GDI32(00000000), ref: 0027114D
MulDiv.KERNEL32(00000009,00000000), ref: 00271156
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 0027117F
GetDlgItem.USER32(?,000001F6), ref: 00271190
IsWindow.USER32(00000000), ref: 00271199
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 002711B0
GetDlgItem.USER32(?,000001F8), ref: 002711BE
GetWindowRect.USER32(?,?), ref: 002711CD
GetWindowRect.USER32(00000000,?), ref: 002711E1
GetWindowRect.USER32(00000000,?), ref: 002711F5

Strings

Courier New, xrefs: 0027115C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 58bbec6b92532e36b0a9d178b3a43235de0cada95251af54b062a9e54f1b50b8
Instruction ID: 2650f37c6a1f7bbace3911c2d2d9af7d8efb6426adfb325baf2209528b8a4f6f
Opcode Fuzzy Hash: 58bbec6b92532e36b0a9d178b3a43235de0cada95251af54b062a9e54f1b50b8
Instruction Fuzzy Hash: 5D4197717D4341BBFB545F209C9AFAA37A9EF48B01F104568FB09AD1D2DAB0A8548B14

Function 00264B10 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 399libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 00264BA2
GetLastError.KERNEL32 ref: 00264BD0

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00264BE6
FreeLibrary.KERNEL32(00000000), ref: 00264C02
GetLastError.KERNEL32 ref: 00264C0F
GetLastError.KERNEL32 ref: 00264E06
GetLastError.KERNEL32 ref: 00264E6B

Strings

Advapi32.dll, xrefs: 00264B9D
ConvertStringSidToSidW, xrefs: 00264BE0

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 3460774402-1129428314
Opcode ID: 6ab0427c8b23b40076d5a2e32388be3d5c27fd66da93c044eab512b0ce8acaff
Instruction ID: c0df667d188e82e0ebf4f5e394d4268cc01e9429a2526ba2889a54c4de4e36a2
Opcode Fuzzy Hash: 6ab0427c8b23b40076d5a2e32388be3d5c27fd66da93c044eab512b0ce8acaff
Instruction Fuzzy Hash: 2EF19FB1C1125AEBDB00EF94D944BEEFBB4FF48310F204119E915B7281D771AAA4CBA1

Function 00291750 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,2DDDF7D7,?,?,00000000), ref: 0029178F
GetLastError.KERNEL32 ref: 002917B0

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

GetFileSize.KERNEL32(00000000,00000000), ref: 002917C0
GetLastError.KERNEL32 ref: 002917CD
CloseHandle.KERNEL32(?), ref: 00291A94

Strings

US-ASCII, xrefs: 00291966
utf-16, xrefs: 00291862
ISO-8859-1, xrefs: 00291949
utf-8, xrefs: 00291845

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLast$AllocateCloseCreateHandleHeapSize
String ID: ISO-8859-1$US-ASCII$utf-16$utf-8
API String ID: 4082270022-3020978663
Opcode ID: 4860b3f21d57e0fb943747c984ed1416f5658e6d593ff7d23c8fa2ff7150170a
Instruction ID: 61c6441b47f2ec0e5d1697eba0e2688e1d39ae4249dafec3363409c6b293a665
Opcode Fuzzy Hash: 4860b3f21d57e0fb943747c984ed1416f5658e6d593ff7d23c8fa2ff7150170a
Instruction Fuzzy Hash: 48A1D470A10307AFDF10DFA6CC89BAEB7B9AF14350F144528E915AB391DB749D20CB61

Function 0026A750 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 211fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00310A68,2DDDF7D7,00000000,?), ref: 0026A78C

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

EnterCriticalSection.KERNEL32(?,2DDDF7D7,00000000,?), ref: 0026A799
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A7CB
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A7D4
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,002F4EF4,00000001,?,?,000000FF,00000000), ref: 0026A86C
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A875
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,?,?,000000FF,00000000), ref: 0026A8BD
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A8C6
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000,002F37E8,00000002,?,?,000000FF,00000000), ref: 0026A935
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A93E
LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0026A97A

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

Strings

7/, xrefs: 0026A8F8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindHeapInitializeLeaveProcessResource
String ID: 7/
API String ID: 3680465103-3756460529
Opcode ID: 9a3e3a670579fb4bef2ca50a23312f46f108c1d8cdfde4d79ad3cec3c87e3e04
Instruction ID: 18c7e2a9577c12a6bf63e59f48e30a7805656065edfcee4c53eb3edf565f055b
Opcode Fuzzy Hash: 9a3e3a670579fb4bef2ca50a23312f46f108c1d8cdfde4d79ad3cec3c87e3e04
Instruction Fuzzy Hash: 7571CE31A012459FDB01DF68DC89BAEBBB8FF44320F144198E911AB3A1DB349E55CFA1

Function 00270770 Relevance: 21.1, APIs: 14, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002707A9
GetWindowLongW.USER32(?,000000F0), ref: 002707BE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002707D4
GetWindowLongW.USER32(?,000000EC), ref: 002707E7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002707FA
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00270808
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0027081B
GetClientRect.USER32(?,?), ref: 00270830
GetClientRect.USER32(?,?), ref: 00270858
GetWindowRect.USER32(?,?), ref: 00270860
GetDlgItem.USER32(?,?), ref: 00270897
IsWindow.USER32(00000000), ref: 002708A2
GetWindowRect.USER32(?,?), ref: 002708BD
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 002708CE

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Rect$ClientMessageSend$ItemPoints
String ID:
API String ID: 3417004906-0
Opcode ID: 3f7d2de904c6814bb502aab9ecbe1e10775225253ce85d412fcb988dd9f2e64a
Instruction ID: c7cb56c93a552835137cfda18e07b7895eef4f99db48ecf6fec7908b50f7976f
Opcode Fuzzy Hash: 3f7d2de904c6814bb502aab9ecbe1e10775225253ce85d412fcb988dd9f2e64a
Instruction Fuzzy Hash: F1418071558342DFD760DF64EC88B5BB7E4FF58310F208B1DF89A96291D730A8988B62

Function 0027BEA0 Relevance: 19.7, APIs: 13, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0027BEE7
GetParent.USER32(00000000), ref: 0027BEFA
GetWindow.USER32(00000000,00000004), ref: 0027BF05
GetWindowRect.USER32(?,80004055), ref: 0027BF13
GetWindowLongW.USER32(00000000,000000F0), ref: 0027BF26
MonitorFromWindow.USER32(?,00000002), ref: 0027BF3E
GetMonitorInfoW.USER32(00000000,8000402D), ref: 0027BF54
GetWindowRect.USER32(00000000,80004075), ref: 0027BF7A
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 0027C035

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: 5dc3f5969aa1437f91c988f37414992b90d06bfad58e2061f97f177369ad7eee
Instruction ID: 42d277440ccbd3342584d01f5a1209005c7b5291127002501615fd843a33f510
Opcode Fuzzy Hash: 5dc3f5969aa1437f91c988f37414992b90d06bfad58e2061f97f177369ad7eee
Instruction Fuzzy Hash: 97518072914209AFDB11CF78DD89BAEBBB9FB44710F244269F815E7290DB30AD108B50

Function 002908D0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 473synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 002909C2
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,.part,00000005,?,?,?), ref: 00290AFC
GetFileSize.KERNEL32(00000000,00000000), ref: 00290B31
CloseHandle.KERNEL32(00000000), ref: 00290B55
ResetEvent.KERNEL32(?,00000000,002F8A34,00000000,00000000,00000000,00000000,00000000,?), ref: 00290E6B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00290E94
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00290EA2

Strings

#, xrefs: 00290D62
<, xrefs: 002909B1
.part, xrefs: 00290925

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileObjectSingleWait$CloseCreateErrorEventHandleLastResetSize
String ID: #$.part$<
API String ID: 1885162932-1559421475
Opcode ID: 740d6029514921228aa95413cb25d7bd8ddfc38b6f0e31badbb0497402efb764
Instruction ID: 7eb861b7d46c4dbcfa837da18d9371465396e1bf32f9f3fd97a14a625352ac8d
Opcode Fuzzy Hash: 740d6029514921228aa95413cb25d7bd8ddfc38b6f0e31badbb0497402efb764
Instruction Fuzzy Hash: 29229030910659DFEF24CF64CC88BADBBB5BF09314F148299E509A7281DB70AE94CF91

Function 00275B60 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 309fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00244450: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 00244547
Part of subcall function 00244450: GetProcAddress.KERNEL32(00000000), ref: 0024454E
Part of subcall function 00244450: PathFileExistsW.SHLWAPI(?), ref: 002445BC

Part of subcall function 00244850: GetTempFileNameW.KERNEL32(?,00000000,00000000,?,2DDDF7D7,?,00000004), ref: 002448C8

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,00000000), ref: 00275CCD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00275CF5
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000000), ref: 00275D37
CloseHandle.KERNEL32(?,?,00000000), ref: 00275DAA
ShellExecuteW.SHELL32(00000000,open,?,00000000,?,00000000), ref: 00275DDE

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

ShellExecuteExW.SHELL32(?), ref: 00275E36

Strings

runas, xrefs: 00275E1E
open, xrefs: 00275DD7
EXE, xrefs: 00275C08
.bat, xrefs: 00275C03

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$Handle$CloseExecuteShell$AddressCreateExistsFindHeapModuleNamePathProcProcessResourceTempWrite
String ID: .bat$EXE$open$runas
API String ID: 1017135135-1492471297
Opcode ID: 1c41d5d0906230517dc83d1496c762fc197950ea11cf6bbbd11a1102f227ae46
Instruction ID: 0519819649e30ed8b860feced255d400b369afb91c17c73b82ceb48814676b87
Opcode Fuzzy Hash: 1c41d5d0906230517dc83d1496c762fc197950ea11cf6bbbd11a1102f227ae46
Instruction Fuzzy Hash: C4C1AD70900649DFDB04DF68C888B9DBBB5EF48324F248259F919AB2D1DBB49E05CF90

Function 002AF270 Relevance: 16.6, APIs: 11, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 002AF27C
GetLastError.KERNEL32 ref: 002AF286
SetEvent.KERNEL32(?), ref: 002AF28F
GetLastError.KERNEL32 ref: 002AF299
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002AF2A4
GetLastError.KERNEL32 ref: 002AF2AF
CloseHandle.KERNEL32(00000000), ref: 002AF2BD
GetLastError.KERNEL32 ref: 002AF2C7
CloseHandle.KERNEL32(?), ref: 002AF2DE
GetLastError.KERNEL32 ref: 002AF2E8
CloseHandle.KERNEL32(?), ref: 002AF2FF

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Event$ObjectSingleWait
String ID:
API String ID: 2663162059-0
Opcode ID: bab078901b3c68244054a291854f33b0abfbc487f77e629a849ce497a1ad9211
Instruction ID: 2421c21217043af958883ba951f8894bee11bff22af50047b77098e03f4beb18
Opcode Fuzzy Hash: bab078901b3c68244054a291854f33b0abfbc487f77e629a849ce497a1ad9211
Instruction Fuzzy Hash: A9114F34168782CBDBB05FB1FD8C7167BB4BF12355F104629E852CA4A0EB34D8548B60

Function 00259AF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C08
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C12
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C24
GetExitCodeProcess.KERNEL32(?,?), ref: 00259C41
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C4B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C58
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00259C62

Strings

"%s" %s, xrefs: 00259B90
D, xrefs: 00259B21

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$D
API String ID: 3234789809-3971972636
Opcode ID: fb97613d6550d2f7e42a21b170ad79bc85ed3d4ded56a891a6d7fa79eec3a44c
Instruction ID: 0191e07abdeefddc5217c0c50f429c8cf45cfb9d4196f766931b1a3324940be2
Opcode Fuzzy Hash: fb97613d6550d2f7e42a21b170ad79bc85ed3d4ded56a891a6d7fa79eec3a44c
Instruction Fuzzy Hash: 5451C071E10216DFDB14CF64DC44BAEB7B9FF48316F20462AED21A7280D770A995CB94

Function 00255100 Relevance: 15.3, APIs: 10, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32(00000000,00000000,2DDDF7D7,00000000), ref: 0025517A
SysFreeString.OLEAUT32(00000001), ref: 00255200
SysFreeString.OLEAUT32(00000000), ref: 00255288
SysStringLen.OLEAUT32(00000000), ref: 002552B7
GetProcessHeap.KERNEL32(-000000FE,?), ref: 00255300
HeapFree.KERNEL32(00000000,-000000FE,?), ref: 00255306
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,2DDDF7D7,00000000), ref: 00255333
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,2DDDF7D7,00000000), ref: 00255339
SysFreeString.OLEAUT32(00000000), ref: 00255351
SetErrorInfo.OLEAUT32(00000000,00000000), ref: 00255407

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Free$HeapString$ErrorInfoProcess
String ID:
API String ID: 1533966657-0
Opcode ID: b2685ccd354d001a88cd76ff17ab56d9118423dfa6a07c949e9dfce03a74ed44
Instruction ID: 7b17fa3cf88d8a59b669cefa8af7198f38e35ca5bfe294f3abb669cb23ffbd9f
Opcode Fuzzy Hash: b2685ccd354d001a88cd76ff17ab56d9118423dfa6a07c949e9dfce03a74ed44
Instruction Fuzzy Hash: D5A1BC70D2062AEFDB10DFA4C854BEEBBB8EF05311F144559EC15AB281D7B49E18CBA1

Function 00270F30 Relevance: 15.2, APIs: 10, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00270F3E
DeleteObject.GDI32(?), ref: 00270F96

Part of subcall function 00270910: IsWindowVisible.USER32 ref: 00270926
Part of subcall function 00270910: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0027093C
Part of subcall function 00270910: GetWindowLongW.USER32(?,000000F0), ref: 00270946
Part of subcall function 00270910: GetDlgItem.USER32(?,?), ref: 002709B2
Part of subcall function 00270910: GetWindowRect.USER32(00000000,?), ref: 002709CA
Part of subcall function 00270910: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 002709DB

EndDialog.USER32(?,00000000), ref: 00271016

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$DeleteDialogItemMessageObjectPointsRectSendVisible
String ID:
API String ID: 2368538989-0
Opcode ID: 981915bddc98e002ed6bb2c7934dd030e4328518a00b21a699adb438271f4e09
Instruction ID: 3d070077e1d022f1ed338cea83b724d337a7f49039e725d4d2094ee2d68ac8a9
Opcode Fuzzy Hash: 981915bddc98e002ed6bb2c7934dd030e4328518a00b21a699adb438271f4e09
Instruction Fuzzy Hash: 2141233236421557D7249E2EAC4DBBB3398EB85731F00876AFD5AC66D0CA72C87197A0

Function 0028D6A0 Relevance: 15.1, APIs: 10, Instructions: 148windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 0028D6DB
SendMessageW.USER32(00000000,00000406,00000000,?), ref: 0028D6EF

Part of subcall function 00294D20: GetWindowLongW.USER32(?,000000F0), ref: 00294D35
Part of subcall function 00294D20: GetParent.USER32(?), ref: 00294D43

GetDlgItem.USER32(?,0000040A), ref: 0028D719

Part of subcall function 0028CEB0: SetWindowLongW.USER32(?,000000FC,00000000), ref: 0028CEF3
Part of subcall function 0028CEB0: GetWindowLongW.USER32(?,000000F0), ref: 0028CF08
Part of subcall function 0028CEB0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0028CF20
Part of subcall function 0028CEB0: CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 0028CF5D
Part of subcall function 0028CEB0: IsWindow.USER32(00000000), ref: 0028CF67
Part of subcall function 0028CEB0: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0028CF7D

Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0028CA3E
Part of subcall function 0028CA00: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0028CA4D

Part of subcall function 0027BEA0: GetWindowLongW.USER32(?,000000F0), ref: 0027BEE7
Part of subcall function 0027BEA0: GetParent.USER32(00000000), ref: 0027BEFA
Part of subcall function 0027BEA0: GetWindowRect.USER32(?,80004055), ref: 0027BF13
Part of subcall function 0027BEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 0027BF26
Part of subcall function 0027BEA0: MonitorFromWindow.USER32(?,00000002), ref: 0027BF3E
Part of subcall function 0027BEA0: GetMonitorInfoW.USER32(00000000,8000402D), ref: 0027BF54

SetWindowTextW.USER32(?,?), ref: 0028D7C5
GetDlgItem.USER32(?,00000002), ref: 0028D80C
EnableWindow.USER32(00000000,00000000), ref: 0028D815
GetSystemMenu.USER32(?,00000000), ref: 0028D81F
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 0028D83D
DestroyMenu.USER32(00000000), ref: 0028D84F
SetEvent.KERNEL32(?,000000DA), ref: 0028D86A

Part of subcall function 0026F8E0: GetFileVersionInfoSizeW.KERNELBASE(?,?,2DDDF7D7,00000000,?,?,00000000,002DCCC5,000000FF,?,0027A745), ref: 0026F945

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$MessageSend$ItemMenu$InfoMonitorParent$CreateDestroyEnableEventFileFromModifyRectSizeSystemTextVersion
String ID:
API String ID: 3019886063-0
Opcode ID: c0ddf77dfa45edd0ac3d30d58e3604f3091a01ec6f74cc96ee3d663dc1c8b33f
Instruction ID: 5b6daf745049e7fe4f8ccf72d5892b68b571f51e803970f0ff2501b3781a9406
Opcode Fuzzy Hash: c0ddf77dfa45edd0ac3d30d58e3604f3091a01ec6f74cc96ee3d663dc1c8b33f
Instruction Fuzzy Hash: 0051BD35611205EFEB11EF64DC89BA9BBB9EF08310F1041A9F905AF2E1CB759915CF90

Function 0028AA20 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,2DDDF7D7), ref: 0028AA57

Part of subcall function 00266150: MultiByteToWideChar.KERNEL32(00000003,00000000,002F38A1,000000FF,00000000,00000000,00000000,?,?,002783BC,002F38A1), ref: 00266168
Part of subcall function 00266150: MultiByteToWideChar.KERNEL32(00000003,00000000,002F38A1,000000FF,?,-00000001,?,002783BC,002F38A1), ref: 0026619A

Strings

0!$, xrefs: 0028B33A
.jar, xrefs: 0028AF94
@9/, xrefs: 0028B19F
.pack, xrefs: 0028ADD7
*.*, xrefs: 0028AAED, 0028AB08
p2Sv3Sv, xrefs: 0028B105, 0028B288, 0028B31E
2Svp1Sv, xrefs: 0028B25A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: 2Svp1Sv$*.*$.jar$.pack$0!$$@9/$p2Sv3Sv
API String ID: 3339361032-921004472
Opcode ID: 70ce059b3fa835e365c2c0947f1196bcf6f281b8652be82a05448f012c0499fb
Instruction ID: c694f6a36f1cfaa1c8399a181c119c59e3527dcf8153e92474131f4e4a723d6c
Opcode Fuzzy Hash: 70ce059b3fa835e365c2c0947f1196bcf6f281b8652be82a05448f012c0499fb
Instruction Fuzzy Hash: 2D618374A1160A9FDB04DFA8C894BAEBBB5FF48324F14416AE411A73D1DB34AD10CFA5

Function 0028EBE0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0028EC2D
GetForegroundWindow.USER32 ref: 0028EC39
SetLastError.KERNEL32(0000000E,?,?,?,2DDDF7D7), ref: 0028EC80

Strings

\,1, xrefs: 0028ECF1

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$ActiveErrorForegroundLast
String ID: \,1
API String ID: 1822391280-4060636498
Opcode ID: 65b3a9cebcf2f530a83dbe13a71c5a22f7737e75378d42ef837da7ea8ea340c7
Instruction ID: e32cc2cf798fa3a4829956ce53bfbfbe0cea039a3eb5ad17aa651aa5df9791f5
Opcode Fuzzy Hash: 65b3a9cebcf2f530a83dbe13a71c5a22f7737e75378d42ef837da7ea8ea340c7
Instruction Fuzzy Hash: 6F41D371955249DFDB11DFA4DC45BDEBBB8FF15310F10426AE815A7280DB70AA14CBD0

Function 00291F20 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 102COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,00000000,?,000000FF,?,00291597,?,?,?,00000000), ref: 00291F65
GetFileSize.KERNEL32(?,00000000,?,00000000,?,000000FF,?,00291597), ref: 00291F75

Strings

., xrefs: 002922A7
+F-, xrefs: 00292CEE
FTP Server, xrefs: 00292878, 0029288A, 00292894
Local Network Server, xrefs: 00292598, 002925AA, 002925B4
?F-, xrefs: 002929E1
HTTP/1.0, xrefs: 00292CE4

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushSize
String ID: +F-$?F-$FTP Server$HTTP/1.0$Local Network Server$.
API String ID: 3400284609-3607065384
Opcode ID: 9ace14965499975c26ffedd27f7e9d6209bf3b1d1883048d538bc1cfa05dea70
Instruction ID: d8802d09810e39dabf909762e6a352aefb6d5b78699dd7e7947ce420979e3628
Opcode Fuzzy Hash: 9ace14965499975c26ffedd27f7e9d6209bf3b1d1883048d538bc1cfa05dea70
Instruction Fuzzy Hash: A8415C71A0424A9FCB04CF68C8446AEBBB8FF08320F14426AE925E7391D7759E11CBA0

Function 002B4310 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002B4316
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 002B4324
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002B4335
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002B4346

Strings

GetSystemTimePreciseAsFileTime, xrefs: 002B432A
kernel32.dll, xrefs: 002B4311
GetTempPath2W, xrefs: 002B433B
GetCurrentPackageId, xrefs: 002B431E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 6a21268d3cba655bfd40cd5d7958494cda26da22f8af9ae3538e230dcac415bb
Instruction ID: 18b46b0d5585c5d110b13cfe25448ec57b06e3d3ea280412e601f86328c89389
Opcode Fuzzy Hash: 6a21268d3cba655bfd40cd5d7958494cda26da22f8af9ae3538e230dcac415bb
Instruction Fuzzy Hash: 9BE086715D52946FE310DF74FC4E8563EE8EA6A3613000072F608C2150D77004028B50

Function 00254C40 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(002553F4,?,?,000000FF), ref: 00254D7D
HeapFree.KERNEL32(00000000,002553F4,?,?,000000FF), ref: 00254D83
GetProcessHeap.KERNEL32(002552F5,000000FF,?,000000FF), ref: 00254DBD
HeapFree.KERNEL32(00000000,002552F5,000000FF,?,000000FF), ref: 00254DC3

Strings

$@/, xrefs: 00254E89
4@/, xrefs: 00254E08
d@/, xrefs: 00254E27
D@/, xrefs: 00254E46
?/, xrefs: 00254C9A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: $@/$4@/$D@/$d@/$?/
API String ID: 3859560861-3967436770
Opcode ID: 8e79c5a98311505f5ea9d78ecf5125e6e75b00c236dd49b371b6f94e582f633e
Instruction ID: b319cd01570830caa318e639788c8c77383836be5a3f730c1333f44cfe097dea
Opcode Fuzzy Hash: 8e79c5a98311505f5ea9d78ecf5125e6e75b00c236dd49b371b6f94e582f633e
Instruction Fuzzy Hash: D381D172E112069FEB14DF58C840BAAF7F4FB80329F154629ED059B380D775ED988B94

Function 00295830 Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(-0000003C,00000427), ref: 002958D6
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002958E6
EndDialog.USER32(?,00000001), ref: 002958FA

Part of subcall function 00295C00: SetWindowTextW.USER32(00000002,?), ref: 00295C9E
Part of subcall function 00295C00: GetDlgItem.USER32(?,0000042B), ref: 00295D02
Part of subcall function 00295C00: SetWindowTextW.USER32(00000000,?), ref: 00295D0D
Part of subcall function 00295C00: GetDlgItem.USER32(?,00000001), ref: 00295D17
Part of subcall function 00295C00: EnableWindow.USER32(00000000,00000000), ref: 00295D20

EndDialog.USER32(?,00000002), ref: 00295925
GetDlgItem.USER32(?,00000001), ref: 00295974
EnableWindow.USER32(00000000,00000000), ref: 00295986

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ItemWindow$DialogEnableText$MessageSend
String ID:
API String ID: 3408327222-0
Opcode ID: b85ab7765a86e1201398a6cd9b0345cbc742fac50973ce06bf6db98d96f04335
Instruction ID: d57bbf592ede124aa02ff5106c4b43246a86ac8a539e0105637f983092d35c97
Opcode Fuzzy Hash: b85ab7765a86e1201398a6cd9b0345cbc742fac50973ce06bf6db98d96f04335
Instruction Fuzzy Hash: 3351F371B206169FEF159F28EC89B6A77A5FB44320F40416AFD018B280D772DCA4CBE1

Function 00270910 Relevance: 13.6, APIs: 9, Instructions: 147windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00270926
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0027093C
GetWindowLongW.USER32(?,000000F0), ref: 00270946
GetDlgItem.USER32(?,?), ref: 002709B2
GetWindowRect.USER32(00000000,?), ref: 002709CA
MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 002709DB
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 00270A57
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00270A85
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00270A96

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$ItemLongPointsRectRedrawVisible
String ID:
API String ID: 3196996609-0
Opcode ID: 205683ec84efbf48132b96740ed1e5cad16c74f201459263959f2f0308d9a673
Instruction ID: 3a725b821ecd2a844e7a26d922eece876e9c2e7abc41ef0dd3c272278e8bd5fd
Opcode Fuzzy Hash: 205683ec84efbf48132b96740ed1e5cad16c74f201459263959f2f0308d9a673
Instruction Fuzzy Hash: 43517E31254301DFE724CF28D889B2ABBE1FF84704F148A1CF9999A2A5D771E854CB41

Function 00256480 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 363memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,2DDDF7D7), ref: 002564FC
GetProcessHeap.KERNEL32(?,00000000), ref: 00256613
HeapFree.KERNEL32(00000000,?,00000000), ref: 00256619
GetProcessHeap.KERNEL32(?,00000000), ref: 002566AA
HeapFree.KERNEL32(00000000,?,00000000), ref: 002566B0
CoUninitialize.OLE32 ref: 0025688A

Strings

4?/, xrefs: 002566F2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID: 4?/
API String ID: 4239879612-791446331
Opcode ID: bacce77c9a17c5f662871da9f6ed3b6a04bea60402e71f072e55130d4be75949
Instruction ID: bc26c45046fe1409caadb50a80582b8fef4e0fc0b8ec3db895bd046aa7cb8569
Opcode Fuzzy Hash: bacce77c9a17c5f662871da9f6ed3b6a04bea60402e71f072e55130d4be75949
Instruction Fuzzy Hash: E4E19C70D10359CFEF14CFA4C848BADBBB8AF44305F2441A9E805AB291DB74AE59CF64

Function 00270AC0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,00000025,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 00270DC5
DialogBoxIndirectParamW.USER32(00000000,00000000,?,00270F30,00000000), ref: 00270E14

Strings

Send Error Report, xrefs: 00270D22
Copy, xrefs: 00270DAC
Close, xrefs: 00270CC8
d\/, xrefs: 00270C7D
Details >>, xrefs: 00270D4B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: DialogHandleIndirectModuleParam
String ID: Close$Copy$Details >>$Send Error Report$d\/
API String ID: 279259766-4165310048
Opcode ID: 998761ce02c3224188805913977f3fa96ce0b24f747647143cad6d2ed0fa0b75
Instruction ID: c3032f4206396b2fc94cd7894e3deb83cc2bfe8229a06843812974cbc9daa783
Opcode Fuzzy Hash: 998761ce02c3224188805913977f3fa96ce0b24f747647143cad6d2ed0fa0b75
Instruction Fuzzy Hash: A6D1AE70A50719EFDB14CFA4CC95BAEB7B5EF48714F108229E515BB2C0D7B0AA15CB90

Function 00296390 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 216windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000064,000000F0), ref: 002963B6
IsWindowVisible.USER32(00000064), ref: 00296401
SendMessageW.USER32(00000064,0000000B,00000000,00000000), ref: 00296417
SendMessageW.USER32(00000064,0000000B,00000001,00000000), ref: 0029660E
RedrawWindow.USER32(00000064,00000000,00000000,00000185,?,?), ref: 00296627

Strings

dddd, xrefs: 002963EB, 002963FF, 00296415
dddd, xrefs: 002965AF

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID: dddd$dddd
API String ID: 554559110-3677277811
Opcode ID: 2970e7d0c69e7d2506aabe29280df83701d3b6b4f6d94a064d0817dc4f6862d5
Instruction ID: cebc4ca3ef744b05676e865345cb7f4e7689242b7d8fe83b8e09b49a5134c3fd
Opcode Fuzzy Hash: 2970e7d0c69e7d2506aabe29280df83701d3b6b4f6d94a064d0817dc4f6862d5
Instruction Fuzzy Hash: D5915671A183519FDB10CF18C884A1ABBF5FF88710F554A2EF995A72A0D771E854CF82

Function 002617F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2DDDF7D7,?,00000000,?,?,Function_00095000,000000FF,?,0026173D,?), ref: 0026182A
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0026183A
GetModuleHandleW.KERNEL32(Advapi32.dll,2DDDF7D7,?,00000000,?,?,Function_00095000,000000FF,?,0026173D,?), ref: 002618A6
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002618B6

Strings

RegDeleteKeyExW, xrefs: 002618B0
Advapi32.dll, xrefs: 00261825, 002618A1
RegDeleteKeyTransactedW, xrefs: 00261834

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: 84cc0800f548b7bab81ee8e7793951b884f8b213ba39977bc6267d6d6fd3a0e0
Instruction ID: 3d3b91e588950caf98f70f0464836cca61bd66d93cd38be115bb83cfebe6f040
Opcode Fuzzy Hash: 84cc0800f548b7bab81ee8e7793951b884f8b213ba39977bc6267d6d6fd3a0e0
Instruction Fuzzy Hash: CA310936A58244EFE721CF55EC44B9DFBA9FB58721F14413AE90593390C7B2A8B0DB90

Function 0026FB40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00310A68), ref: 0026FB50
LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00310A68), ref: 0026FB63
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0026FB73
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0026FC02
SHGetMalloc.SHELL32(?), ref: 0026FC4A

Strings

SHGetSpecialFolderPathW, xrefs: 0026FB6D
Shell32.dll, xrefs: 0026FB5E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: cb950417fb1fc5ae9b736150c31cd89b7a61d1d5ce69e0ad9d7dfa0d0012f0a5
Instruction ID: 5cc99673e020636ab4f72cb455eb907d88ffa6bd6abc8f5c16b9b4ff6ca7db95
Opcode Fuzzy Hash: cb950417fb1fc5ae9b736150c31cd89b7a61d1d5ce69e0ad9d7dfa0d0012f0a5
Instruction Fuzzy Hash: F93138726007069BDF249F24FD59B67B7F5AF84704F08843CE885871D4EBB198D28B92

Function 0028DC50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0028DC7B
SetLastError.KERNEL32(0000000E), ref: 0028DC98
GetCurrentThreadId.KERNEL32 ref: 0028DCC7
EnterCriticalSection.KERNEL32(00312C5C), ref: 0028DCE7
LeaveCriticalSection.KERNEL32(00312C5C), ref: 0028DD0B
DialogBoxParamW.USER32(000000D8,00000000,Function_0003BD70,00000000), ref: 0028DD28

Part of subcall function 002B1F2A: GetProcessHeap.KERNEL32(00000008,00000008,?,0027A67E), ref: 002B1F2F
Part of subcall function 002B1F2A: HeapAlloc.KERNEL32(00000000), ref: 002B1F36

Strings

\,1, xrefs: 0028DCD0

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalHeapSection$ActiveAllocCurrentDialogEnterErrorLastLeaveParamProcessThreadWindow
String ID: \,1
API String ID: 828238446-4060636498
Opcode ID: 60114fbc314f294dbcd922307e4f9800da6496f7a6a458d724b995dc39e7d740
Instruction ID: 5eaf74802266116b851cc0f86e6843bddda3a5aa24e252b26dd587d8aa3c4ad1
Opcode Fuzzy Hash: 60114fbc314f294dbcd922307e4f9800da6496f7a6a458d724b995dc39e7d740
Instruction Fuzzy Hash: 4C312535644344EFC7219F64EC48B9EBBB8FB08715F00465AE908AB7C0C7B16814CB91

Function 0028CEB0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 0028CEF3
GetWindowLongW.USER32(?,000000F0), ref: 0028CF08
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0028CF20
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 0028CF5D
IsWindow.USER32(00000000), ref: 0028CF67
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0028CF7D

Part of subcall function 002B1F2A: GetProcessHeap.KERNEL32(00000008,00000008,?,0027A67E), ref: 002B1F2F
Part of subcall function 002B1F2A: HeapAlloc.KERNEL32(00000000), ref: 002B1F36

Strings

tooltips_class32, xrefs: 0028CF56

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Heap$AllocCreateMessageProcessSend
String ID: tooltips_class32
API String ID: 1584627587-1918224756
Opcode ID: 5f472f6a64e6a7a7870242859c6844315cd400767326bba9aed4c29ea3046b59
Instruction ID: 173a5e687e90d4064adc323686a3b1a14f49dbf4eb1d5a9f31ac7f2099ee2319
Opcode Fuzzy Hash: 5f472f6a64e6a7a7870242859c6844315cd400767326bba9aed4c29ea3046b59
Instruction Fuzzy Hash: EF21A375355202BFDB10AF68EC49F26BBA9FB48761F104326F515D76E0DB70A820CBA4

Function 00265090 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 002650A2
LocalFree.KERNEL32(?,?,?), ref: 002650B6
GetLastError.KERNEL32 ref: 002650F8
LocalAlloc.KERNEL32(00000040,00000014), ref: 00265138
GetLastError.KERNEL32 ref: 00265152
LocalFree.KERNEL32(?), ref: 00265163

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Strings

sF-, xrefs: 002650EE
}F-, xrefs: 0026512A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Local$Free$ErrorLast$AllocAllocateHeap
String ID: sF-$}F-
API String ID: 1027944315-809066640
Opcode ID: 3f78c74096afdabc0daeaa2e1e36b03d7410d006e8a3290f51883845b04e0672
Instruction ID: 66cc661b71750a012b89fa5bb7991c7d2606781d0f9b9f8b1ee0ff90a70766a5
Opcode Fuzzy Hash: 3f78c74096afdabc0daeaa2e1e36b03d7410d006e8a3290f51883845b04e0672
Instruction Fuzzy Hash: 95313870614B02AFD7308F69EC49B97B7F8BF48704F00892DE88AD6650EB74D558CB61

Function 002B1DC8 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,002B1F72,00000000), ref: 002B1DEC
HeapAlloc.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1DF3

Part of subcall function 002B1EBE: IsProcessorFeaturePresent.KERNEL32(0000000C,002B1DDA,00000000,?,002B1F72,00000000), ref: 002B1EC0

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,002B1F72,00000000), ref: 002B1E03
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,002B1F72,00000000), ref: 002B1E2A
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,002B1F72,00000000), ref: 002B1E3E
InterlockedPopEntrySList.KERNEL32(00000000,?,002B1F72,00000000), ref: 002B1E51
VirtualFree.KERNEL32(00000000,00000000,00008000,?,002B1F72,00000000), ref: 002B1E64

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 32f4835bea9d1cb13b71360ed1e3e659322e4b6293549fdce715469da01ec531
Instruction ID: 6861fba507d7e5ac3928fa230563eeeec9df9f13d0604bbb59657bd5eadbf12f
Opcode Fuzzy Hash: 32f4835bea9d1cb13b71360ed1e3e659322e4b6293549fdce715469da01ec531
Instruction Fuzzy Hash: 4911B231695652ABE7321B78BCACFEB766CAB447C1F948130FE01DA150DA60DC314BB0

Function 00290160 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0029027A
ResetEvent.KERNEL32(?,?,?,?,?,?,?,POST,?,?,-00000010), ref: 00290475
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00290495
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002904A0

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 00291750: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,2DDDF7D7,?,?,00000000), ref: 0029178F
Part of subcall function 00291750: GetLastError.KERNEL32 ref: 002917B0
Part of subcall function 00291750: CloseHandle.KERNEL32(?), ref: 00291A94

Strings

POST, xrefs: 0029032E
.part, xrefs: 00290225

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastObjectSingleWait$CloseCreateEventFileHandleHeapProcessReset
String ID: .part$POST
API String ID: 2995559500-3433193937
Opcode ID: 3f0225d3b957383e4841fea039d241022947c2b59ba09e14a25407c399115cb7
Instruction ID: b4559e822e8ce2c54b6f4c0437727c758987d530a7fa7a9fe22669cec67b43d3
Opcode Fuzzy Hash: 3f0225d3b957383e4841fea039d241022947c2b59ba09e14a25407c399115cb7
Instruction Fuzzy Hash: 4C129D31A10249DFDF04DFA8C888BAEBBB8FF48314F144169E915A7391DB74AA15CF91

Function 002A1CB0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 353stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 002A1E7D
lstrlenW.KERNEL32(?), ref: 002A1E91
CloseHandle.KERNEL32(?), ref: 002A1EE3
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 002A1F11

Strings

?, xrefs: 002A1EBF
\, xrefs: 002A1EB5

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: lstrlen$CloseCreateFileHandle
String ID: ?$\
API String ID: 2263087898-1128499142
Opcode ID: 1d499206111ad6d8085e14320ca5468e589bd4133b29260fb91d24a3c2b76fd6
Instruction ID: 5291497d7bae5d5b16da3c884b51d3e5ed558367bcdd2b1f7a3ed0e1bea0dd87
Opcode Fuzzy Hash: 1d499206111ad6d8085e14320ca5468e589bd4133b29260fb91d24a3c2b76fd6
Instruction Fuzzy Hash: E3F18BB0A10618CFCB24DF28C884B99B7F5BF49320F1485ADE55A973A1DB30AE95CF54

Function 00261030 Relevance: 10.9, APIs: 7, Instructions: 351stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00261950: CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 00261986
Part of subcall function 00261950: CharNextW.USER32(00000000,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619AB
Part of subcall function 00261950: CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619BF
Part of subcall function 00261950: CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619CB

lstrcmpiW.KERNEL32(?,002F48FC,?,2DDDF7D7,00000000,00000000,?), ref: 002610B1
lstrcmpiW.KERNEL32(?,002F37C4), ref: 002610CC
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 00261346
CharNextW.USER32(?,?), ref: 00261439
CharNextW.USER32(00000000), ref: 00261453

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CharNext$lstrcmpi$From
String ID:
API String ID: 298784196-0
Opcode ID: df553fe31eef4bc9661ee3dfb4776c093a9a065802506a8c273862d67cbf473a
Instruction ID: af63c123eab444a3cc21ff4ad795598675f45b128eebff02b8900cae31f7b8eb
Opcode Fuzzy Hash: df553fe31eef4bc9661ee3dfb4776c093a9a065802506a8c273862d67cbf473a
Instruction Fuzzy Hash: 43D1D07092024ADFDF24DF64C895BEE77B4EF04300F184169ED5AAB291DB74AAB4CB50

Function 00266400 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 306COMMON

Download Yara Rule

APIs

Part of subcall function 00266400: GetFileAttributesW.KERNEL32(?,?,?,002F2E60,00000001,2DDDF7D7,?,?,00000000), ref: 00266681
Part of subcall function 00266400: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00266692
Part of subcall function 00266400: FindNextFileW.KERNEL32(-00000001,?,?,?,00000000), ref: 00266706

GetFileAttributesW.KERNEL32(?,?,?,002F2E60,00000001,2DDDF7D7,?,?,00000000), ref: 002666A5
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 002666B6

Strings

p2Sv3Sv, xrefs: 00266706

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID: p2Sv3Sv
API String ID: 3019667586-3579131148
Opcode ID: c698a4c3157446a8016e2d43bf59c5dfe52a89529eca168114b825f61b1635d8
Instruction ID: 5864158f17de5ec3f99dfa56bac35a4244fb70147293a1674c124eb1db0617be
Opcode Fuzzy Hash: c698a4c3157446a8016e2d43bf59c5dfe52a89529eca168114b825f61b1635d8
Instruction Fuzzy Hash: 7EA1F031A2064AEFDB14DF68DC99BAEB7B8FF00320F144629E815972D1DB749E54CB50

Function 00292740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

?F-, xrefs: 002929E1

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess
String ID: ?F-
API String ID: 54951025-864735049
Opcode ID: 4be7ec160602fc3b3a3b5b0744dd9a995aba23496eea6678acb1cd7e3b065fd7
Instruction ID: 7e13841d8ee3526b08edf74f8308ad87bba7ee8813f045c8cd7245123b6b9f6c
Opcode Fuzzy Hash: 4be7ec160602fc3b3a3b5b0744dd9a995aba23496eea6678acb1cd7e3b065fd7
Instruction Fuzzy Hash: 6A917931A00249EFCF11CFA8D888B9DBBB5FF48324F148169E915AB391CB749D15CB91

Function 0028E0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0028E17F
GetWindowLongW.USER32(?,000000FC), ref: 0028E18E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0028E1A9
GetWindowLongW.USER32(?,000000FC), ref: 0028E1C3
SetWindowLongW.USER32(?,000000FC,?), ref: 0028E1D5

Strings

$, xrefs: 0028E101

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 35ccb9a0f2357e2f049c495e231699b5a90da9956c90a29127ca0dfa4717a826
Instruction ID: e7ab9f052736cd6c1204f988ab90d2ed85b32ec60ba8643e472155f94474168d
Opcode Fuzzy Hash: 35ccb9a0f2357e2f049c495e231699b5a90da9956c90a29127ca0dfa4717a826
Instruction Fuzzy Hash: 0B4159B5608702AFC700DF19D888A1AFBF5FF88320F104A19F959876A0D772E964DF91

Function 0027BD70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00312C5C,2DDDF7D7), ref: 0027BDAD
GetCurrentThreadId.KERNEL32 ref: 0027BDC1
LeaveCriticalSection.KERNEL32(00312C5C), ref: 0027BDFF
SetWindowLongW.USER32(?,00000004,00000000), ref: 0027BE65

Strings

\,1, xrefs: 0027BE6B
\,1, xrefs: 0027BD9A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID: \,1$\,1
API String ID: 3550545212-3073346799
Opcode ID: e03ded86d027ab355491ace57e49bddebf681d0b63e1b6d431b2ba2b56b1bf73
Instruction ID: 2809ab4ac099d30e51a87d829ddc0f3e41db1c73c08bdcd24893fb22e147d900
Opcode Fuzzy Hash: e03ded86d027ab355491ace57e49bddebf681d0b63e1b6d431b2ba2b56b1bf73
Instruction Fuzzy Hash: 1131C631A14755DFC722CF65EC48BABBBB9FB49760F00866AE91997350D7709820CBE0

Function 0026F6E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000000,?,?,?,?,?,?,?,?,00272E21,?), ref: 0026F6FF
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0026F715
FreeLibrary.KERNEL32(00000000), ref: 0026F758
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,00272E21,?), ref: 0026F774

Strings

DllGetVersion, xrefs: 0026F70F
Shlwapi.dll, xrefs: 0026F6F8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 497c16d4b2402d0354de1b2b8f5cb609b0084d2d2dec92ae6a770061b62ae748
Instruction ID: 2c4ab2a6fa92e3b0f1c545b75cc8bf5c44c12da8b7f06fcc9adffb7f476e6c4a
Opcode Fuzzy Hash: 497c16d4b2402d0354de1b2b8f5cb609b0084d2d2dec92ae6a770061b62ae748
Instruction Fuzzy Hash: F521BD766543058BD710DF29E88556BFBE4EFDD361F40092EF859C7200EA31D4898B92

Function 002AD2F0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 002AD30D
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002AD31D
GetLastError.KERNEL32 ref: 002AD32D
CloseHandle.KERNEL32(?), ref: 002AD357
GetLastError.KERNEL32 ref: 002AD361
CreateSemaphoreW.KERNEL32(00000000,00000000,00000003,00000000), ref: 002AD386
GetLastError.KERNEL32 ref: 002AD393

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CreateEvent$CloseHandleResetSemaphore
String ID:
API String ID: 3310109588-0
Opcode ID: 55eba4c2d2d319d5c99b88f63d2a10cc2e9742190c00c7b3ab749f7a0586a4d1
Instruction ID: 81cc497f8b0d3059ff4fedc9aba61d89f3d4ba0c1c8338a9ead3c450df0293bf
Opcode Fuzzy Hash: 55eba4c2d2d319d5c99b88f63d2a10cc2e9742190c00c7b3ab749f7a0586a4d1
Instruction Fuzzy Hash: 15219A70354742DBEF308F25DC9872A73E8AF41741F1048A8E947CAA90EBB0E8448F62

Function 00293A20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,00000000,00292C42,?,?,?,?,?,00000003,00000000,2DDDF7D7,?,?), ref: 00293A33
GetLastError.KERNEL32(?,?,?,00000000,00292C42,?,?,?,?,?,00000003,00000000,2DDDF7D7,?,?), ref: 00293A60
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,00000000,00292C42,?,?,?,?,?,00000003,00000000,2DDDF7D7), ref: 00293A9A
SetEvent.KERNEL32(?,?,?,?,00000000,00292C42,?,?,?,?,?,00000003,00000000,2DDDF7D7,?,?), ref: 00293AC3

Strings

B,), xrefs: 00293A3A
!F-, xrefs: 00293A56

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID: !F-$B,)
API String ID: 708712559-859536791
Opcode ID: d2d74b13fc40ec2be3999465233a103d7eadbe23ee6142d341d085bc717df9b4
Instruction ID: 4c3dd6c60ca5777fb7767a80139f21ba999ab930ce18963a85850c71b7e7dc93
Opcode Fuzzy Hash: d2d74b13fc40ec2be3999465233a103d7eadbe23ee6142d341d085bc717df9b4
Instruction Fuzzy Hash: 3411D3322147419FDF30CF55E88CB567BA5EB95321F04882EE0C3865A1C730E9A4D720

Function 002B1648 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,002B16C3,002B1622,002B1944), ref: 002B165F
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 002B1675
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 002B168A

Strings

KERNEL32.DLL, xrefs: 002B165A
AcquireSRWLockExclusive, xrefs: 002B166F
ReleaseSRWLockExclusive, xrefs: 002B167F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: c66ae2d041b97ef4fa4e3650f7c6e27944a58ed3d19373d8b8ca65550ef33fe5
Instruction ID: a94da1b1f011bd061da03642aaee8dc30ed452acd1472fb1610ffaa0e302aafb
Opcode Fuzzy Hash: c66ae2d041b97ef4fa4e3650f7c6e27944a58ed3d19373d8b8ca65550ef33fe5
Instruction Fuzzy Hash: 71F028713716638B8B320F705DB95E723DC9A02BD4388023AE505C7640D650CCB186C1

Function 00284390 Relevance: 10.5, APIs: 7, Instructions: 43sleepwindowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 002843A3
SetWindowTextW.USER32(00000000,?), ref: 002843AE
GetDlgItem.USER32(?,0000040B), ref: 002843BC
SendMessageW.USER32(00000000,00000410,00000002,00000000), ref: 002843CE
ShowWindow.USER32(00000000,00000000), ref: 002843D7
Sleep.KERNEL32(000000C8), ref: 002843E2
ShowWindow.USER32(00000000,00000001), ref: 002843EB

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemShow$MessageSendSleepText
String ID:
API String ID: 106862907-0
Opcode ID: 8e23c03420bfa33a83bc17d27ac9119a203d6262b9110c82011e4e61407f21fd
Instruction ID: 960338cd3cb47bf51cb8772cfb2827989bd745e8d3d27af462996ce5ca35e199
Opcode Fuzzy Hash: 8e23c03420bfa33a83bc17d27ac9119a203d6262b9110c82011e4e61407f21fd
Instruction Fuzzy Hash: 77017C32284311BFEB506B60EC4DF8A7BA4BF48B11F044454FB01AB1E0C7B058219B54

Function 00277B45 Relevance: 9.2, APIs: 6, Instructions: 230fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00267C78: ShellExecuteExW.SHELL32(0000003C), ref: 00267D54
Part of subcall function 00267C78: GetLastError.KERNEL32 ref: 00267D65

ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00277BA3
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00277BD5
CloseHandle.KERNEL32(?), ref: 00277C8A
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00277CD1
CloseHandle.KERNEL32(?,?,002F2ECC), ref: 00277D36
CloseHandle.KERNEL32(?), ref: 00277D6C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseFileHandle$CreateErrorExecuteLastReadShellWrite
String ID:
API String ID: 521638843-0
Opcode ID: d8ac6c18978d221c4aa4d86592316f8356b50fffac6c059c650b98b59d8a1c11
Instruction ID: eca98a4a3abe5a079fe4a8e89175c7e88834f0bbf10c29a14408b46ff2be3867
Opcode Fuzzy Hash: d8ac6c18978d221c4aa4d86592316f8356b50fffac6c059c650b98b59d8a1c11
Instruction Fuzzy Hash: 0091AE70A142069BDB15CFA8D884BADB7B5FF48310F24816DE819EB291DB70AD51CF60

Function 00261950 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 00261986
CharNextW.USER32(00000000,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619AB
CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619BF
CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 002619CB
CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 00261A31
CharNextW.USER32(?,?,00000000,0000007B,?,?,0026262C,00000000,?,00000000,?,00000000,00000000,00000000,002628BE,?), ref: 00261A5E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: ecedc33f35fd9f22eaca1c1873c14ed083e021ac638bd3ab80869f78f1185e3c
Instruction ID: f0595d00b5ab31636db2c5ec1d092abfdd1b0031fbd810b72e3be8ff6a01f4a2
Opcode Fuzzy Hash: ecedc33f35fd9f22eaca1c1873c14ed083e021ac638bd3ab80869f78f1185e3c
Instruction Fuzzy Hash: 404117362112529FCB20CF78DC885BA77E7FFD8315B59852AF8468B254E731ADA0C750

Function 00267A90 Relevance: 9.1, APIs: 6, Instructions: 103processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00267B3F
GetLastError.KERNEL32 ref: 00267B50
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00267B66
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 00267B77
CloseHandle.KERNEL32(?), ref: 00267B81
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00267B9C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ProcessWow64$CloseCodeCreateErrorExitHandleLastObjectRedirectionRevertSingleWait
String ID:
API String ID: 3742689608-0
Opcode ID: 81bb9be90a8670a1763850c6642c6e2a13350f68461e1d6fda3abd2fe08d865e
Instruction ID: 77e23aa74e18d8a159a5d55d6d9459906fac1bdcf49d2a6bd6313c5ad545df5d
Opcode Fuzzy Hash: 81bb9be90a8670a1763850c6642c6e2a13350f68461e1d6fda3abd2fe08d865e
Instruction Fuzzy Hash: B5418F71E18389DBDB10CFA5DD48BAEBBB8FF49714F108259E820A7290D7709940CF90

Function 0026C7B0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 350COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.IMAGEHLP(?,?,?,?,2DDDF7D7), ref: 0026C85E

Part of subcall function 0026C210: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0026C26E
Part of subcall function 0026C210: GetProcAddress.KERNEL32(00000000), ref: 0026C275

Strings

[0x%.8Ix] , xrefs: 0026CB37
%hs:%ld, xrefs: 0026C9FB
-> , xrefs: 0026CCDE
%hs(), xrefs: 0026CC01

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddrAddressFromLibraryLineLoadProc
String ID: -> $%hs()$%hs:%ld$[0x%.8Ix]
API String ID: 2196328783-3499247214
Opcode ID: f0852463d2a5f80e6415ec8e3fce6a19aa91744116ddc4b2cc80dd39c95bad7e
Instruction ID: 81017234f44896d979ab0b30fc971b0df3610c6e21db2f8ee611acabff2af7ca
Opcode Fuzzy Hash: f0852463d2a5f80e6415ec8e3fce6a19aa91744116ddc4b2cc80dd39c95bad7e
Instruction Fuzzy Hash: 46E17A70D202699ADB28DF64CC98BEDBBB4FF44304F2042DAE518A7291D7795AD4CF90

Function 00295E10 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00295E2D
GetWindowTextLengthW.USER32(00000000), ref: 00295E38
GetWindowTextW.USER32(?,?,?), ref: 00295E91
MessageBeep.USER32(000000FF), ref: 00295ED6
GetDlgItem.USER32(?,?), ref: 00295EEB
SetFocus.USER32(00000000,?,?), ref: 00295EF2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ItemTextWindow$BeepFocusLengthMessage
String ID:
API String ID: 2221317226-0
Opcode ID: ef1cfc69369e833f61b671ac33ce765713d0bda1e9813f993ab925579ada9b54
Instruction ID: 9ec1bd13efa4468d0fcf7741200cf02ea33971c46303266c5c6df0b94f29ec5b
Opcode Fuzzy Hash: ef1cfc69369e833f61b671ac33ce765713d0bda1e9813f993ab925579ada9b54
Instruction Fuzzy Hash: 5D31D431615616DFCF09DF28D88D86EBBA5FF44321B14466DF855CB2A0DB32A924CF90

Function 0028E270 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000100,?,80000000), ref: 0028E2F3
VerSetConditionMask.KERNEL32(00000000), ref: 0028E2FB
VerSetConditionMask.KERNEL32(00000000), ref: 0028E303
VerifyVersionInfoW.KERNEL32(?), ref: 0028E32C
GetParent.USER32(0028CF9A), ref: 0028E349
SendMessageW.USER32(?,00000432,00000000,00000023), ref: 0028E382

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ConditionMask$InfoMessageParentSendVerifyVersion
String ID:
API String ID: 2374517313-0
Opcode ID: d1a93cca1ffb14fdbc98feb648db43f6189c5fcc1b86291dbe0257ceca59d786
Instruction ID: 003648f1b016cd741b7c49f90e081d03ab8571e8836a2e4e9359484f961d2f8b
Opcode Fuzzy Hash: d1a93cca1ffb14fdbc98feb648db43f6189c5fcc1b86291dbe0257ceca59d786
Instruction Fuzzy Hash: D0314FB1558344AFE3209F64DC4AB9BBBE8EBC9704F00891EF688DA290D7B495448F56

Function 002B0650 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 002AF400: WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 002AF45E
Part of subcall function 002AF400: GetLastError.KERNEL32 ref: 002AF469

SetEvent.KERNEL32(?,?,00000000,?,?,?,002B0A9E,?), ref: 002B069A
GetLastError.KERNEL32(?,?,002B0A9E,?), ref: 002B06A4
SetEvent.KERNEL32(?,?,?,002B0A9E,?), ref: 002B06B0
GetLastError.KERNEL32(?,?,002B0A9E,?), ref: 002B06BA
EnterCriticalSection.KERNEL32(?,?,?,002B0A9E,?), ref: 002B06D8
LeaveCriticalSection.KERNEL32(?,?,?,002B0A9E,?), ref: 002B06F4

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CriticalEventSection$EnterLeaveObjectSingleWait
String ID:
API String ID: 3090723020-0
Opcode ID: e28e6d77283e241195b67de162845ef61aef4ff1421f36fe3da7e09178574067
Instruction ID: e34ed4bf2aa6d90c066ae989410cbde5a94baccf843b19c29408c6535b1061b6
Opcode Fuzzy Hash: e28e6d77283e241195b67de162845ef61aef4ff1421f36fe3da7e09178574067
Instruction Fuzzy Hash: F0218171610705DBD721DFAAE88979BB7E8FF88750F00491EE55ACB211D730A8208F60

Function 002AF1E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,002B0A50), ref: 002AF1EB
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,002B0A50), ref: 002AF1FB
GetLastError.KERNEL32 ref: 002AF20C
ResetEvent.KERNEL32(?), ref: 002AF228
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002AF238
GetLastError.KERNEL32 ref: 002AF249

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: c72d83b0a063640f708725334fbab8c1236ee691386270c5781a2267075c85a1
Instruction ID: 8e02b273999a1981fa04c31e5fd10c66abe7c5f0aeee23a0010969c505c65689
Opcode Fuzzy Hash: c72d83b0a063640f708725334fbab8c1236ee691386270c5781a2267075c85a1
Instruction Fuzzy Hash: E3012C343A83439BEBA85FB5BD69B6632D4AB41B02F10413DBD07D96C0EEA8EC504A14

Function 0027ED00 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0027EE88
GetForegroundWindow.USER32(?,?,?,002DFB6D,000000FF), ref: 0027EE98
SetForegroundWindow.USER32(00000000), ref: 0027EED2

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

OutputDebugStringW.KERNEL32(?,2DDDF7D7,00000000,?,?,?,?,?,002DFB6D,000000FF,?,0028B890,?,?,?,?), ref: 0027EF3B

Strings

h1, xrefs: 0027ED9F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
String ID: h1
API String ID: 799693181-313830202
Opcode ID: 9fbf79cecf34fcaff60ac0c9874b3479006ad2fe7c1562811c9497621957cb00
Instruction ID: b4b98c4bb59ec7effdab82ac71351815a62f847fa439ad93080229723304b697
Opcode Fuzzy Hash: 9fbf79cecf34fcaff60ac0c9874b3479006ad2fe7c1562811c9497621957cb00
Instruction Fuzzy Hash: B1710575A002468FDB14DF68D8457AEBBB5FF48320F1981ADE819A7390DB34AD01CFA1

Function 0026A540 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,2DDDF7D7), ref: 0026A57C
EnterCriticalSection.KERNEL32(?,2DDDF7D7), ref: 0026A589
OutputDebugStringW.KERNEL32(?,?,00000000), ref: 0026A655
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,002DBE7D,000000FF), ref: 0026A718

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 0026A5D0

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: 6f389aec7df81f82ce9f1235d28bf532fb0f19f5b815bfbf494b6ac79067233e
Instruction ID: 1aff9014820dddebe65088deb00530c093f262db2c292615dbd68b27012e8c04
Opcode Fuzzy Hash: 6f389aec7df81f82ce9f1235d28bf532fb0f19f5b815bfbf494b6ac79067233e
Instruction Fuzzy Hash: C3611135910256CFCF05DF68C8446AEBBB9FF18320F194199E816AB391DB31AE51CFA1

Function 002671C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2DDDF7D7,?,?,00000000,?,?,?,?,?,?,?,?,00000000,002DB56F,000000FF), ref: 0026720B
CreateDirectoryW.KERNEL32(?,00000000,?,?,002F37AC,00000001,?,2DDDF7D7), ref: 002672CA
GetLastError.KERNEL32(?,2DDDF7D7), ref: 002672D8

Strings

\\?\UNC\, xrefs: 00266E59, 00266EE1, 00266EE7
\\?\, xrefs: 00266F5F, 00266F65

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: \\?\$\\?\UNC\
API String ID: 953296794-3019864461
Opcode ID: 7989e5ee3f4c5b958fbff4007586c30ced0b4210c1bebb820377543ddecc36d7
Instruction ID: 11a700a8dee41c9285e53619c2e8217b3c5170544bb748cf22d2f9a5907294d5
Opcode Fuzzy Hash: 7989e5ee3f4c5b958fbff4007586c30ced0b4210c1bebb820377543ddecc36d7
Instruction Fuzzy Hash: D161AB30A14209CFDB04DFA8D899BADB7F4FF08314F1485A9E811A7391EB359965CFA0

Function 002768D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 002769AD
GetLastError.KERNEL32 ref: 002769B5
RemoveDirectoryW.KERNEL32 ref: 00276A15
GetLastError.KERNEL32 ref: 00276A1D

Strings

H, xrefs: 00276935

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID: H
API String ID: 50330452-2852464175
Opcode ID: 386dbbdb75a6bc3601660bb621f2ec58fca22495773cc83132fe8f5850a5cf9d
Instruction ID: 599776b79603aac01acfe04673c8e11eee81c3911b488384568ecd21ae919560
Opcode Fuzzy Hash: 386dbbdb75a6bc3601660bb621f2ec58fca22495773cc83132fe8f5850a5cf9d
Instruction Fuzzy Hash: AA519D31910619CBDF10CFA4C988BEEBBB4FB11304F15C4A8E909AB251DB74A958CFA1

Function 0025F7F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00310A1C,2DDDF7D7), ref: 0025F82F
DestroyWindow.USER32(00000000), ref: 0025F84D
LeaveCriticalSection.KERNEL32(00310A1C), ref: 0025F896

Strings

,1, xrefs: 0025F817
,1, xrefs: 0025F965

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$DestroyEnterLeaveWindow
String ID: ,1$,1
API String ID: 1456685395-496849307
Opcode ID: dbd06ed7839bec9b22d1ebef2b11df70b88bb7597898a2a39219ca27493b459c
Instruction ID: c37e186f0dad085d9e5b69ed3a5da844e2a32634d6bb1988498e0f0701ba1e95
Opcode Fuzzy Hash: dbd06ed7839bec9b22d1ebef2b11df70b88bb7597898a2a39219ca27493b459c
Instruction Fuzzy Hash: BA410071A117129BDB209F28ED08B5ABBF8FF04711F144529EC55AB790E7B0AC58CB91

Function 00255440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00255484
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0025548A
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 002554DA

Strings

RoOriginateLanguageException, xrefs: 0025547A
combase.dll, xrefs: 0025547F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressErrorInfoLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 1186719886-3996158991
Opcode ID: 55b22eedc134616404b1515b5f23942fc0f388f7c954f8bae2035082a6c8f615
Instruction ID: c98642522951c64aa94a5222187439a735b06f613b2c028c76e059d9a56f6fde
Opcode Fuzzy Hash: 55b22eedc134616404b1515b5f23942fc0f388f7c954f8bae2035082a6c8f615
Instruction Fuzzy Hash: ED31CF31D2462ADBCB20DF94D855BEEBBB4EF00325F10022AE815A72D0D7B45E98CBD0

Function 002C41D1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2DDDF7D7,00000000,?,00000001,002E6170,000000FF,?,002C41C6,?,?,002C419D,?,?), ref: 002C4206
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002C4218
FreeLibrary.KERNEL32(00000000,?,00000001,002E6170,000000FF,?,002C41C6,?,?,002C419D,?,?), ref: 002C423A

Strings

CorExitProcess, xrefs: 002C4210
mscoree.dll, xrefs: 002C41FF

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ced16a90c731970d18a3e027478fe32ad8f85294fb3b4e2ef747a435a81c59dc
Instruction ID: 4b90ae9ec9ba975fa6f139c6bf83ac5f8ee2ac301ae96c6b64a96f138b3c231f
Opcode Fuzzy Hash: ced16a90c731970d18a3e027478fe32ad8f85294fb3b4e2ef747a435a81c59dc
Instruction Fuzzy Hash: 8801D671994699EFDB019F91EC49FAFBBBCFB04B14F000629F815A62D0DB749900CA90

Function 0026C210 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002B46AF: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46BA
Part of subcall function 002B46AF: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243A56,00310848,2DDDF7D7,?,?,002D516D,000000FF,?,002810B6,2DDDF7D7,?), ref: 002B46F4

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0026C26E
GetProcAddress.KERNEL32(00000000), ref: 0026C275

Part of subcall function 002B465E: AcquireSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B4668
Part of subcall function 002B465E: ReleaseSRWLockExclusive.KERNEL32(0030FFB8,?,?,00243AC7,00310848,002E6460), ref: 002B469B
Part of subcall function 002B465E: WakeAllConditionVariable.KERNEL32(0030FFB4,?,?,00243AC7,00310848,002E6460), ref: 002B46A6

Strings

Dbghelp.dll, xrefs: 0026C269
7/, xrefs: 0026C229, 0026C299
SymFromAddr, xrefs: 0026C264

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr$7/
API String ID: 1702099962-1580748015
Opcode ID: d938f5d15054d44603899d7932cae2a6950ac8a99470cdee1b5272ec2f6b1ccf
Instruction ID: 2eea75db9590bdc6980b3897bded3aee6d800fb1d7cca8c4fb708d545018d5f2
Opcode Fuzzy Hash: d938f5d15054d44603899d7932cae2a6950ac8a99470cdee1b5272ec2f6b1ccf
Instruction Fuzzy Hash: 0A01D471944645DFC715DF98ED49B9E73A8F709720F108665EE25833D0DB346920CF51

Function 002C71DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,002C7144,00000000,?,?,?,?,002C7268,0000001A,AppPolicyGetProcessTerminationMethod,002ED708,AppPolicyGetProcessTerminationMethod,00000000), ref: 002C71E9
GetLastError.KERNEL32(?,002C7144,00000000,?,?,?,?,002C7268,0000001A,AppPolicyGetProcessTerminationMethod,002ED708,AppPolicyGetProcessTerminationMethod,00000000,?,002C986F,00000000), ref: 002C71F3
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 002C7231

Strings

ext-ms-, xrefs: 002C7216
api-ms-, xrefs: 002C7200

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 7b6ced2ddd9db81a9c7d51d6db51f274779eca737ea01abf7e62479376143f65
Instruction ID: e05a3683f1b98316121e1def374232df948d0b4b298c42d33369523c2e6d0513
Opcode Fuzzy Hash: 7b6ced2ddd9db81a9c7d51d6db51f274779eca737ea01abf7e62479376143f65
Instruction Fuzzy Hash: 64F0A0316D8246B7EB201F22EC0AF593E5CAB11B99F104024FE4CA80E1EB72D97199C2

Function 002D28F9 Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bb452387f0a2dd81a4d08565ad1db8a5b7f63cee80f24916695dd94ca5b967
Instruction ID: cbfc1c2394163e412288048838a6ae28ac8c097d2bdedb20cef61ede99caa2db
Opcode Fuzzy Hash: a7bb452387f0a2dd81a4d08565ad1db8a5b7f63cee80f24916695dd94ca5b967
Instruction Fuzzy Hash: 8CB12770A2424ADFDB12DF99C880BBD7BB5AF69304F14415BE500AB392C7B09DA5CF61

Function 00295C00 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

SetWindowTextW.USER32(00000002,?), ref: 00295C9E
GetDlgItem.USER32(?,0000042B), ref: 00295D02
SetWindowTextW.USER32(00000000,?), ref: 00295D0D
GetDlgItem.USER32(?,00000001), ref: 00295D17
EnableWindow.USER32(00000000,00000000), ref: 00295D20

Part of subcall function 0027BEA0: GetWindowLongW.USER32(?,000000F0), ref: 0027BEE7
Part of subcall function 0027BEA0: GetParent.USER32(00000000), ref: 0027BEFA
Part of subcall function 0027BEA0: GetWindowRect.USER32(?,80004055), ref: 0027BF13
Part of subcall function 0027BEA0: GetWindowLongW.USER32(00000000,000000F0), ref: 0027BF26
Part of subcall function 0027BEA0: MonitorFromWindow.USER32(?,00000002), ref: 0027BF3E
Part of subcall function 0027BEA0: GetMonitorInfoW.USER32(00000000,8000402D), ref: 0027BF54

Part of subcall function 00295F10: GetWindowLongW.USER32(?,000000F0), ref: 00295F3D
Part of subcall function 00295F10: GetWindowLongW.USER32(?,000000F0), ref: 00295F52
Part of subcall function 00295F10: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00295F69
Part of subcall function 00295F10: GetWindowLongW.USER32(?,000000EC), ref: 00295F82
Part of subcall function 00295F10: SetWindowLongW.USER32(?,000000EC,00000000), ref: 00295F96
Part of subcall function 00295F10: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00295FA4
Part of subcall function 00295F10: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00295FB7
Part of subcall function 00295F10: GetDlgItem.USER32(?,0000E801), ref: 00295FC4
Part of subcall function 00295F10: IsWindow.USER32(00000000), ref: 00295FCD
Part of subcall function 00295F10: DestroyWindow.USER32(00000000,?,00000000), ref: 00295FE9
Part of subcall function 00295F10: GetClientRect.USER32(?,800040FD), ref: 00296041

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Item$MessageMonitorRectSendText$ClientDestroyEnableFromHeapInfoParentProcess
String ID:
API String ID: 3895391425-0
Opcode ID: 8fc5562fa9070970f9f7ca19670e556557d64efadb472eb9d65b1172ed8908c2
Instruction ID: c17b575ccb9eb27f6245ef8eeaa53f2e4593caadc0e1e8980f0f65364f5492f5
Opcode Fuzzy Hash: 8fc5562fa9070970f9f7ca19670e556557d64efadb472eb9d65b1172ed8908c2
Instruction Fuzzy Hash: E361B031A00655DFDB01DFA8DC88AAEBBB4FF09320F144169E915AB3A1DB349D15CFA1

Function 0028BC50 Relevance: 7.7, APIs: 5, Instructions: 175synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,2DDDF7D7,00000000,?,?,?,?,?,?,?,00000000,002E20FD,000000FF), ref: 0028BC8D
CreateThread.KERNEL32(00000000,00000000,0028C060,?,00000000,?), ref: 0028BCDD
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0028BE07

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Create$EventObjectSingleThreadWait
String ID:
API String ID: 1077646455-0
Opcode ID: d74adba1099abde51b0195ce9311e64aa6a98105047c4a2ab9cc2fc3bb5e0f65
Instruction ID: 9ac03c3280b362e0248b7d8e00dec4879639a2372ccd6066d28d75102f395a28
Opcode Fuzzy Hash: d74adba1099abde51b0195ce9311e64aa6a98105047c4a2ab9cc2fc3bb5e0f65
Instruction Fuzzy Hash: 59618A79A11219DFCB05DF58D884BAEBBB5FF88710F248159E915AB390DB30AC51CFA0

Function 002B416A Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002B417E
AcquireSRWLockExclusive.KERNEL32(0024FCB8,?,00000000,002E6214,000000FF,?,0024FCB8), ref: 002B419D
AcquireSRWLockExclusive.KERNEL32(0024FCB8,?,?,?,00000000,002E6214,000000FF,?,0024FCB8), ref: 002B41CB
TryAcquireSRWLockExclusive.KERNEL32(0024FCB8,?,?,?,00000000,002E6214,000000FF,?,0024FCB8), ref: 002B4226
TryAcquireSRWLockExclusive.KERNEL32(0024FCB8,?,?,?,00000000,002E6214,000000FF,?,0024FCB8), ref: 002B423D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 153b736a4701cca584b4078dcdc506bb76ec9da199ca2a803ed2b556733ba399
Instruction ID: c646386c207921a9716af4bd0bbb580feec2c2c466442ff740126b1e74344a42
Opcode Fuzzy Hash: 153b736a4701cca584b4078dcdc506bb76ec9da199ca2a803ed2b556733ba399
Instruction Fuzzy Hash: C9414A34920706DBCF20EF64D4C49EAB3F8FF44390B60492AE95A87542D730F9A5DB50

Function 0026F7D0 Relevance: 7.6, APIs: 5, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0026F270: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,2DDDF7D7,00000000,00000000,?), ref: 0026F2CB

GetFileVersionInfoSizeW.VERSION(?,00000000,?,2DDDF7D7,00000000,?,?,?,?,00000000,002DCC55,000000FF,00000000,0026F786,?), ref: 0026F81D
GetFileVersionInfoW.VERSION(?,00000000,002DCC55,00000000,00000000,?,?,00000000,002DCC55,000000FF,00000000,0026F786,?), ref: 0026F849
VerQueryValueW.VERSION(00000000,002F37AC,000000FF,?,?,?,00000000,002DCC55,000000FF,00000000,0026F786,?), ref: 0026F861
GetLastError.KERNEL32(?,?,00000000,002DCC55,000000FF,00000000,0026F786,?), ref: 0026F88E
DeleteFileW.KERNEL32(?), ref: 0026F8A1

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathQuerySizeValue
String ID:
API String ID: 1753006064-0
Opcode ID: 766000f3dd75e9aae5e9c8874c1e78fb72de8c43757025e48d49572772f67972
Instruction ID: 083d711076fa1fb75dcba40a108164446f7b44a96544455bf16c1e3c0c3db750
Opcode Fuzzy Hash: 766000f3dd75e9aae5e9c8874c1e78fb72de8c43757025e48d49572772f67972
Instruction Fuzzy Hash: BA31B271D1024AEBDF14DFA5ED84BEFBBB8EF09350F1401AAE805A3240D7309954CBA0

Function 002AA880 Relevance: 7.6, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 002B0B70: SetEvent.KERNEL32(00000002,?,002AA8BE,2DDDF7D7), ref: 002B0B7F
Part of subcall function 002B0B70: GetLastError.KERNEL32(?,002AA8BE,2DDDF7D7), ref: 002B0B89
Part of subcall function 002B0B70: WaitForSingleObject.KERNEL32(?,000000FF,?,002AA8BE,2DDDF7D7), ref: 002B0B99
Part of subcall function 002B0B70: GetLastError.KERNEL32(?,002AA8BE,2DDDF7D7), ref: 002B0BA4
Part of subcall function 002B0B70: CloseHandle.KERNEL32(?,?,002AA8BE,2DDDF7D7), ref: 002B0BB2

CloseHandle.KERNEL32(?,2DDDF7D7), ref: 002AA8CA
GetLastError.KERNEL32 ref: 002AA8D4
CloseHandle.KERNEL32(?,2DDDF7D7), ref: 002AA8F8
GetLastError.KERNEL32 ref: 002AA902
CloseHandle.KERNEL32(?,2DDDF7D7), ref: 002AA92B
GetLastError.KERNEL32 ref: 002AA935

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2212007442-0
Opcode ID: c37d9f511b893d0b6edbddd1f7e9de9c6df8f59365e8df7f0417441eca7f45ea
Instruction ID: e14613e4f62d0a17c72ced08c0c7dd1c88bdee2b9fd723eca1c3f64d77f9ad81
Opcode Fuzzy Hash: c37d9f511b893d0b6edbddd1f7e9de9c6df8f59365e8df7f0417441eca7f45ea
Instruction Fuzzy Hash: 6B21F170A18346DFDB20CF69E90875AFBF8EF01720F10466EE855D7280DB759A14CBA1

Function 002C6A4E Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,002C6C08,?,002BFA29,?,00000004,00000000,00000000,?,?,002C4979,?,00000000,00000004,?), ref: 002C6A51
SetLastError.KERNEL32(00000000,000000FF,?,002BFA29,?,00000004,00000000,00000000,?,?,002C4979,?,00000000,00000004,?), ref: 002C6A6B
SetLastError.KERNEL32(00000000,00000000,00000000,?,000000FF,?,002BFA29,?,00000004,00000000,00000000,?,?,002C4979,?,00000000), ref: 002C6AA1

Strings

X0, xrefs: 002C6AD2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast
String ID: X0
API String ID: 1452528299-4193090317
Opcode ID: 9f714886cb0a54de8f4ca58513b6c17c5c3f25699988226c71788d5b98d55984
Instruction ID: 744ee56fb0506c96fb0c16f996490ec92d887f43b95657327564c647eb1b2eac
Opcode Fuzzy Hash: 9f714886cb0a54de8f4ca58513b6c17c5c3f25699988226c71788d5b98d55984
Instruction Fuzzy Hash: 4B019E3227D2517EE61637B4BC8EF2B2A1CDF84768B104B7DF805AA0A2EE614C215961

Function 00254B80 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00254BCA
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00254BD0
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000), ref: 00254BF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00254C1B
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00254C21

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 3ba55bdfe016d8236b54b22a1aa81f5d713806ce8d5142e939bcf2a9ee0b9973
Instruction ID: 698ba85b90911b0390d53630b97a56522563aa7fca9b1f6c148fb8a96093d23e
Opcode Fuzzy Hash: 3ba55bdfe016d8236b54b22a1aa81f5d713806ce8d5142e939bcf2a9ee0b9973
Instruction Fuzzy Hash: 631186B1A54219ABEB00EF94CC15FEFB7BCEB04B04F104515F914AB2C1D7B599148BA4

Function 002B0B70 Relevance: 7.5, APIs: 5, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000002,?,002AA8BE,2DDDF7D7), ref: 002B0B7F
GetLastError.KERNEL32(?,002AA8BE,2DDDF7D7), ref: 002B0B89
WaitForSingleObject.KERNEL32(?,000000FF,?,002AA8BE,2DDDF7D7), ref: 002B0B99
GetLastError.KERNEL32(?,002AA8BE,2DDDF7D7), ref: 002B0BA4
CloseHandle.KERNEL32(?,?,002AA8BE,2DDDF7D7), ref: 002B0BB2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleObjectSingleWait
String ID:
API String ID: 891035169-0
Opcode ID: 51524416199fefa1407ed453a162b8e3efb521830654feda993c7b5fa1231b98
Instruction ID: 06b36c6d65ccdd792fce058412b052a12adce13db9bb8d5caf7fc5456fec148b
Opcode Fuzzy Hash: 51524416199fefa1407ed453a162b8e3efb521830654feda993c7b5fa1231b98
Instruction Fuzzy Hash: 8AF03A302583439BDB715F39FC8CB9777E8BB043ADF148A59E866C62D0DB70D8048A60

Function 00276530 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 306fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,2DDDF7D7,?), ref: 0027659F
CloseHandle.KERNEL32(?), ref: 00276744

Strings

,i/, xrefs: 0027656A
0i/, xrefs: 00276563

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseDeleteFileHandle
String ID: ,i/$0i/
API String ID: 2633145722-3989723807
Opcode ID: d6cc92b48be0dcbbe388605a8b00c92840e8019905481994a924200b2f1da53b
Instruction ID: b48e35e81d9b4e45d9034c9b101c3cf73b892e72079c81f461a020759438a7a5
Opcode Fuzzy Hash: d6cc92b48be0dcbbe388605a8b00c92840e8019905481994a924200b2f1da53b
Instruction Fuzzy Hash: 80C1D330A01645CFDB05DF68C95876CBBB5EF09320F1982A9D859AB3D2DB349E06CF91

Function 0026B620 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 0026FB40: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00310A68), ref: 0026FB50
Part of subcall function 0026FB40: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00310A68), ref: 0026FB63
Part of subcall function 0026FB40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0026FB73

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00310A68), ref: 0026B710

Part of subcall function 00243620: RtlAllocateHeap.NTDLL(00000000,00000000,?,2DDDF7D7,00000000,002D5110,000000FF,?,?,0030B028,?,?,00281A0D,80004005,2DDDF7D7,?), ref: 0024366A

Strings

ADVINST_LOGS, xrefs: 0026B703
Everyone, xrefs: 0026B72C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: 04c446a24854da25054192e715389dea90b3bcd4c655202412d54ae82d67e5e6
Instruction ID: fa681d2cf9ab378bf87b28bd461d66abd76c2b54050e84a002a71d930bee51b3
Opcode Fuzzy Hash: 04c446a24854da25054192e715389dea90b3bcd4c655202412d54ae82d67e5e6
Instruction Fuzzy Hash: 0BA1EE71D11209CBDB05DFA8C959BAEBBB4EF44324F244258E811AB391DB755E90CFA0

Function 00264020 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,?,?,2DDDF7D7,*.*,?), ref: 00264150

Strings

\\?\UNC\, xrefs: 00264172, 00264255
*.*, xrefs: 00264036
\\?\, xrefs: 0026426B, 002642D6

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2875597873-1700010636
Opcode ID: c41335442eed286588c75af19e938305f5d7bb087ced286e53db5352a00b8ed9
Instruction ID: cf0b163c328b5a47f806541c493d1517615416cb31d04347f91e588dd03fe418
Opcode Fuzzy Hash: c41335442eed286588c75af19e938305f5d7bb087ced286e53db5352a00b8ed9
Instruction Fuzzy Hash: 3F91E170A10216CFDB04EF68C858BAEB7B5FF05324F204269E915AB391C775AE90CBC0

Function 00293B40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

GetLastError.KERNEL32 ref: 00293BD2
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00293C1F

Strings

REST %u, xrefs: 00293B9F
IF-, xrefs: 00293BC5

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorHeapLastObjectProcessSingleWait
String ID: IF-$REST %u
API String ID: 1530046183-2071377186
Opcode ID: 0288eab7a8fd03f0588cd67fbb8633e3f0f974d435f916a0ed07df70c5e17858
Instruction ID: ac6dd77a300247da7568fa0b313a4ddf97d0f099f200982fc16d09fe95415646
Opcode Fuzzy Hash: 0288eab7a8fd03f0588cd67fbb8633e3f0f974d435f916a0ed07df70c5e17858
Instruction Fuzzy Hash: 4351B131610A059FDF15DF28DC84B69BBB9FF44320F24426AE826AB3D1DB709E55CB90

Function 002D244C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,00000000,?,?,002D2C2C,?,?,?), ref: 002D253A

Strings

,,-, xrefs: 002D24E5
,,-, xrefs: 002D2521
,,-, xrefs: 002D247A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileRead
String ID: ,,-$,,-$,,-
API String ID: 2738559852-2670300124
Opcode ID: 5e6fa204ca95ac6815b1769e9d42e8eae1b59f4bc497ff9c25441c3198676f37
Instruction ID: ad78e53ae09068d0e506b1dc771bdb2747ce27e0419f004adc55cda137e21b58
Opcode Fuzzy Hash: 5e6fa204ca95ac6815b1769e9d42e8eae1b59f4bc497ff9c25441c3198676f37
Instruction Fuzzy Hash: 3A512431A18216EBCB14CF48D890BADB7B1EF69310F64815BE545AB390D370AE94DBA1

Function 00281A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000), ref: 00281AB2

Strings

.url, xrefs: 00281A60
URL, xrefs: 00281A5A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CreateFile
String ID: .url$URL
API String ID: 823142352-2674294872
Opcode ID: 4ebb41ff6171d4719ac032e48b7baea8ec6eca5ea38669134c7aea06158e6d30
Instruction ID: 78ddc793f90a502180b0f80bc1a69b04b1dc00b94e31f44165d12354929d5a1d
Opcode Fuzzy Hash: 4ebb41ff6171d4719ac032e48b7baea8ec6eca5ea38669134c7aea06158e6d30
Instruction Fuzzy Hash: B331D271C11248ABD724EF58DD46B9EBBB8EB04710F1042A9EA24773C1DBB01A24CFA5

Function 00291AE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,80070057,80004005), ref: 00291AEE
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,80070057,80004005), ref: 00291B19
GetLastError.KERNEL32 ref: 00291B83

Strings

AdvancedInstaller, xrefs: 00291B6A

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: d18f523b7a2ce636a5f72c411e2bb5265e4905188f025a864b9e6dc3b2e2c008
Instruction ID: 8db60a4767d8e12f76c460e8c096fe072e6ad10bb8da2488b166f647a62c2bfd
Opcode Fuzzy Hash: d18f523b7a2ce636a5f72c411e2bb5265e4905188f025a864b9e6dc3b2e2c008
Instruction Fuzzy Hash: 2D219331650305ABDB10AF61DC99F657BA9EB44709F104059FA029F2D6EB72A811CB54

Function 002B9327 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(002F37E8,00000000,00000800,?,002B92D8,?,?,00000000,?,?,?,002B9402,00000002,FlsGetValue,002EAA18,FlsGetValue), ref: 002B9334
GetLastError.KERNEL32(?,002B92D8,?,?,00000000,?,?,?,002B9402,00000002,FlsGetValue,002EAA18,FlsGetValue,?,?,002B65FB), ref: 002B933E
LoadLibraryExW.KERNEL32(002F37E8,00000000,00000000,0026CFDC,002F37E8,00000002,2DDDF7D7), ref: 002B9366

Strings

api-ms-, xrefs: 002B934B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3d8174da0c79b4521d8865edcfb1608740ea0b4e7e99c65a209cd47b287837e9
Instruction ID: 0359ffcef5ae2563789bf7592534a7ae542faa7828f513f962f2670404b79126
Opcode Fuzzy Hash: 3d8174da0c79b4521d8865edcfb1608740ea0b4e7e99c65a209cd47b287837e9
Instruction Fuzzy Hash: 9DE04F302D8249F7EB201F61FD4AB993F99AB00B95F1040A0FB0CA80E1D762E8B58A45

Function 00244850 Relevance: 6.5, APIs: 4, Instructions: 462fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,2DDDF7D7,?,00000004), ref: 002448C8
MoveFileW.KERNEL32(?,00000000), ref: 00244C9B
DeleteFileW.KERNEL32(?), ref: 00244CE5
FreeLibrary.KERNEL32(?), ref: 00244F7B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteFreeLibraryMoveNameTemp
String ID:
API String ID: 2027907882-0
Opcode ID: 7a1f1e8f50e61a6a4f870b2b700046678914adfb0797e930b28ddf6559be002b
Instruction ID: 4c96b98592be9da129080337d989af39a10021b163a1b37f3b3af64153a85032
Opcode Fuzzy Hash: 7a1f1e8f50e61a6a4f870b2b700046678914adfb0797e930b28ddf6559be002b
Instruction Fuzzy Hash: 0C126B70D242699ACB28EF24CC987ADB7B1FF54304F2042D9E449A7691EB756F94CF80

Function 002C9F16 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(2DDDF7D7,00000000,00000000,000000FE), ref: 002C9F79

Part of subcall function 002CCA8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,00000000,?,-00000008,-00000008,00000000,?,?,002C9D6A,?,00000000), ref: 002CCAEA

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002CA1CF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002CA215
GetLastError.KERNEL32 ref: 002CA2B8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4e6883bec2063fd797c94ece5e8bd6926ac9adb087fbd9f3dc5386315d3b9d1e
Instruction ID: ccb45aa480912e4c78a6f5c320947534f4bf887b34aab8755483e864884aa02b
Opcode Fuzzy Hash: 4e6883bec2063fd797c94ece5e8bd6926ac9adb087fbd9f3dc5386315d3b9d1e
Instruction Fuzzy Hash: EDD19B75D1425C9FCB05CFE8C884AADBBB9FF09304F28822EE825EB251D631A951CB51

Function 00275970 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 002759D2
GetShortPathNameW.KERNEL32(?,?,?), ref: 00275A51
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00275AA1
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00275AD7

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 23c24965715704b804d0cd7329213490e998e64289dd430ce438008988740ca3
Instruction ID: d15d1638ce2e1ad14c7f48e35e32001d78374ee25599c15cdb0ab34b86aa3849
Opcode Fuzzy Hash: 23c24965715704b804d0cd7329213490e998e64289dd430ce438008988740ca3
Instruction Fuzzy Hash: 9951BE71A10616AFDB14DF68DC89B6EF7A9FF44324F108229E9199B390DB71AC11CF90

Function 00283230 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,00000000,?,?,?,00281B33,?,00000003), ref: 002832FD
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00281B33,?,00000003), ref: 0028330E
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,?,?), ref: 0028332F
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,?,?,?), ref: 00283381

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e9414ee19dfcee4560e39cc38b1674907eadf1a5b7ae12c05126165d3df37145
Instruction ID: 4bc0753a0d7f196bfd696b7746eb861f5fb42c9fe5026d2a36accd8999cdf5d8
Opcode Fuzzy Hash: e9414ee19dfcee4560e39cc38b1674907eadf1a5b7ae12c05126165d3df37145
Instruction Fuzzy Hash: 2C412E79625302FBE710BF649C81F6B7698EF04B04F144529FE45E91C1EAA2DA308795

Function 002B08B0 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 002B0A59
GetLastError.KERNEL32 ref: 002B0A63
SetEvent.KERNEL32(?), ref: 002B0A7A
GetLastError.KERNEL32 ref: 002B0A84

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast
String ID:
API String ID: 3848097054-0
Opcode ID: 485a0490a131cc09df22c9d57d7397d272aae11b5e4611676ffa1a83125c38c6
Instruction ID: ac29acf3b3749e0fee455899de71407a6bff73b59fa559d3ac6ccdbffa68c984
Opcode Fuzzy Hash: 485a0490a131cc09df22c9d57d7397d272aae11b5e4611676ffa1a83125c38c6
Instruction Fuzzy Hash: AC6125B1A11311CFEB25CF18D8D879A3BE5BF44354F0542A8DD489F28AE7B6D858CB90

Function 00291C80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00291CE0

Strings

GET, xrefs: 00291EA4
E-, xrefs: 00291CD1, 00291D32
C*), xrefs: 00291C9F, 00291E0B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast
String ID: C*)$GET$E-
API String ID: 1452528299-1018771185
Opcode ID: 5be3f1bb54318b8395c751a0f432cd84a75791b86e63c9faebf0da8ab4ddb3ab
Instruction ID: e4ff1343e14a1272073432ad4ef191b7550ae120c848c6c9e8f7602431e3039e
Opcode Fuzzy Hash: 5be3f1bb54318b8395c751a0f432cd84a75791b86e63c9faebf0da8ab4ddb3ab
Instruction Fuzzy Hash: F9418371D1060A9BDB10EFA5CC49BAEBBB8FF44320F104529E911A7391DB749A24CFA1

Function 0028EF90 Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,2DDDF7D7,?,?,?), ref: 0028EFDA
GetFileSize.KERNEL32(00000000,00000000), ref: 0028F00B
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 0028F096
CloseHandle.KERNEL32(00000000), ref: 0028F162

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 6957fb45851b5e2ee0db6f29c78bd226f79af42dd0952c5877de3774bad7b4f2
Instruction ID: 2d019857a41d07bfd201be46dca9da328338bb67d64ea837f2f03368798b8221
Opcode Fuzzy Hash: 6957fb45851b5e2ee0db6f29c78bd226f79af42dd0952c5877de3774bad7b4f2
Instruction Fuzzy Hash: E7510171911258DFEB609F64CD85BEEBBB8FF51310F2081A9E549A72C2DB701A89CF50

Function 00261600 Relevance: 6.1, APIs: 4, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?,2DDDF7D7,00000000,002F49E0,?,?,?,?,?,?,?,002DA86D), ref: 0026167A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,002DA86D,000000FF), ref: 00261692
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,002DA86D,000000FF), ref: 0026171F
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,002DA86D,000000FF), ref: 0026174E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Close$Open
String ID:
API String ID: 2976201327-0
Opcode ID: e5fd87b08d7a5c3d9dff12b55b893b14e3d02d7524a3ca600401a4e2ee2de478
Instruction ID: 7bc0776b044d275ad3d1aab8fef3cd9195ebdfa7e34844407af51a6fedc0ad0a
Opcode Fuzzy Hash: e5fd87b08d7a5c3d9dff12b55b893b14e3d02d7524a3ca600401a4e2ee2de478
Instruction Fuzzy Hash: F94108B1901219ABDB21DFA5CD89BEFBBF8EF08350F144119E915A7280D774AA54CBA0

Function 0028DDA0 Relevance: 6.1, APIs: 4, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?), ref: 0028DDE2

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

SetWindowTextW.USER32(?,00000010), ref: 0028DE2A
IsWindow.USER32(00000406), ref: 0028DEB6
EndDialog.USER32(00000406,00000001), ref: 0028DEE6

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$DialogHeapMessageProcessSendText
String ID:
API String ID: 3967821603-0
Opcode ID: 8b113f93bec3876800b786b4838308856cc78a484b9c8807cec359dd20053402
Instruction ID: 485edf9b42bcfaac8fac7a51d318b4c01c63f81740cc951ef6587b221c715209
Opcode Fuzzy Hash: 8b113f93bec3876800b786b4838308856cc78a484b9c8807cec359dd20053402
Instruction Fuzzy Hash: 56417975A00215AFCB11DF69DC88B5ABBB9FF48720F14416AED15EB3A0DB70AD10DB90

Function 002A19C0 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00299F10: SetFilePointer.KERNEL32(?,00000000,?,00000001,2DDDF7D7,?,?,?,002D5130,000000FF), ref: 00299F45
Part of subcall function 00299F10: GetLastError.KERNEL32(?,00000000,?,00000001,2DDDF7D7,?,?,?,002D5130,000000FF), ref: 00299F52

GetLastError.KERNEL32 ref: 002A1A67

Part of subcall function 00299FB0: SetFilePointer.KERNEL32(?,?,?,?,2DDDF7D7,?,?,?,?,?,Function_00095600,000000FF), ref: 00299FEA
Part of subcall function 00299FB0: GetLastError.KERNEL32(?,?,?,?,2DDDF7D7,?,?,?,?,?,Function_00095600,000000FF), ref: 00299FF7
Part of subcall function 00299FB0: SetLastError.KERNEL32(00000000,?,?,?,?,2DDDF7D7,?,?,?,?,?,Function_00095600,000000FF), ref: 0029A00E

SetEndOfFile.KERNEL32(?), ref: 002A1A16
GetLastError.KERNEL32 ref: 002A1A29
SetLastError.KERNEL32(00000000), ref: 002A1A4E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$File$Pointer
String ID:
API String ID: 4162258135-0
Opcode ID: 5de81dfadca6fa7553cbe4a1e4587b5ceaaafecbe8523d9425fa615c965e4879
Instruction ID: 2edce4eba808cbed3fb47382e22ce4880ed37d563823af1eba4b213ac4a86e48
Opcode Fuzzy Hash: 5de81dfadca6fa7553cbe4a1e4587b5ceaaafecbe8523d9425fa615c965e4879
Instruction Fuzzy Hash: 52213A327652079B8B20DF65AC04AABF799EF92375F14412AFD44C6162EB20CD34C6E1

Function 002B0C20 Relevance: 6.1, APIs: 4, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002B0C4F
GetLastError.KERNEL32 ref: 002B0C5A
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 002B0CC4
GetLastError.KERNEL32 ref: 002B0CCE

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 1636903514-0
Opcode ID: b45879d13cdfce927db23d250e571fb57cc44c7daf3d1aada59dcd88640f1f3e
Instruction ID: 329f9a3d6d336320f3a981d22a5b1163bc4e2eff5762991f3023ca69fbdf267b
Opcode Fuzzy Hash: b45879d13cdfce927db23d250e571fb57cc44c7daf3d1aada59dcd88640f1f3e
Instruction Fuzzy Hash: 2321F9322147428BD7328F29E8C8797BBE5AF90364F24871FE196865D1D771D864C750

Function 0028CC30 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,2DDDF7D7,?,?,?,002D5130,000000FF), ref: 0028CC67
GetExitCodeThread.KERNEL32(?,?,?,?,?,002D5130,000000FF), ref: 0028CC81
TerminateThread.KERNEL32(?,00000000,?,?,?,002D5130,000000FF), ref: 0028CC99
CloseHandle.KERNEL32(?,?,?,?,002D5130,000000FF), ref: 0028CCA2

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: a0c1cd08568c073ad372c4c4bceadec8d3624847f3af20f8307bc26082e3d417
Instruction ID: 2d24cbe88bf14d97c2e3c67345ab27ce6cf4f0bc8b4eb07439d94ca8bd0d0bb2
Opcode Fuzzy Hash: a0c1cd08568c073ad372c4c4bceadec8d3624847f3af20f8307bc26082e3d417
Instruction Fuzzy Hash: 1A112530654705EFDB209F14DC48B6ABBF8FB04711F10462AF829D26D0D7B0A824CB60

Function 0028CFA0 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0028CFBD
DestroyWindow.USER32(?), ref: 0028CFCA
IsWindow.USER32(?), ref: 0028D024
SendMessageW.USER32(?,00000407,00000000,?), ref: 0028D03D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Window$DestroyMessageSend
String ID:
API String ID: 746073012-0
Opcode ID: bdbcff08786fa1963cc083c25e62ea2eae093bbaea3ef931e69ba9ea9ffda125
Instruction ID: dbb98a640b68123813cb0651d83eda7ed4f9a571d2fd742d1cd5b8a7684480cc
Opcode Fuzzy Hash: bdbcff08786fa1963cc083c25e62ea2eae093bbaea3ef931e69ba9ea9ffda125
Instruction Fuzzy Hash: F1116A345093419FE360DF25D888B5ABBE1FF98700F50891EF89AC62A0D370E994DF52

Function 0028CCE0 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,2DDDF7D7,?,?,?,002D5130,000000FF), ref: 0028CD17
GetExitCodeThread.KERNEL32(?,?,?,?,?,002D5130,000000FF), ref: 0028CD31
TerminateThread.KERNEL32(?,00000000,?,?,?,002D5130,000000FF), ref: 0028CD49
CloseHandle.KERNEL32(?,?,?,?,002D5130,000000FF), ref: 0028CD52

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: c4e9f42d6400cff14e88b8d3c86a7364503a5a1ce239374324182a1511185fc1
Instruction ID: 2ffacce8288a18820b2ee0c3c3dc28831e8c8a5f92e9ba3fdd3f743b5f0b1bc8
Opcode Fuzzy Hash: c4e9f42d6400cff14e88b8d3c86a7364503a5a1ce239374324182a1511185fc1
Instruction Fuzzy Hash: 8A01B135558746EFDB209F54EC48B66BBF8FB04B10F108A2EF966D66E0D770A810CB50

Function 002B0D30 Relevance: 6.0, APIs: 4, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 002B0D62
GetLastError.KERNEL32 ref: 002B0D6C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002B0D77
GetLastError.KERNEL32 ref: 002B0D82

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: ea048c7739cdaa6653cad81632a49f298257cd5ed486e1b9bcdf6a89eb5c604e
Instruction ID: aa33cfebecf5ed1df95b68fa14b47f8df4b5857551d1355bfa405cfb0f4de53f
Opcode Fuzzy Hash: ea048c7739cdaa6653cad81632a49f298257cd5ed486e1b9bcdf6a89eb5c604e
Instruction Fuzzy Hash: 690171326147439FD7218FA9E8C8B4BBBE4EF94760F148A1DE1A5872D0C371B8609B60

Function 00284420 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 00284432
SetWindowTextW.USER32(00000000,00000009), ref: 0028443D
GetDlgItem.USER32(00000000,0000040B), ref: 0028444E
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0028445F

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Item$MessageSendTextWindow
String ID:
API String ID: 2101643998-0
Opcode ID: 946ceece3ce8300427afacf0d3f6f5d549ef70209dc956365a0df83e95a8c86a
Instruction ID: 64642421ee2b1389cd3975fa03c89e17bc854813652b30d34a6454ee196c97d5
Opcode Fuzzy Hash: 946ceece3ce8300427afacf0d3f6f5d549ef70209dc956365a0df83e95a8c86a
Instruction Fuzzy Hash: 24013C72644602FBDB059FA4EC48E5AFB79FF48B11B048119F705A69B0D731A872DB90

Function 0028CD70 Relevance: 6.0, APIs: 4, Instructions: 39threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0004CE80,?,00000000,?), ref: 0028CD95
GetLastError.KERNEL32(?,00000000,?), ref: 0028CDA2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0028CDB9
GetExitCodeThread.KERNEL32(?,?), ref: 0028CDC7

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: f18e6d4c66622c07257ba0735c85b2e82582a589b09ac1971b6bc496507c80f4
Instruction ID: 66ea79d11fb677d7abedc49efc28ccd30e18247d36c3463b53b2d47b1fdef500
Opcode Fuzzy Hash: f18e6d4c66622c07257ba0735c85b2e82582a589b09ac1971b6bc496507c80f4
Instruction Fuzzy Hash: 5DF06235548301ABD720EF68FC49F87BBE4EB54711F10852AF889D2190E730A518C7B2

Function 002B0B10 Relevance: 6.0, APIs: 4, Instructions: 28synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002B0B25
GetLastError.KERNEL32 ref: 002B0B30
SetEvent.KERNEL32(?), ref: 002B0B4F
GetLastError.KERNEL32 ref: 002B0B59

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: 6b885489b4e44eb458de7d91c93b8e37f36477914dd72f53bfa33bda9b9e1ead
Instruction ID: ae216dfba67ef5c8b38f802979481151844ced3921b62e2a0f228a0ce2dd63c2
Opcode Fuzzy Hash: 6b885489b4e44eb458de7d91c93b8e37f36477914dd72f53bfa33bda9b9e1ead
Instruction Fuzzy Hash: 7FF082315181418FCB215F24FC8CA6B7BA1BF45378F144A18E1628B1F0C7309C50DB50

Function 002B5585 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 002B5597
GetCurrentThreadId.KERNEL32 ref: 002B55A6
GetCurrentProcessId.KERNEL32 ref: 002B55AF
QueryPerformanceCounter.KERNEL32(?), ref: 002B55BC

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 853eb9c985361e2c13292f03790b8a8c8a48fdc7682df88a7068ce3687866156
Instruction ID: 36597b55f1e495ca2aa41f4cb12b408b9101ad86972f689e1c08fd1b33147f4e
Opcode Fuzzy Hash: 853eb9c985361e2c13292f03790b8a8c8a48fdc7682df88a7068ce3687866156
Instruction Fuzzy Hash: C4F05F71C14209EBCF00DBB4EA8DA9EBBF8EF18315F914595A512EB150D734AB049B51

Function 0028B6A0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 286fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

DeleteFileW.KERNEL32(?), ref: 0028B795
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0028B91D

Part of subcall function 00268BF0: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,2DDDF7D7,00000000,?), ref: 00268C34
Part of subcall function 00268BF0: ReadFile.KERNEL32(00000000,?,000003FF,00000000,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,2DDDF7D7,00000000), ref: 00268C77

Part of subcall function 00269B20: LoadStringW.USER32(?,80003641,00000514,2DDDF7D7), ref: 00269B78

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 0028B738

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$Delete$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 856989409-3685554107
Opcode ID: 28ac4da8f39f1d13b6309520ac42f97f9df84427986404dd165d18fdce3d983b
Instruction ID: bcd6caae8e3cf11a5a69b80d30bb5f6643685b87b8aedabb668c1aaae3d62a54
Opcode Fuzzy Hash: 28ac4da8f39f1d13b6309520ac42f97f9df84427986404dd165d18fdce3d983b
Instruction Fuzzy Hash: 33B1E235A006459FCB05EF68C894AADBBB5EF48320F18426CE915EB3D2DB34AD15CF91

Function 00285180 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32(2DDDF7D7,00000000,?,?,?,2DDDF7D7), ref: 002851B7

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

Part of subcall function 00294DC0: GetLocaleInfoW.KERNEL32(00000000,00000002,002F37C0,00000000), ref: 00294E41
Part of subcall function 00294DC0: GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00294E7D

Strings

SystemDefault LangID=, xrefs: 00285205
h1, xrefs: 0028524C

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$DefaultHeapLangProcessSystem
String ID: SystemDefault LangID=$h1
API String ID: 2240978303-480356336
Opcode ID: e45317b7b504cf4a3124a87c4abb09fbaba7249406371e7dc6004f27e4ce84f1
Instruction ID: 6eaec8430036b106143a4fe4b9f141c5d356d8db666341b7f784b401075e08c3
Opcode Fuzzy Hash: e45317b7b504cf4a3124a87c4abb09fbaba7249406371e7dc6004f27e4ce84f1
Instruction Fuzzy Hash: D071E535A11A268BCB04EF68C8446AEB7B5FF44320F1942A9E821A73D1DB74AD11CF90

Function 0026BB00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,2DDDF7D7,?,80000002,80000002), ref: 0026BB53
LeaveCriticalSection.KERNEL32(?,2DDDF7D7,80000002,00000000,002D4F60,000000FF,?,80004005,?,80000002,80000002), ref: 0026BCCF

Strings

LOG, xrefs: 0026BBC7

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalFileLeaveModuleNameSection
String ID: LOG
API String ID: 1232429956-429402703
Opcode ID: 90ff835150a9beecc6a855dc0d3d8770e669b1d90579a72b3d7ecb82deb164ec
Instruction ID: d78e1628d247d26f864ab5b68ae4ad10ab9486986cf615d28b2d1dd6c9207842
Opcode Fuzzy Hash: 90ff835150a9beecc6a855dc0d3d8770e669b1d90579a72b3d7ecb82deb164ec
Instruction Fuzzy Hash: E6511131A102499FDB16DF28CC457AAB7B9FF44304F54856AEC0ACB391EB719E948B90

Function 002469B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2DDDF7D7), ref: 00246A52

Strings

\\?\UNC\, xrefs: 00246A77, 00246AD8
\\?\, xrefs: 00246B4B, 00246B76

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 75c8422fce67fde1afbbf20f4ed6a3964d49e3f025ce51005218e4022f8e49c8
Instruction ID: f06398f97646b4a30ef9bfe8af7082d0782c1d536f82b1e7c415204abcb78f4e
Opcode Fuzzy Hash: 75c8422fce67fde1afbbf20f4ed6a3964d49e3f025ce51005218e4022f8e49c8
Instruction Fuzzy Hash: AE51DFB0D20605DBDB18DF68C849BAEF7F4FF45308F10861AE851B7281DBB56958CBA1

Function 0026B940 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,2DDDF7D7,?,80000002,00310A68), ref: 0026B97F
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00310A68), ref: 0026B9E0

Strings

ADVINST_LOGS, xrefs: 0026B9B8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: af4ff661ea75ae6a54bbb62ea4cbcf71a3d09b3a5333a1c4ce368dbf32543377
Instruction ID: 3c471d0cd8015cf0208250e456d13138fbc217dfaabec5cc4be02be5ab111537
Opcode Fuzzy Hash: af4ff661ea75ae6a54bbb62ea4cbcf71a3d09b3a5333a1c4ce368dbf32543377
Instruction Fuzzy Hash: 6451E27592021ACBCB319F68C8447BAB3B4FF14314F2445AEE859D7290EB748ED1CB90

Function 00262920 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,2DDDF7D7,00000000,00000000), ref: 002629C8

Strings

8F/, xrefs: 00262962

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: 8F/
API String ID: 32694325-3637229792
Opcode ID: 38223d4884e90afbf3f6661af485888d9933aa88f9585cb1f4d9dee36abc8bd9
Instruction ID: a87ad840996eaba6e2f4708bc832002938af01b5821912cd97c88a58eb0a4c61
Opcode Fuzzy Hash: 38223d4884e90afbf3f6661af485888d9933aa88f9585cb1f4d9dee36abc8bd9
Instruction Fuzzy Hash: BB51AC35A10719CBDB24CF10CC94BAEB7B4FF89714F044699D80A67680EB756E98CF82

Function 0026B110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002439B0: GetProcessHeap.KERNEL32 ref: 00243A05

WriteFile.KERNEL32(?,00000005,?,?,00000000,002F37E8,00000002,?,00000000,CPU: ,00000005), ref: 0026B201
FlushFileBuffers.KERNEL32(?), ref: 0026B20A

Part of subcall function 00245350: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,0025E648,-00000010), ref: 00245373

Strings

CPU: , xrefs: 0026B168, 0026B17A, 0026B184

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: 28df0a745ec6a8ed7f562545d20a8253f5152ed383dceccdc545313db2e3f4d2
Instruction ID: fe4dce994dce36484afd7053dee4ae7df48e832c498ef40cef7c2f29061bb679
Opcode Fuzzy Hash: 28df0a745ec6a8ed7f562545d20a8253f5152ed383dceccdc545313db2e3f4d2
Instruction Fuzzy Hash: 8841BD31A00619ABCB05DFA8CC59BAEBBB8FF04320F144669E910A73D1DB74AD11CF90

Function 002B8936 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 002B895B

Strings

RCC, xrefs: 002B8975
MOC, xrefs: 002B896D

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8cfecfc2cceb3130ee7267b8f7d274329595ebeb6a457eb7622b3bd8a518bbf0
Instruction ID: 47bed2d1a70b2e15c8f5fd464a316bbf53daf0d4e7307f3927a158756d9d6c77
Opcode Fuzzy Hash: 8cfecfc2cceb3130ee7267b8f7d274329595ebeb6a457eb7622b3bd8a518bbf0
Instruction Fuzzy Hash: 8441797291020AEFDF15DF94CC81AEEBBB9BF08340F184059F918A7221DB359A60DF51

Function 00241070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00310A3C,00000000,00000000,2DDDF7D7,?,002DA3A3,000000FF), ref: 002410A5
GetLastError.KERNEL32(?,002DA3A3,000000FF), ref: 002410AF

Strings

,1, xrefs: 0024109B

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalErrorInitializeLastSection
String ID: ,1
API String ID: 3413597225-1697091110
Opcode ID: 146c3911a47a43115dfd7bc79867bf9d38a41ffbc78761ae4f7364b8e65d9896
Instruction ID: 143407cd470775d68661b94c6169f8d7562cd31284393d307f32536f16ab3e50
Opcode Fuzzy Hash: 146c3911a47a43115dfd7bc79867bf9d38a41ffbc78761ae4f7364b8e65d9896
Instruction Fuzzy Hash: 0B11A0B0654388DBD719CF51ED0879A7BE8FB08714F008259E8048B790D7F644A8CF41

Function 002B1BAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00260600: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,2DDDF7D7,?,Function_00095110,000000FF), ref: 00260627
Part of subcall function 00260600: GetLastError.KERNEL32(?,00000000,00000000,2DDDF7D7,?,Function_00095110,000000FF), ref: 00260631

IsDebuggerPresent.KERNEL32(?,?,?,0024160A), ref: 002B1BDE
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0024160A), ref: 002B1BED

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002B1BE8

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 9241651a22c825829729522c053658e64cb658fcebfc50af4361cf3a6019a3a1
Instruction ID: 6ac2201363ddc1e3645af97ba747a63cb3476786a3eeaae9bc068eefd6e3fa5b
Opcode Fuzzy Hash: 9241651a22c825829729522c053658e64cb658fcebfc50af4361cf3a6019a3a1
Instruction Fuzzy Hash: 73E092702503818FD7309F29E5487C67BE8AF04348F40896DE946C6250EBB0D4B4CFA1

Function 002AD070 Relevance: 5.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 002AD0DD
GetLastError.KERNEL32 ref: 002AD0E7
CloseHandle.KERNEL32(00000000), ref: 002AD10E
GetLastError.KERNEL32 ref: 002AD118

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 9bf9debdf5c41d1e5ba9e00936a502385a6489b5503302ec94ac85d5c6cba36a
Instruction ID: eaf3620b18ab92502e7ad243030a35ff8c5afe1c38d6c4eb0c7a34b1d1fc68bc
Opcode Fuzzy Hash: 9bf9debdf5c41d1e5ba9e00936a502385a6489b5503302ec94ac85d5c6cba36a
Instruction Fuzzy Hash: 0C3101B0914205DFDB20DF64C988B4ABBF8FF05750F104269E8259B680DB71A910CFE0

Function 002A4690 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000001,2DDDF7D7), ref: 002A46E9
GetLastError.KERNEL32 ref: 002A46F3
CloseHandle.KERNEL32(00000001,2DDDF7D7), ref: 002A4714
GetLastError.KERNEL32 ref: 002A471E

Memory Dump Source

Source File: 00000008.00000002.1051609808.0000000000241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.1051572662.0000000000240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051772778.00000000002E7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051830660.000000000030E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000316000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.1051865260.0000000000318000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_aipackagechainer.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b648e0f4c111c9a9fab8c2e5cff0991c77dc673ca2f655ecdf0eb8e3333bb163
Instruction ID: a55112c4977fb3099edaac2937c6221e4db5982f8ceaa6fb4a7abd7ab83b3ab4
Opcode Fuzzy Hash: b648e0f4c111c9a9fab8c2e5cff0991c77dc673ca2f655ecdf0eb8e3333bb163
Instruction Fuzzy Hash: B321F271A14285DFCB20EF54DD88B5AFBF8EF42B54F144199E8049B281DBB0ED148BA0

Analysis Process: powershell.exePID: 824, Parent PID: 7804COMMON

Executed Functions

Function 0777038F Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

p]pi, xrefs: 07770354
4'|q, xrefs: 07770368

Memory Dump Source

Source File: 0000000D.00000002.1116330584.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7770000_powershell.jbxd

Similarity

API ID:
String ID: 4'|q$p]pi
API String ID: 0-2912599733
Opcode ID: 80ccbf6bd6d8a80006fc2ccb7a05e81faaf0e3b2f319d71de3d425ec87d024e6
Instruction ID: 130bee50dd80bb500309d897e26d0f051bdc53e31ee578360082f6e60d294b41
Opcode Fuzzy Hash: 80ccbf6bd6d8a80006fc2ccb7a05e81faaf0e3b2f319d71de3d425ec87d024e6
Instruction Fuzzy Hash: 6001625165E3D10FC70717345D385A0AF31AF63240B8A02DBD180EF2A3CA290D0ACBA2

Function 047729F0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1071988206.0000000004770000.00000040.00000800.00020000.00000000.sdmp, Offset: 04770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4770000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33302ddfb22ae70defbcaf9d35c7bdc03df2c671ca22cb390fdf2a02a723341a
Instruction ID: 0ed051e26d96784cd2ab7be326ee317fc06cc1df4396dfc54e8e66f1a603bc3b
Opcode Fuzzy Hash: 33302ddfb22ae70defbcaf9d35c7bdc03df2c671ca22cb390fdf2a02a723341a
Instruction Fuzzy Hash: 9D91CE74A002098FCB15CF59C4949BEFBB1FF88310B2586A9D825AB366D735FC51CBA0

Function 02E5D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1070084453.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1ca477f5f80e67ef21123870e301506d384bca393be943ea2717ca6acd93f
Instruction ID: fe3774b1101e7594881d4109d32157fb04a84e72cad40971f28f20d5e8ffe540
Opcode Fuzzy Hash: aeb1ca477f5f80e67ef21123870e301506d384bca393be943ea2717ca6acd93f
Instruction Fuzzy Hash: 30014C6104E3C09ED7128B258C94B52BFB8DF57228F1DC1DBD8988F2A7D2699849C772

Function 02E5D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1070084453.0000000002E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998e9c10953156e33beb9b81b1b4c18fa0f6a947b5a31ac67138ef45f9cac847
Instruction ID: 13d6d2b7d8d79d0daec4e1f12fa76555780258f471c82b84462779aacb14a742
Opcode Fuzzy Hash: 998e9c10953156e33beb9b81b1b4c18fa0f6a947b5a31ac67138ef45f9cac847
Instruction Fuzzy Hash: 7C01D631454350DAE7104E29CCC4BA7FFA8EF55378F18C05AED485B286D3799846C6B1

Non-executed Functions

Function 07770D60 Relevance: 6.6, Strings: 5, Instructions: 300COMMON

Download Yara Rule

Strings

tBqi, xrefs: 07771043
4'|q, xrefs: 07770DEE
4'|q, xrefs: 07770F67
4'|q, xrefs: 07770DE4
4'|q, xrefs: 07770F5B

Memory Dump Source

Source File: 0000000D.00000002.1116330584.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7770000_powershell.jbxd

Similarity

API ID:
String ID: 4'|q$4'|q$4'|q$4'|q$tBqi
API String ID: 0-3733253139
Opcode ID: 5bf4c19621ea249a962ec4accdb152f2edd668723878c4f319548afc9798b029
Instruction ID: 48df83358f2c8195a9febcaf75f937d8b71e228ad304ccc86a45dc558d2d0500
Opcode Fuzzy Hash: 5bf4c19621ea249a962ec4accdb152f2edd668723878c4f319548afc9798b029
Instruction Fuzzy Hash: 7DA177B5B0434ACFCF249B2884107AABBB2AFD6391F24887AD505CB345DA71D952C7A1

Function 07771242 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

$|q, xrefs: 07771296
$|q, xrefs: 0777128A
4'|q, xrefs: 077712B7
4'|q, xrefs: 077712AB

Memory Dump Source

Source File: 0000000D.00000002.1116330584.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7770000_powershell.jbxd

Similarity

API ID:
String ID: 4'|q$4'|q$$|q$$|q
API String ID: 0-2449595895
Opcode ID: 6b35677887a7e14a025b027d73494225820986e50b8e11bdb311c774d42cb9cc
Instruction ID: 84c1a219b4da92b807ac821425478bbbb32d452568c879ec068c547c030e0c67
Opcode Fuzzy Hash: 6b35677887a7e14a025b027d73494225820986e50b8e11bdb311c774d42cb9cc
Instruction Fuzzy Hash: DA01D66071E3D69FCB2B02691930265AFB65FD7A9076A48E7C480DF257CD598C06C3A3

Analysis Process: powershell.exePID: 8876, Parent PID: 824COMMON

Executed Functions

Function 04DB32A0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1068376072.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060f34044c3cc39f18c4660c7a290a78f35f31ee7272a6da96f00a1489563baa
Instruction ID: feaac48c8b170b9259258decb95626ce4bb15780e84e5e0f0dcd2e2c69dfcb0c
Opcode Fuzzy Hash: 060f34044c3cc39f18c4660c7a290a78f35f31ee7272a6da96f00a1489563baa
Instruction Fuzzy Hash: FDA18C74A042498FCB05CF58C4949EEFBB1FF49310B25859AD846AB361C735FC51CBA1

Function 048DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1067444036.00000000048DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 048DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_48dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308472266bcadfc64e9f0528114daccf8dcc4efdf6bcc4ac2f74105a17b24adb
Instruction ID: e2217d7a07340a246d513cee0191c2e9d5e6ee77a356e33e4fe05310a7b8ae2b
Opcode Fuzzy Hash: 308472266bcadfc64e9f0528114daccf8dcc4efdf6bcc4ac2f74105a17b24adb
Instruction Fuzzy Hash: 5101F731505344EAE710AE29DCC0B66FFD8EF91374F18CA1AED448A242D279AC45C6B1

Function 04DB3D43 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1068376072.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3aa524b0197712f8ee2d0fa60a9f29e7baa7d298307d53fcd2e7ea3af6c886
Instruction ID: 554097787410c053b580541b2d2f66a9456f196fac845b756416c8b3d9e31f88
Opcode Fuzzy Hash: bf3aa524b0197712f8ee2d0fa60a9f29e7baa7d298307d53fcd2e7ea3af6c886
Instruction Fuzzy Hash: 68014F78B005159FDB00DB98D4906EEF771FF9E300B248259D85ADB361CA35EC039B90

Function 048DD005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1067444036.00000000048DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 048DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_48dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b5ad6c0916368ec086adb43114fcd87682e3baf6c6f7643f6edc61b8c8b21b
Instruction ID: c5d2eca2a8f2d3b82a6b36a46c8eff18b7e34b646d4cf1229701d62fa08dd0c3
Opcode Fuzzy Hash: 23b5ad6c0916368ec086adb43114fcd87682e3baf6c6f7643f6edc61b8c8b21b
Instruction Fuzzy Hash: CA015E6200E3C09FD7129B259C94B52BFF4DF53224F18C5DBD9888F293C269A849C7B2

Analysis Process: file.exePID: 9668, Parent PID: 9536COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	15.7%
Signature Coverage:	0.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 012401BD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 012401D8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 012401F6
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 01240214
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 01240232
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,012402C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0124027B
RegQueryValueExA.ADVAPI32(?,0124043D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,012402C1,?,80000001), ref: 01240299
RegCloseKey.ADVAPI32(?,012402C8,00000000,00000000,00000005,00000000,012402C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 012402BB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 012402D8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 012402E5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 012402EB
lstrlen.KERNEL32(00000000), ref: 01240316
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0124036B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0124037B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 012403A7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403B7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403E1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403F1

Strings

Software\Borland\Delphi\Locales, xrefs: 01240228
Software\Borland\Locales, xrefs: 012401EC, 0124020A

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 771559fbc6a8331529b9d5717d3cdb3d9cca3b72e7428cfd2c5f6879d89d51aa
Instruction ID: 13a430b2d2b1070ab81dbe2e58d3e08c0c46ac5468b6085a5e1dc28c9d87ed69
Opcode Fuzzy Hash: 771559fbc6a8331529b9d5717d3cdb3d9cca3b72e7428cfd2c5f6879d89d51aa
Instruction Fuzzy Hash: 52612CB1F5420A7FEB15DAE8CC85FEFBBBC9B58700F4040A1BB45E6181D6B4DA848B54

Function 012402C7 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 012402D8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 012402E5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 012402EB
lstrlen.KERNEL32(00000000), ref: 01240316
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0124036B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0124037B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 012403A7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403B7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403E1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 012403F1

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction ID: b162c91ac34427b960dab261c7b743f286830bbc0d5dca1970e797a77df4b766
Opcode Fuzzy Hash: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction Fuzzy Hash: 87313F71F1420A6FEB59DBE8C884BEFBBBC9B58300F404191B659E6181D6B8DA858F50

Function 00FC3AD9 Relevance: 7.9, APIs: 5, Instructions: 373COMMON

Download Yara Rule

APIs

Part of subcall function 00FC4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC4E6B

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC4273
GetSysColor.USER32(0000000F), ref: 00FC42C5
SetBkColor.GDI32(?,00000000), ref: 00FC42D8

Part of subcall function 00FC3AE2: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00FC3B2A

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: ae302a80559d3b7acb26f4d86a798de7801ae60ba4058660205aa90cf19ee6a3
Instruction ID: 3adfdf936816207aa3223d2c28715a261f1ab10c2ca4a647f483d261f14d4b69
Opcode Fuzzy Hash: ae302a80559d3b7acb26f4d86a798de7801ae60ba4058660205aa90cf19ee6a3
Instruction Fuzzy Hash: A6A12871904102ABF6759A2C8EAAFFF3A9DFB56350F16411EF1C1C61C5CA26AD01E371

Function 012426B5 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 012426D0
FindClose.KERNEL32(00000000,00000000,?), ref: 012426DB
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 012426F4
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 01242705

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 60e969e7ef3e5b190860d150d19ff4afd0d6b66547b7a9471a7b1b7a596352b0
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: AFF01272D1020DA7CB69EAE9DD84ADEB3BC5F09214F100692B669E3191EB34DB548B50

Function 012514A7 Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012514AB

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 00FC51FB Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 283
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC52D2
GetSystemMetrics.USER32(00000007), ref: 00FC52DA
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC5305
GetSystemMetrics.USER32(00000008), ref: 00FC530D
GetSystemMetrics.USER32(00000004), ref: 00FC5332
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC534F
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC535F
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC5392
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC53A6
GetClientRect.USER32(00000000,000000FF), ref: 00FC53C4
GetStockObject.GDI32(00000011), ref: 00FC53E0
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC53EB

Part of subcall function 00FC4B74: GetCursorPos.USER32(?), ref: 00FC4B88
Part of subcall function 00FC4B74: ScreenToClient.USER32(00000000,?), ref: 00FC4BA5
Part of subcall function 00FC4B74: GetAsyncKeyState.USER32(00000001), ref: 00FC4BCE
Part of subcall function 00FC4B74: GetAsyncKeyState.USER32(00000002), ref: 00FC4BE8

SetTimer.USER32(00000000,00000000,00000028,00FC3AA8), ref: 00FC5412

Strings

AutoIt v3 GUI, xrefs: 00FC538A

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ac721390ffcf1de20dcbef1d5d2fea9de6590b03b44d46cdc72242a9bd3b246c
Instruction ID: b98f0cace6b333b50354f417372e267cb6e6f212f100d31b0abd0a52f16f1da1
Opcode Fuzzy Hash: ac721390ffcf1de20dcbef1d5d2fea9de6590b03b44d46cdc72242a9bd3b246c
Instruction Fuzzy Hash: FCB18D75A0020ADFDF24DFA8CA85FAD3BF4FB48714F00421AFA85A7284DB75A840DB50

Function 00FBA76B Relevance: 27.0, APIs: 12, Strings: 3, Instructions: 702windowsleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FBAA28
TranslateMessage.USER32(?), ref: 00FBAB77
DispatchMessageW.USER32(?), ref: 00FBAB85
Sleep.KERNEL32(0000000A,?,?), ref: 00FBAB8F

Strings

@GUI_CTRLID, xrefs: 00FF992F
@GUI_WINHANDLE, xrefs: 00FF9991
@GUI_CTRLHANDLE, xrefs: 00FF99EF

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Message$DispatchSleepTimeTranslatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 1406140084-758534266
Opcode ID: abb1673af26d17588602716d26e94c25b579297d404515676f5d76604db1d6f3
Instruction ID: 77b49bebe11e96d417d0f81d868b7401ea1ff7113372a37c976da8b863a10f08
Opcode Fuzzy Hash: abb1673af26d17588602716d26e94c25b579297d404515676f5d76604db1d6f3
Instruction Fuzzy Hash: A452FFB0A08346DFD724DF24C884BEAB7E5BF80314F14451DE5998B2A1DB79A844EF93

Function 01255C39 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01256258), ref: 01255D3E
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01256258,00000000,00000000,00000000,00000000,00000000,00000004), ref: 01255D62
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01256258), ref: 01255D95
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01256258,00000000,00000000,00000000,00000000,00000000,00000004), ref: 01255DB5
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01256258,00000000,00000000,00000000,00000000,00000000,00000004), ref: 01255DE7

Part of subcall function 0125190D: GetTickCount.KERNEL32 ref: 01251986

Part of subcall function 012546D1: MessageBoxA.USER32(00000000,00000000,01254731,00040040), ref: 01254704

GetTickCount.KERNEL32 ref: 01256220

Strings

NtGetContextThread, xrefs: 01255E3B
NtTerminateProcess, xrefs: 0125608B, 01256122, 01256216
NtFreeVirtualMemory, xrefs: 012561E0
NtUnmapViewOfSection, xrefs: 01255E97
NtResumeThread, xrefs: 0125603D
execution failure, try to assign other file path, xrefs: 012560DA, 01256170
D, xrefs: 01255CEE
NtSetContextThread, xrefs: 01255FE6

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-1661097759
Opcode ID: 213f674e7243ebffe692ff3d304aecdbadeb973b24af81b773d2b0746c6aa922
Instruction ID: 88959b1da1e3aae037374529726d5aac6b78d2e79414daaa370b0b2ed911bab2
Opcode Fuzzy Hash: 213f674e7243ebffe692ff3d304aecdbadeb973b24af81b773d2b0746c6aa922
Instruction Fuzzy Hash: 4412FF74A10219AFEB90DBA8CC85FEEBBF4AF09704F504095EA14F7281D774A984CF65

Function 00FC310D Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 220
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FC313C
GetCurrentProcess.KERNEL32(?,0104D9B8,00000000,?,?), ref: 00FC3253
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FC325A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FC3285
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC3297
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FC32A5
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FC32AC
GetSystemInfo.KERNEL32(?,?,?), ref: 00FC32D3

Strings

kernel32.dll, xrefs: 00FC3280
GetNativeSystemInfo, xrefs: 00FC3291

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2834427828-192647395
Opcode ID: 8f9385d2d018e04b7bb8bc48d3b3f085c6643d1d0e22a1ce60cdadd0a6afb568
Instruction ID: 2ea4309e1dc825bd77bcc6f189195f937f6823cdb46249c4a9b56b4a59043087
Opcode Fuzzy Hash: 8f9385d2d018e04b7bb8bc48d3b3f085c6643d1d0e22a1ce60cdadd0a6afb568
Instruction Fuzzy Hash: F091D77280D3C6EFDB32D77C75626DD3FA46B36600B04C4ADE4C09724AC22E4548EB21

Function 00FC2D33 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC2D63
IsDebuggerPresent.KERNEL32 ref: 00FC2D76
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00FC2DE2

Part of subcall function 00FBA65C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FBA69D

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00FC2E63
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 01007988
SetCurrentDirectoryW.KERNEL32(?), ref: 010079C9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01071E24), ref: 01007A52
ShellExecuteW.SHELL32(00000000), ref: 01007A59

Part of subcall function 00FC2C51: GetSysColorBrush.USER32(0000000F), ref: 00FC2C5C
Part of subcall function 00FC2C51: LoadCursorW.USER32(00000000,00007F00), ref: 00FC2C6B
Part of subcall function 00FC2C51: LoadIconW.USER32(00000063), ref: 00FC2C81
Part of subcall function 00FC2C51: LoadIconW.USER32(000000A4), ref: 00FC2C93
Part of subcall function 00FC2C51: LoadIconW.USER32(000000A2), ref: 00FC2CA5
Part of subcall function 00FC2C51: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC2CBD
Part of subcall function 00FC2C51: RegisterClassExW.USER32(?), ref: 00FC2D0E

Part of subcall function 00FCFBB7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FCFBE5
Part of subcall function 00FCFBB7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FCFC06
Part of subcall function 00FCFBB7: ShowWindow.USER32(00000000), ref: 00FCFC1A
Part of subcall function 00FCFBB7: ShowWindow.USER32(00000000), ref: 00FCFC23

Part of subcall function 00FC34C7: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC3598

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 01007982
runas, xrefs: 01007A4D
AutoIt, xrefs: 0100797D

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 1385234928-2030392706
Opcode ID: 61d9f5fc79b0b9fe8bc3ebd71b536d5f585c8b09a9967fe79acbd09933d6c864
Instruction ID: fa4cca6a21f0d303da11c1f229f7ca7777f1c810503ed8f0b7eb33587809af88
Opcode Fuzzy Hash: 61d9f5fc79b0b9fe8bc3ebd71b536d5f585c8b09a9967fe79acbd09933d6c864
Instruction Fuzzy Hash: 0A51687150C341ABD721FFA5DD62EAE7BE8FB91740F00442CF5C152192CB2E9A49EB62

Function 00FC507A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC50AD
RegisterClassExW.USER32(00000030), ref: 00FC50D7
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC50E8
InitCommonControlsEx.COMCTL32(?), ref: 00FC5105
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC5115
LoadIconW.USER32(000000A9), ref: 00FC512B
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC513A

Strings

+, xrefs: 00FC5096
AutoIt v3 GUI, xrefs: 00FC50C9
0, xrefs: 00FC508F
TaskbarCreated, xrefs: 00FC50DD

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 16b2b08fea7235c9102ef21f53918310c51f4de0f918b8fdbb32a9c9dc16da51
Instruction ID: 45546b61d645a7abdcb9d389fde2d735d74b757e89f68b49ef202651b8b6101c
Opcode Fuzzy Hash: 16b2b08fea7235c9102ef21f53918310c51f4de0f918b8fdbb32a9c9dc16da51
Instruction Fuzzy Hash: 402124B8D05308AFDB20DFE4E988BDDBBB4FB18750F00411AFA90A6284D7BA4540CF94

Function 0123D929 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 0123D97E
CharNextA.USER32(00000000,00000000), ref: 0123D98A
CharNextA.USER32(00000000,00000000), ref: 0123D9B2
CharNextA.USER32(00000000), ref: 0123D9BE
CharNextA.USER32(?,00000000), ref: 0123D9FF
CharNextA.USER32(00000000,?,00000000), ref: 0123DA0B
CharNextA.USER32(00000000,?,00000000), ref: 0123DA43
CharNextA.USER32(?,00000000), ref: 0123DA4F

Strings

", xrefs: 0123DA34
", xrefs: 0123D9A3
, xrefs: 0123D951

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction ID: 6d2bb3d260640e1a2afdb0a84e44cfdf776524cb833e8da7d0d183db6763ab04
Opcode Fuzzy Hash: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction Fuzzy Hash: 9051D7F4628286DFD321DFADC484A15BBF5EF9A250FA40C59E6C5CB312D335A841CB61

Function 00FC2C51 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC2C5C
LoadCursorW.USER32(00000000,00007F00), ref: 00FC2C6B
LoadIconW.USER32(00000063), ref: 00FC2C81
LoadIconW.USER32(000000A4), ref: 00FC2C93
LoadIconW.USER32(000000A2), ref: 00FC2CA5
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC2CBD
RegisterClassExW.USER32(?), ref: 00FC2D0E

Part of subcall function 00FC507A: GetSysColorBrush.USER32(0000000F), ref: 00FC50AD
Part of subcall function 00FC507A: RegisterClassExW.USER32(00000030), ref: 00FC50D7
Part of subcall function 00FC507A: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC50E8
Part of subcall function 00FC507A: InitCommonControlsEx.COMCTL32(?), ref: 00FC5105
Part of subcall function 00FC507A: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC5115
Part of subcall function 00FC507A: LoadIconW.USER32(000000A9), ref: 00FC512B
Part of subcall function 00FC507A: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC513A

Strings

0, xrefs: 00FC2CDD
#, xrefs: 00FC2CE4
AutoIt v3, xrefs: 00FC2CFD

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0275383f3b976874705db5224a4e6bf58b283f21781651e4018d05ce41225ccf
Instruction ID: 279f15fe3fe42191c8a735012de1001767cd1185863fefc276b1e404a13ef1d6
Opcode Fuzzy Hash: 0275383f3b976874705db5224a4e6bf58b283f21781651e4018d05ce41225ccf
Instruction Fuzzy Hash: D4215EB4D04318AFDB209FA5E955B9EBFB4FB08B10F00802AF9C4A6284D7BB0550DF94

Function 00FC3998 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FC3992,?,?), ref: 00FC3A00
KillTimer.USER32(?,00000001,?,?,?,?,?,00FC3992,?,?), ref: 00FC3A2C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC3A4F
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FC3992,?,?), ref: 00FC3A5A
CreatePopupMenu.USER32 ref: 00FC3A6E
PostQuitMessage.USER32(00000000), ref: 00FC3A8F

Strings

TaskbarCreated, xrefs: 00FC3A55

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f3662fc959f033ba5588f8db0424a66f457299e3aec46589a004d8a2f1511ac6
Instruction ID: dc92de0b528c208ddec68f13729573506c90bd90f24d5dd10fe91d9cbc86cb08
Opcode Fuzzy Hash: f3662fc959f033ba5588f8db0424a66f457299e3aec46589a004d8a2f1511ac6
Instruction Fuzzy Hash: B6412935548106ABEB25AF78DE4BF6D3A55F704390F00C21DF5C2862C5DABE9A10F7A1

Function 00FC0E5B Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB1155: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 00FB1173

Part of subcall function 00FCFD48: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FC0F35), ref: 00FCFD6A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC0F78
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 01006FEF
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 01007030
RegCloseKey.ADVAPI32(?), ref: 01007072

Strings

\Include\, xrefs: 00FC0F35
Software\AutoIt v3\AutoIt, xrefs: 00FC0F6E
Include, xrefs: 01006FE6, 01007027
\, xrefs: 010070EE

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 338900592-2727554177
Opcode ID: bea4c50205b4af968ea1d49082cedc22d3b6cf3aa876074795563da8cdd44a86
Instruction ID: a6ef9c75a643abc9881e7b69e5a4011f6b685be99f3a149df3767d30945bc036
Opcode Fuzzy Hash: bea4c50205b4af968ea1d49082cedc22d3b6cf3aa876074795563da8cdd44a86
Instruction Fuzzy Hash: 85718C714083019ED320EF69EC819AFBBE8BF84B40F40442EB4C58B2A0DB39D949DB52

Function 00FF0585 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF02C4: CreateFileW.KERNELBASE(00000000,00000000,?,00FF062E,?,?,00000000,?,00FF062E,00000000,0000000C), ref: 00FF02E1

GetLastError.KERNEL32 ref: 00FF0699
GetFileType.KERNELBASE(00000000), ref: 00FF06AC
GetLastError.KERNEL32 ref: 00FF06B6
CloseHandle.KERNEL32(00000000), ref: 00FF06DF
CloseHandle.KERNEL32(?), ref: 00FF0829
GetLastError.KERNEL32 ref: 00FF085B

Strings

H, xrefs: 00FF07E7

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: ErrorLast$CloseFileHandle$CreateType
String ID: H
API String ID: 3086256261-2852464175
Opcode ID: 6a2f757456330c22da68819250d58af816421ee3730eb45b3cfd84eb927dc48b
Instruction ID: 4c46fad4d2bd47193cbfc21dce8a187f0d087f87d89ec2dfde3b472443e0ee38
Opcode Fuzzy Hash: 6a2f757456330c22da68819250d58af816421ee3730eb45b3cfd84eb927dc48b
Instruction Fuzzy Hash: B8A13732A041589FDF28EF68DC817BD7BA0AF06324F180159F941DB2E2DB399812EB51

Function 012583C1 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,01258661,00000000), ref: 01258422
MessageBoxA.USER32(00000000,no data,01258661,00000000), ref: 0125849A
GetTickCount.KERNEL32 ref: 01258532

Strings

Executing manually will not work, xrefs: 0125841B
no data, xrefs: 01258493
uPQzHOdQ, xrefs: 012583F2

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$no data$uPQzHOdQ
API String ID: 1431039135-1731644993
Opcode ID: 23f0c691bb8d4f3c59c2cfa2663b8e0fe6349ba62ad9ecfe61d0c3737769f0ae
Instruction ID: 9eb028b1ed0c53970e7504d2415113280425faedbc3ceb334ef18397f9c811c7
Opcode Fuzzy Hash: 23f0c691bb8d4f3c59c2cfa2663b8e0fe6349ba62ad9ecfe61d0c3737769f0ae
Instruction Fuzzy Hash: DE614B38620206CFCBA0FF95E4C9AADB3B5FB98214F514655ED00AB358DB70AC468F71

Function 00FCFBB7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FCFBE5
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FCFC06
ShowWindow.USER32(00000000), ref: 00FCFC1A
ShowWindow.USER32(00000000), ref: 00FCFC23

Strings

edit, xrefs: 00FCFC00
AutoIt v3, xrefs: 00FCFBDD, 00FCFBE2, 00FCFBE3

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7798be0b456edd4bdf8e16ae95b91ea2c814c57ccaa69989bf882bf29372e3ef
Instruction ID: 821efa1149afe0ea1630c36659b43a3c43786b84cfaf2ffac691018cb0d4b50f
Opcode Fuzzy Hash: 7798be0b456edd4bdf8e16ae95b91ea2c814c57ccaa69989bf882bf29372e3ef
Instruction Fuzzy Hash: 43F05EB0A443947BEA306617AD5CE3B3EBDE7DAF50F00405EBDC0A2164C16A0810CBB4

Function 01251165 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,012555B5,00000001,00000000,00000000,00000000), ref: 01251181
MessageBoxA.USER32(00000000,0125129D,01251299,00000000), ref: 0125119B
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,012555B5,00000001,00000000), ref: 012511A3
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 012511C5
MessageBoxA.USER32(00000000,012512A1,01251299,00000000), ref: 012511DC
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01251286

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: f1f0e1494ebd3de71f24a31b1ce60c50c044dd5802666a9c0f5392d1b99455ed
Instruction ID: 732ebb8cedcf9af34f77e0f5c3d00fd9028b73e0aff8fe33ce69ac2a8cf71c4e
Opcode Fuzzy Hash: f1f0e1494ebd3de71f24a31b1ce60c50c044dd5802666a9c0f5392d1b99455ed
Instruction Fuzzy Hash: 8A3139B4354302AFD354EF19CC81F6AB3E4EF98A50F508928F998DB381DA70E8558B61

Function 00FE8B75 Relevance: 7.8, APIs: 5, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb310a9c27f7fa57cdc32772fb05fb13b408663f279ddd5dbe03d7813e5010f8
Instruction ID: 1c708c754f77c7ad3d341def434b44748a3148c77a646ed5105315621595c271
Opcode Fuzzy Hash: cb310a9c27f7fa57cdc32772fb05fb13b408663f279ddd5dbe03d7813e5010f8
Instruction Fuzzy Hash: 23C11671E042C9AFCF11EFEAD841BADBBB4BF19350F140144E458A7382DB789942EB61

Function 01258277 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 155windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,01258661,00000000), ref: 01258422

Strings

>, xrefs: 012583DB
Executing manually will not work, xrefs: 0125841B
uPQzHOdQ, xrefs: 012583F2

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Message
String ID: >$Executing manually will not work$uPQzHOdQ
API String ID: 2030045667-1937669157
Opcode ID: 84a7a200ca55a27a3d058c212b27bfde08dad525f1d8483ad676d170cba9a063
Instruction ID: 2aa91f183c3a06c879621255edc498e08f508bd5eea02dd693c783e5881f205f
Opcode Fuzzy Hash: 84a7a200ca55a27a3d058c212b27bfde08dad525f1d8483ad676d170cba9a063
Instruction Fuzzy Hash: 3C5115B39687449FD796DF61C8C77987774EB21328FA5406EE801C5542F6BEAC02CB06

Function 00FC5C80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FC5C71,SwapMouseButtons,00000004,?), ref: 00FC5CA4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FC5C71,SwapMouseButtons,00000004,?,?,?,?,00FC4F9C), ref: 00FC5CC5
RegCloseKey.KERNELBASE(00000000,?,?,00FC5C71,SwapMouseButtons,00000004,?,?,?,?,00FC4F9C), ref: 00FC5CE7

Strings

Control Panel\Mouse, xrefs: 00FC5CA2

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ddc849608058eeb0a558a594afe4ee9819ee747e291952b2701f89f3549a25e0
Instruction ID: 25a652b44effcee49d04fa99f1dc93b75f8ab902654389e44a2a1e4a12700b63
Opcode Fuzzy Hash: ddc849608058eeb0a558a594afe4ee9819ee747e291952b2701f89f3549a25e0
Instruction Fuzzy Hash: 92113CB5A11619BFDB20CFA8D985FAFBBBCEF04B50B104559F805E7110D632EE81A760

Function 01254E0D Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,01254E9C), ref: 01254E4D
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,01254E9C), ref: 01254E5C
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,01254E9C), ref: 01254E7B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 01254E81

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 1bc747adef47f505875bdc0c36de0fea25569a225dd791a93ee1f9257b5a87fb
Instruction ID: 71f2909fc5603a27184a6da9276459aac2588fdc1f7b18dece16c0032860da84
Opcode Fuzzy Hash: 1bc747adef47f505875bdc0c36de0fea25569a225dd791a93ee1f9257b5a87fb
Instruction Fuzzy Hash: F71161B0A24305BFE760EFB8DC82FAEB7ECDB09710F200965B614E7180E6705E409B14

Function 012582AF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,01258661,00000000), ref: 01258422
MessageBoxA.USER32(00000000,no data,01258661,00000000), ref: 0125849A
GetTickCount.KERNEL32 ref: 01258532

Strings

Executing manually will not work, xrefs: 0125841B
uPQzHOdQ, xrefs: 012583F2

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$uPQzHOdQ
API String ID: 1431039135-321689922
Opcode ID: 3c59d941ede2ba40d4d23006507a1c172883b74893cef6c56e37e1d7ea86e82d
Instruction ID: 2afd5c6c43778ac0915d997eafaf49a8c0e9b153bc3cbfc527ac1c22f1f9b2db
Opcode Fuzzy Hash: 3c59d941ede2ba40d4d23006507a1c172883b74893cef6c56e37e1d7ea86e82d
Instruction Fuzzy Hash: B541D2B3D687459FDB96DF61D8C77A877B4EB20324FD1402EA801C1542F6BEAC018B56

Function 01038974 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 01038D10
TerminateProcess.KERNEL32(00000000), ref: 01038D17
FreeLibrary.KERNEL32(?,?,?,?), ref: 01038EF8

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 22d030f5c024aca38cc999c9cd4d3878e77a25ede5e3b73f9ce824a9bbfc2756
Instruction ID: e8ad58dcbcbf926c7efcab07a4399272f918a06c4d27554ceb01b12b776c99e8
Opcode Fuzzy Hash: 22d030f5c024aca38cc999c9cd4d3878e77a25ede5e3b73f9ce824a9bbfc2756
Instruction Fuzzy Hash: E3127B71A083419FD714DF28C484B5ABBE5FF88318F04899EF9898B252D735E945CF92

Function 00FB921A Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FCFA2C
Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FCFA34
Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FCFA3F
Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FCFA4A
Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FCFA52
Part of subcall function 00FCF9FB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCFA5A

Part of subcall function 00FCF508: RegisterWindowMessageW.USER32(00000004,?,00FB93EB), ref: 00FCF560

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FB9488
OleInitialize.OLE32 ref: 00FB94A6
CloseHandle.KERNEL32(00000000,00000000), ref: 00FF8D75

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8ddf34386c98b5b33961e72516fb204f67edbef475fc9d4fb3084f290fe8ab11
Instruction ID: 92c103d25e592570f1123bd8afc4a559a43b7fce5410a075561918d6225565ab
Opcode Fuzzy Hash: 8ddf34386c98b5b33961e72516fb204f67edbef475fc9d4fb3084f290fe8ab11
Instruction Fuzzy Hash: B671CEB4999201CFC7A8EF79E9A965D3BE1FB58300310812AE4CAC7349EB3E4445DF64

Function 00FC1CF6 Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00FC1D9F
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001), ref: 00FC1DAF

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 74347e016af58425bef7f696f7b9c0c2579f0564072ed2249f0fdd200a1b7669
Instruction ID: 1b8cdc319bb1ce29821049d64d19d94bd808476cce30a6102031d61dc9b7ab50
Opcode Fuzzy Hash: 74347e016af58425bef7f696f7b9c0c2579f0564072ed2249f0fdd200a1b7669
Instruction Fuzzy Hash: 50315A31A0060AEFDB14CF6CC981F99B7B5FB04324F14862AE91597285C771FDA4EB90

Function 00FC3619 Relevance: 4.6, APIs: 3, Instructions: 76timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC37B5: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC38A8

KillTimer.USER32(?,00000001), ref: 00FC36A2
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC36B1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01007D4E

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: f4108aa91466d4617c9653c672b96ec87946aa53ce73ab6106d1b03f92729001
Instruction ID: fd55cbf4648a3949a944404ccb51af965c1fe8927063a8a66c58f45faaf90159
Opcode Fuzzy Hash: f4108aa91466d4617c9653c672b96ec87946aa53ce73ab6106d1b03f92729001
Instruction Fuzzy Hash: 1E31A471904344AFEB73CF248885FEABBFC9F06304F00449ED5D957241D7386A858B51

Function 012547CD Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 01254813
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 0125483A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 0125485F

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: 814fe6d85ecd689555782f695f909182f0acdf47c50b2d1a3f44e827755a905d
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: F9115671E1011D7BDB15EA98DC85EFEB3BCAF59310F004565FA14E7241E6709E848BA1

Function 01254BF1 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C36
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C4E
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C5A

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: ede8a37052e29c92acf420ebedd5ddc2c1ae0e5d40fd7a0a31ce9228561d216e
Instruction ID: 5b492c5af9bd0fe660781a337b0a553424f646df4b2e8de29afc088fd12ee15d
Opcode Fuzzy Hash: ede8a37052e29c92acf420ebedd5ddc2c1ae0e5d40fd7a0a31ce9228561d216e
Instruction Fuzzy Hash: 3E01B171A202057FE724AAA89CC2FBEB7ACDB85B10F510565BA10E21D0E6B05E408660

Function 00FC10B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 010071AE

Part of subcall function 00FB119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB1192,?), ref: 00FB11BF

Part of subcall function 00FCFDB9: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FCFDD8

Strings

X, xrefs: 0100717C

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d4a08d98a796fac84aa0e4a55ab2246e7786b1296673a88a5ed25ded0e6bb7dc
Instruction ID: 54d5dcef63832ab057f29f72585af2b1c686032c4688131e676201e0e47bb64d
Opcode Fuzzy Hash: d4a08d98a796fac84aa0e4a55ab2246e7786b1296673a88a5ed25ded0e6bb7dc
Instruction Fuzzy Hash: 7121C371A002589BDB05DF98DC06BEE7BFDAF49710F00805AE944E7281DBB855899FA1

Function 01256BA5 Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,01256CAA), ref: 01256C1F
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,01256CAA), ref: 01256C53

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 624aeb0679045ba1c7a12ee306fa3929b98382d6066f187c365e91fd021dcb77
Instruction ID: 4fbcfa37bf60ad9cc2c7d9441ea76aa8b5f167935bf9bb597fcdf08f738e0d4f
Opcode Fuzzy Hash: 624aeb0679045ba1c7a12ee306fa3929b98382d6066f187c365e91fd021dcb77
Instruction Fuzzy Hash: 3E31A471F10209BFEB51EBA9DCC5BAEB7B8EF54300F4084A5E950E3240DB75AE098710

Function 00FC1E10 Relevance: 3.1, APIs: 2, Instructions: 65fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,00000000,?,?,00FBC03B), ref: 00FC1E6E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00008000,00000000,?,00000000,?,?,00FBC03B), ref: 00FC1EA7

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 612b421569ca46580a4e40ac8fcab0b715f8ba3f301a1df69481b798d611e1cf
Instruction ID: 88f8b82bdebcbca899425029a3b281a04d9f3a08bdbc18e1d78763b544939fe2
Opcode Fuzzy Hash: 612b421569ca46580a4e40ac8fcab0b715f8ba3f301a1df69481b798d611e1cf
Instruction Fuzzy Hash: 4E214439600706AFD720CF59C981F66B7F9FB49720F10882DE99A87A81C7B1B954DB60

Function 00FC1EE8 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00FBC025,?,00008000), ref: 00FC1F16
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00FBC025,?,00008000), ref: 01007483

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59b6256a008f111a671432047d012e3503f962ad4976075a065be99bb48d8713
Instruction ID: 6a5111e2850cea55d93efe358f2d32707e888b6a735caefb057349ef803962af
Opcode Fuzzy Hash: 59b6256a008f111a671432047d012e3503f962ad4976075a065be99bb48d8713
Instruction Fuzzy Hash: 58019231245225B6F3314A6ACD0FF977F99EF03B70F218208BE985A1E2CBB45464DB90

Function 00FE91BB Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00FE926A,FF8BC369,00000000,00000002,00000000), ref: 00FE91F4
GetLastError.KERNEL32(?,00FE926A,FF8BC369,00000000,00000002,00000000,?,00FE598F,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00FD6AFC), ref: 00FE91FE

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4454be45479264870ba7ee86c1dce77613bb4cc0cd31ea2b42e12c7320d8a1c6
Instruction ID: 75e832f98b06fddcc34734823abe57566ea1c5b24e0cd83fc7edcdfb4fd8e036
Opcode Fuzzy Hash: 4454be45479264870ba7ee86c1dce77613bb4cc0cd31ea2b42e12c7320d8a1c6
Instruction Fuzzy Hash: 90012833A182557BCB159F9ADC0586E3B2AEF85330B240248F81097190EAB5DD01E7A0

Function 00FCFC28 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00FCFC4A

Part of subcall function 00FCFC98: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FCFCAD
Part of subcall function 00FCFC98: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FCFCC4

Part of subcall function 00FC2D33: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC2D63
Part of subcall function 00FC2D33: IsDebuggerPresent.KERNEL32 ref: 00FC2D76
Part of subcall function 00FC2D33: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00FC2DE2
Part of subcall function 00FC2D33: SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00FC2E63

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FCFC84

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 90c325accc6c373e64cbb18598a950dcc6b021cc0ae214b0bec75f40ae08fbcc
Instruction ID: e4742b3dc415f82377e788f0b153638959fdcdee9166d038572a2e108a6ae2b2
Opcode Fuzzy Hash: 90c325accc6c373e64cbb18598a950dcc6b021cc0ae214b0bec75f40ae08fbcc
Instruction Fuzzy Hash: E2F0E971548308AFD720AB70EE4BF1C7BA1B710711F008819F5C54A1CADBBF9160DB84

Function 01254E02 Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,01254E9C), ref: 01254E7B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 01254E81

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 5eecda559ff69586c3b6a6d391044200ef38843fb35e84923458a989e5f5e4c6
Instruction ID: 38820036c8ce327313fa1938cd58fc46bf44956281c03d406e6fcfea38dbf3fe
Opcode Fuzzy Hash: 5eecda559ff69586c3b6a6d391044200ef38843fb35e84923458a989e5f5e4c6
Instruction Fuzzy Hash: F5E04FB5A28204BFE744EFA4DCC1EBDB7ECEB84300F604866B504D2100DA709D409B20

Function 01254799 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,01256F6D,00000000,012570D4,?,?,00000000,00000000), ref: 012547A5
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,01256F6D,00000000,012570D4,?,?,00000000,00000000), ref: 012547C2

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction ID: a7e9df4bbb13064474a79082d70697976f606c066d858bdd2a7ac06827afd6d3
Opcode Fuzzy Hash: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction Fuzzy Hash: 46D0A790B2122317DB5431BC3CC6EAE818C0B16970B110360FB10E3182DE544DC20195

Function 01257E05 Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,01258165,00000000,01258180,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01257E07
TerminateProcess.KERNEL32(00000000,00000000,01258165,00000000,01258180,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01257E0D

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: e06887d6073adda99f67f4f4145a492684992de4e2204d7c2035f06be2ca41f8
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: A290024466820713D95832B00945FAE60085F60902FC10850F308A54844C9C90900069

Function 00FE84DE Relevance: 2.6, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00FE83FC,?,01079910,0000000C), ref: 00FE8534
GetLastError.KERNEL32(?,00FE83FC,?,01079910,0000000C), ref: 00FE853E

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 6c70fefd49dc4d799ef365e4b3c7117c4beeecbac1ec25e158c69608a172fb9f
Instruction ID: fb365617e2db6fa8f428aba1282d36ee9f5663936652a8f9671c0e6692726adf
Opcode Fuzzy Hash: 6c70fefd49dc4d799ef365e4b3c7117c4beeecbac1ec25e158c69608a172fb9f
Instruction Fuzzy Hash: 32010C32E056E01AD234723A6D4577E77868F81B78F294129F82C971C3DE6DCC82A261

Function 0123C2A5 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0123C638), ref: 0123C2D4
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0123C638), ref: 0123C2FB

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: a18028a8f3d8eabaeec14eea95c656aaa3b43afc80694adb3453432e24d423c5
Instruction ID: bbfbdd775bd9ef402cc60817944d66653460979f23c1f490548ed71792082a0a
Opcode Fuzzy Hash: a18028a8f3d8eabaeec14eea95c656aaa3b43afc80694adb3453432e24d423c5
Instruction Fuzzy Hash: ACF0A7F3F2073156EB2156AD4C81B6299859FC6BA0F154173FA4CFF3C9D6A1481142A0

Function 01020156 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0102016F

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 40bf949e1a33d12b93c55d42c0bf6f370ff29a37b31dcce4b22f8a58120e48dc
Instruction ID: c9ddf85d8ac9e0d89d27e0a207fedf22782d9fe28ac0332b9b1922c6352279c4
Opcode Fuzzy Hash: 40bf949e1a33d12b93c55d42c0bf6f370ff29a37b31dcce4b22f8a58120e48dc
Instruction Fuzzy Hash: B741A1B6A00319AFDB11DFA8CC809EEB7F9EF44310F20856FF95697255EB709A448B50

Function 00FD02C0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00FD036F

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6c53bae69a097cfb0d9810db82707785476f3ced3f8705fe22ac9e2947a4556f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9731E2B1A00105DFC718CF59D484A6DFBA6FB49310F6886A6E409CB356EB71EDC1EB80

Function 00FC27CA Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC290F: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC27DC,?,?,00FC058E,?,00000001), ref: 00FC291B
Part of subcall function 00FC290F: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC292D
Part of subcall function 00FC290F: FreeLibrary.KERNEL32(00000000,?,?,00FC27DC,?,?,00FC058E,?,00000001), ref: 00FC293F

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00FC058E,?,00000001), ref: 00FC27FC

Part of subcall function 00FC28D8: LoadLibraryA.KERNEL32(kernel32.dll,?,?,010077B4,?,?,00FC058E,?,00000001), ref: 00FC28E1
Part of subcall function 00FC28D8: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC28F3
Part of subcall function 00FC28D8: FreeLibrary.KERNEL32(00000000,?,?,010077B4,?,?,00FC058E,?,00000001), ref: 00FC2906

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: fbd2cbd44c58797524e373662b183a48e5eb68a774f2322fd65457a3d0a14a36
Instruction ID: b2a5f81e71cb50efd5241091dc05f43629193db152ff8862dc7bf73ae18e4e66
Opcode Fuzzy Hash: fbd2cbd44c58797524e373662b183a48e5eb68a774f2322fd65457a3d0a14a36
Instruction Fuzzy Hash: 24110432600206ABDB64BF64CE43FAD77A5EF94710F50842EF482AA1C1EE799A05A750

Function 0125190D Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 01251986

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 597749b9c1834c3e4a511af67be6513dbadd4ce49a27b2bca116fa7848ce6b10
Instruction ID: 1e864e98eaa01e25771d5d2d28e56738952037880dfd2d4ca53a3afad2d63b74
Opcode Fuzzy Hash: 597749b9c1834c3e4a511af67be6513dbadd4ce49a27b2bca116fa7848ce6b10
Instruction Fuzzy Hash: 4711F1B4E1420AAFCB44DF99D8819AEBBF8FB48710F518469ED14A7340D734AE118B51

Function 01256CF3 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 01256D26

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 89b6fba270f4f6a47129fd476a07cfd1ab684a6d332d97ffa145a61918c1e987
Instruction ID: 904e1e97a3cbacf3bfe936793d6f92e302fdd21db12108aa836d8e792f15c2ff
Opcode Fuzzy Hash: 89b6fba270f4f6a47129fd476a07cfd1ab684a6d332d97ffa145a61918c1e987
Instruction Fuzzy Hash: FFF0A475B00109ABD750EAADECC0FBABBEC9F59250F048165FE18D7340D6719D008BA0

Function 01256CF5 Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 01256D26

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a80400a3fc9b2e2b6db2f134cdc82aca6f267dffc5661afd40d6916a5f9470f4
Instruction ID: 146f4040fb3802cb53d7704dc0431e5584eff6c206797a3bf4eb8750ec860a89
Opcode Fuzzy Hash: a80400a3fc9b2e2b6db2f134cdc82aca6f267dffc5661afd40d6916a5f9470f4
Instruction Fuzzy Hash: C5F0C875A00109ABC750EB9DECC0FAFBBEC9F59250F048155FE18D7340D6719D008BA0

Function 00FE287C Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00FE2D00,00000001,00000364,?,?,?,00FE26D1,00FE281A,?,?,00FBFC79,?), ref: 00FE28BD

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 772e5ab4fe6d9ecf1f0305992c3dced6d69e6340510aae311f5c6785bbed951d
Instruction ID: b71cb5ff76eeff0fda350788d76febbb67714a18c793a39b94a66a4fa3645c68
Opcode Fuzzy Hash: 772e5ab4fe6d9ecf1f0305992c3dced6d69e6340510aae311f5c6785bbed951d
Instruction Fuzzy Hash: EEF0B436A0126567DBA15A6B9C06B6E374DBF40770B194163B84496194EF34DA00A6F2

Function 00FE282E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00FD0445,?,?,00FBFA72,00000000,?,?,?,00FB1188,?), ref: 00FE2860

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 734c4687f479134b0604494e30b61ed8b68b9f905b7dc4d4b979530891612502
Instruction ID: e8cc073c1052550e3eaaac77cf20c6422c64fa776bd670343e60fc7c0b092182
Opcode Fuzzy Hash: 734c4687f479134b0604494e30b61ed8b68b9f905b7dc4d4b979530891612502
Instruction Fuzzy Hash: 25E09B315412A167D6B136675C0575F3A4DBF417B0F194123BC8596191FB24DE01B2F1

Function 01240A89 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 01240ABB

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 4f428741ffd1d3bc243332327247c144908215d271c82e57fbe1c9de64326e47
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 60F0A0B1720111DBCB14EA9CC8C0FA672DC8F88250B048161B708DB348EB60DC8887A2

Function 00FC283A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dc83447941d27beedd6c1ddd04eda31103d438525c026e7ed7c5086397f902
Instruction ID: 1cc29e10426327ab2d3eeb294143418d360543f2271cd8afd35ee342c5b5cc95
Opcode Fuzzy Hash: b3dc83447941d27beedd6c1ddd04eda31103d438525c026e7ed7c5086397f902
Instruction Fuzzy Hash: 75F0A071401302CFD7759F64D590916B7E5FF0032931489BEE1C682651C336A840EF50

Function 00FF5FA4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FF5FAF

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2179922af00d2afe319f4a0b9f92efff20fe65351e0ef862f742f0bf3c4dd25a
Instruction ID: aad3d216edfc9802d8e7a613dd4593484762001e919009264653da207932e46d
Opcode Fuzzy Hash: 2179922af00d2afe319f4a0b9f92efff20fe65351e0ef862f742f0bf3c4dd25a
Instruction Fuzzy Hash: EBF0E5B2E582495ADB309B669C04BB1BBC4AF01321F10042ADAD5C21D1DFB95490BB61

Function 0123FF29 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00FB0000,?,00000105), ref: 0123FF47

Part of subcall function 012401BD: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 012401D8
Part of subcall function 012401BD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 012401F6
Part of subcall function 012401BD: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 01240214
Part of subcall function 012401BD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 01240232
Part of subcall function 012401BD: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,012402C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0124027B
Part of subcall function 012401BD: RegQueryValueExA.ADVAPI32(?,0124043D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,012402C1,?,80000001), ref: 01240299
Part of subcall function 012401BD: RegCloseKey.ADVAPI32(?,012402C8,00000000,00000000,00000005,00000000,012402C1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 012402BB

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: 59146572d6205f43509c5a8a6c10e249173996c2febe69538267972ba967fa63
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: 8BE06DB1A103118BCB14DE5CD9C0A9233D8AB48654F004561BD58CF386D771D9508BD1

Function 00FCFDB9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FCFDD8

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: bce57d9d355e6c3a05ba9816fbea29dd103372a5d5abf643295278cb1d35744f
Instruction ID: 9fd9e02b11549b09c95d957c6ec20749b90c38e0963877007f66e4d6766eed55
Opcode Fuzzy Hash: bce57d9d355e6c3a05ba9816fbea29dd103372a5d5abf643295278cb1d35744f
Instruction Fuzzy Hash: 2FE0CD7690122857C721E5989C05FFA77DDDF897A0F0401B5FD0CD7208D965AC8097D1

Function 00FC3AA8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC3AA9

Part of subcall function 00FC4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00FC4E6B

Part of subcall function 00FC4B74: GetCursorPos.USER32(?), ref: 00FC4B88
Part of subcall function 00FC4B74: ScreenToClient.USER32(00000000,?), ref: 00FC4BA5
Part of subcall function 00FC4B74: GetAsyncKeyState.USER32(00000001), ref: 00FC4BCE
Part of subcall function 00FC4B74: GetAsyncKeyState.USER32(00000002), ref: 00FC4BE8

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: 940dcfa8a2f7a0365b5c708574fe874e8960bd7363b91866be7dc988eb6ba053
Instruction ID: 1b324bc8092346fc6a788fa81c8ec57a19bbc6cee6e60d1d4708cb9653e014b2
Opcode Fuzzy Hash: 940dcfa8a2f7a0365b5c708574fe874e8960bd7363b91866be7dc988eb6ba053
Instruction Fuzzy Hash: CFD05E346015228BC924AA189956F1D3691BB457307044244F4A58B2E5CB695D92E7D5

Function 0124272D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0125432F,00000000,0125673F,012568E5,?,c:\,012568E5,?,c:\), ref: 01242738

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction ID: f16b5ba261f16a9a0ab0c054a11fdcc165527b17133c8f579d0e6cfa93f952cf
Opcode Fuzzy Hash: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction Fuzzy Hash: 3DC08CA0B312020B2F5CA1BE3CC05AA028C496A0317201A21F278D21E2D71190572410

Function 00FF02C4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FF062E,?,?,00000000,?,00FF062E,00000000,0000000C), ref: 00FF02E1

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 39c2e80597082683e27958f01a6c6d24a15c9b2ed2f5fd38c8f274155efe986a
Instruction ID: 60f6735c98fb9ea6ef1f38621475e5ddf80e56849d73d7d90c581bb6f83b4ad0
Opcode Fuzzy Hash: 39c2e80597082683e27958f01a6c6d24a15c9b2ed2f5fd38c8f274155efe986a
Instruction Fuzzy Hash: B3D06C3200010DBBDF128E84DD46EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00FE27F4 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00FBFC79,?,?,00FB111E), ref: 00FE280A

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 67f25f56531833681cf29ac3037bf53598744d75c46dae52cc99524fdddd4a57
Instruction ID: 15dc927193544548f4106843d61dc8048b7ecc320a0bd7d74f791117076578cc
Opcode Fuzzy Hash: 67f25f56531833681cf29ac3037bf53598744d75c46dae52cc99524fdddd4a57
Instruction Fuzzy Hash: 16D0A73100014477DB222A66EC05B6E3E5DAB80324F040020B50804071E7358690E794

Function 01242A45 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,0125433A,00000000,0125673F,012568E5,?,c:\,012568E5,?,c:\), ref: 01242A52

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: 784fd4b10e26559f7e03c15c2bd2c145b51a5df856501fc54abce92be79425c6
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: B2B012D3B743412BEF1035F83CC5F3E518CD769806F100C71F245D6142D567C8550011

Function 01027EFB Relevance: 1.5, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 00FC1EE8: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00FBC025,?,00008000), ref: 00FC1F16

GetLastError.KERNEL32(00000002,00000000), ref: 01028195

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: b1c9d0da0675eff5bb776607d660deab243165f2e139fd420dfb645e23ab18da
Instruction ID: ccfd1800201f46268bd3a2147c75f1c60e527c135cd0cec9b9d943673b69fdbc
Opcode Fuzzy Hash: b1c9d0da0675eff5bb776607d660deab243165f2e139fd420dfb645e23ab18da
Instruction Fuzzy Hash: 6291B0342043129FD755EF28C891BADB7E1BF89310F04856EF9855B292CB38AD45DF42

Function 0123C449 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0123C4E2

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d03a3046163f6184b9b7679b7e0f3bebce94dd28af840b4081a31fe43a55cf8b
Instruction ID: 5e8ea013345ea8871791495e7469f0dede15669acab781dfc653fd311c207675
Opcode Fuzzy Hash: d03a3046163f6184b9b7679b7e0f3bebce94dd28af840b4081a31fe43a55cf8b
Instruction Fuzzy Hash: 1921CDB52143469FC750CF2CC880A6AB7E4FF88350B14892AFA99EB344D330E954CB62

Function 0123C381 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 0123C3FA

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 868db0d6804e96216372af0c7d2330db006d09f73424ef6d07a75df0a5e5ee91
Instruction ID: 981df3514dd58f67128139bcf12d8638e66018face6ad65e29be00ad8d59bd4f
Opcode Fuzzy Hash: 868db0d6804e96216372af0c7d2330db006d09f73424ef6d07a75df0a5e5ee91
Instruction Fuzzy Hash: DB2190B4214302AFC320DF1CD884A1ABBE0FB98360F24896AE6D8D7351D371E961CF56

Function 0123C509 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 0123C599

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3e22dc52ce3fe1480b08218084e6d26e5182a57910f25d76e7cc0191749c2ddf
Instruction ID: 9f6137f4d8d615eb7a2718a7f03688c6de3ef592a3977aa28e1b18578b437408
Opcode Fuzzy Hash: 3e22dc52ce3fe1480b08218084e6d26e5182a57910f25d76e7cc0191749c2ddf
Instruction Fuzzy Hash: 2921E0B5215302DFC751CF2CE880A1AB7E4FF89354B14496AE594EB345D331E958CFA2

Function 01254C85 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01254BF1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C36
Part of subcall function 01254BF1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C4E
Part of subcall function 01254BF1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C5A

Sleep.KERNEL32(00000002,00000000,01254CF6), ref: 01254CD6

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: b99a7a783a4bdcb9f32e12afd13eae9846701ce81228c977282d2d9b02870111
Instruction ID: 222886fb682cc61d693c167715754c931f5fbd95d73f40a797daa6a53bc853dd
Opcode Fuzzy Hash: b99a7a783a4bdcb9f32e12afd13eae9846701ce81228c977282d2d9b02870111
Instruction Fuzzy Hash: DEF0A470A24649AFD741FBA8D981AADF7F8EB95700F5040B5E804E3690EB355E41C711

Function 01254CFC Relevance: 1.3, APIs: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01254BF1: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C36
Part of subcall function 01254BF1: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C4E
Part of subcall function 01254BF1: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,01254C75), ref: 01254C5A

Sleep.KERNEL32(00000002,00000000,01254CF6), ref: 01254CD6

Memory Dump Source

Source File: 00000037.00000002.1572820171.0000000001239000.00000040.00000020.00020000.00000000.sdmp, Offset: 01239000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_1239000_file.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 7c7192be15a1d739495aac008c9d772b06e278ed7ede4af4e18e06da564ceca1
Instruction ID: ef96dfdb290f43ee4f482be27ca9f78b670e4f3dbf1475c905d9b291d4214e94
Opcode Fuzzy Hash: 7c7192be15a1d739495aac008c9d772b06e278ed7ede4af4e18e06da564ceca1
Instruction Fuzzy Hash: 27F0AFB0A20249FFDB41FBA4E981ABDFBF8EB88300F5144B5E804E3650EA355E418B00

Function 01262D51 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.1572820171.000000000125D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_125d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: c6963657697c7dcb935e42350dd8096b91dddfc55392ff8e7741ff352f3b361f
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: 5C31F521624A03EAEF214AACDC44BA37B5CFF05224F240236E795974C2D770B9D4C7A5

Non-executed Functions

Function 0102A187 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76528FB0,?,00000000), ref: 0102A1A8
GetFileAttributesW.KERNEL32(?), ref: 0102A1E6
SetFileAttributesW.KERNEL32(?,?), ref: 0102A200
FindNextFileW.KERNEL32(00000000,?), ref: 0102A218
FindClose.KERNEL32(00000000), ref: 0102A223
FindFirstFileW.KERNEL32(*.*,?), ref: 0102A23F
SetCurrentDirectoryW.KERNEL32(?), ref: 0102A28F
SetCurrentDirectoryW.KERNEL32(010779A0), ref: 0102A2AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102A2B7
FindClose.KERNEL32(00000000), ref: 0102A2C4
FindClose.KERNEL32(00000000), ref: 0102A2D6

Strings

*.*, xrefs: 0102A23A

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7c6eb87bfd82c88b86fe0a444fad552f8e354b3ed08f7cf0cb7023ef594bf446
Instruction ID: 4382c2758bccb1d1076907121a4b46c1588561a9360d522286d5439d030845b6
Opcode Fuzzy Hash: 7c6eb87bfd82c88b86fe0a444fad552f8e354b3ed08f7cf0cb7023ef594bf446
Instruction Fuzzy Hash: 44310576701239AFDB209EB8DC48ADE77EC9F16260F040196E994E3150EF36DA488B64

Function 0101E180 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FB1192,?), ref: 00FB11BF

GetFileAttributesW.KERNEL32(?), ref: 0101E1C0
FindFirstFileW.KERNEL32(?,?), ref: 0101E1FD
DeleteFileW.KERNEL32(?,?,?,?), ref: 0101E24D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0101E25E
FindClose.KERNEL32(00000000), ref: 0101E275
FindClose.KERNEL32(00000000), ref: 0101E27E

Strings

\*.*, xrefs: 0101E1CF

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 84c1d31d924bb2ce8862806af642935ed0ceb0c41261cfdafd04b303f111fdd9
Instruction ID: 0597514e17b9fae1452be3f3939170b0d52a24abf2348c88bc89f7613e52d29c
Opcode Fuzzy Hash: 84c1d31d924bb2ce8862806af642935ed0ceb0c41261cfdafd04b303f111fdd9
Instruction Fuzzy Hash: 1B318F71008345ABC302EF64CD958EFB7E8BE65310F444E2DF8E582091EB299A09DB52

Function 010121C9 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01012308), ref: 010121DE
CloseHandle.KERNEL32(?,?,01012308), ref: 010121F3

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 32e0b2bb899272f22a66e60119dcee064eec393a3ae017931c8d295e3d3d8d61
Instruction ID: 169c26d28e889f377777654133929435199ad9e1729b4bd7b26266876b9a3dc5
Opcode Fuzzy Hash: 32e0b2bb899272f22a66e60119dcee064eec393a3ae017931c8d295e3d3d8d61
Instruction Fuzzy Hash: E3E04F76104600AFF7352B54FD06F727BE9EB04310F24C82EF6A581475DB66AC90EB10

Function 01040198 Relevance: 51.2, APIs: 6, Strings: 23, Instructions: 479windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01040288
IsWindowVisible.USER32(?), ref: 010402DF
IsWindowEnabled.USER32(?), ref: 01040331

Part of subcall function 01012E91: SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01012F15
Part of subcall function 01012E91: SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01012F28
Part of subcall function 01012E91: SendMessageW.USER32(?,00000189,?,00000000), ref: 01012F58

Part of subcall function 01012A02: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01012A0D

Strings

GETCURRENTCOL, xrefs: 010406CE
GETCURRENTSELECTION, xrefs: 0104056E
SELECTSTRING, xrefs: 01040599
GETCURRENTLINE, xrefs: 01040693
EDITPASTE, xrefs: 01040705
SETCURRENTSELECTION, xrefs: 01040541
DELSTRING, xrefs: 010404D4
SENDCOMMANDID, xrefs: 01040787
ADDSTRING, xrefs: 010404A1
SHOWDROPDOWN, xrefs: 0104042E
TABRIGHT, xrefs: 0104038F, 010403A4
ISCHECKED, xrefs: 010405CC
ISENABLED, xrefs: 010402F0, 01040307
GETLINE, xrefs: 01040744
GETLINECOUNT, xrefs: 0104066C
CURRENTTAB, xrefs: 010403DB
GETSELECTED, xrefs: 01040641
UNCHECK, xrefs: 01040621
ISVISIBLE, xrefs: 01040294, 010402AF
HIDEDROPDOWN, xrefs: 01040464
CHECK, xrefs: 01040601
FINDSTRING, xrefs: 01040501
TABLEFT, xrefs: 01040342, 01040359

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$Window$BuffCharEnabledUpperVisible
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 409549560-45149045
Opcode ID: 67737ac2b6aa72945ec59f77fa04ad4074100d61b9003e0c0ed78490779a157d
Instruction ID: 28e46bd57d8c8667779f662224952569ff56d3820225b79270f3d0081453959c
Opcode Fuzzy Hash: 67737ac2b6aa72945ec59f77fa04ad4074100d61b9003e0c0ed78490779a157d
Instruction Fuzzy Hash: 6A02C9B46042018FDB14EF18C494AAE7BE1BF94344F1484ADF9CA6B3A6CB35DD46CB46

Function 0103C00E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0103D398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0103C0AE,?,?), ref: 0103D3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0103C0F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0103C172
RegDeleteValueW.ADVAPI32(?,?), ref: 0103C20A
RegCloseKey.ADVAPI32(?), ref: 0103C27E
RegCloseKey.ADVAPI32(?), ref: 0103C29C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0103C2F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0103C304
RegDeleteKeyW.ADVAPI32(?,?), ref: 0103C322
FreeLibrary.KERNEL32(00000000), ref: 0103C383
RegCloseKey.ADVAPI32(00000000), ref: 0103C394

Strings

advapi32.dll, xrefs: 0103C2ED
RegDeleteKeyExW, xrefs: 0103C2FE

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 1742008743-4033151799
Opcode ID: a9ebb9a401a2a5d38538cccfb7ba9980521dc03b4ac8f4185f90f6cf8ae51eac
Instruction ID: db87d3ebaef9bb89d8439900fcb194a64bed4f991af1b76eeb0cf76d8c72960d
Opcode Fuzzy Hash: a9ebb9a401a2a5d38538cccfb7ba9980521dc03b4ac8f4185f90f6cf8ae51eac
Instruction Fuzzy Hash: C4C1D335204201AFE710DF68C994F2ABBE5BF85308F14849DF49A9B392CB76E945CF81

Function 01024142 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 01024189
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010241AA

Strings

Error: , xrefs: 0102428B
"%s" (%d) : ==> %s:%s%s, xrefs: 010242BE
Incorrect parameters to object property !, xrefs: 01024265
^ ERROR , xrefs: 01024258
Line %d (File "%s"):, xrefs: 010241FD, 01024216
"%s" (%d) : ==> %s:, xrefs: 010242DC

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: LoadString
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 2948472770-3080491070
Opcode ID: c18ee6754d960409ca089cbf638e9558a5b50fe3aee0129369f534ef9eb0eb8d
Instruction ID: 965f24e1faec5404131f96289e702a4488e92d5073424294a5ed48524104ffac
Opcode Fuzzy Hash: c18ee6754d960409ca089cbf638e9558a5b50fe3aee0129369f534ef9eb0eb8d
Instruction Fuzzy Hash: 31518E71D0020ABADB15EBE1CD86EEEB7B9AF18300F5041A5F545A2051DB392F99DF50

Function 01014198 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 362COMMON

Download Yara Rule

Strings

CLASSNN, xrefs: 010142A7, 010142BA
TEXT, xrefs: 0101452D
INSTANCE, xrefs: 010144FF
REGEXPCLASS, xrefs: 0101430B, 0101431E
NAME, xrefs: 010143D9, 010143EC
CLASS, xrefs: 0101423A, 01014256

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: c36684c868ee52f1c20f07a1d3f03c844ea9a7d77bb78fd7e502f35de6ca2b00
Instruction ID: 7ea6ca020b1f4728f2f7549d911ac07a9b4b977fd963cc68dfe191dbeb486c8a
Opcode Fuzzy Hash: c36684c868ee52f1c20f07a1d3f03c844ea9a7d77bb78fd7e502f35de6ca2b00
Instruction Fuzzy Hash: 5CD14B71F00202EBDB18DFA8C880BEDB7B5BF04304F54C169E99AD7215EB39A949DB50

Function 00FD40DA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 00FD4142
api-ms-, xrefs: 00FD412E

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: ffe178d6c9664f20884cd6406aa33a69fccf65244bf79b526ce18a4ea29a176d
Instruction ID: ff9e7a6dc37ecf78da8f7b090878088930caea6d72a3c11b7f362f061644d1d5
Opcode Fuzzy Hash: ffe178d6c9664f20884cd6406aa33a69fccf65244bf79b526ce18a4ea29a176d
Instruction Fuzzy Hash: 3021D576E01215BBCB328B649D81B2A376AAF217B0F1C0212FC45A7384D635FD40A7E0

Function 010161D2 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010161F7
GetDeviceCaps.GDI32(00000000,00000058), ref: 01016208
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101620F
ReleaseDC.USER32(00000000,00000000), ref: 01016217
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0101622E
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01016240

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 484fd545d37d969d86d77f41374a8713dfe0ba0c074f90655f469197ca866827
Instruction ID: b01c5bedfd0599e811d408a1a22bc7b98110ba52fdc9a0cc79e9e711bf86bf86
Opcode Fuzzy Hash: 484fd545d37d969d86d77f41374a8713dfe0ba0c074f90655f469197ca866827
Instruction Fuzzy Hash: CE0188B5E00308BBEB109BE59D45A5EBFB8EB58351F0440A6FE48A7245D6759910CF50

Function 01014024 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01013E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01013EB2
Part of subcall function 01013E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 01013EC3
Part of subcall function 01013E94: GetCurrentThreadId.KERNEL32 ref: 01013ECA
Part of subcall function 01013E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,0101368B), ref: 01013ED1

GetFocus.USER32 ref: 0101404B
GetParent.USER32(00000000), ref: 01014068
GetClassNameW.USER32(?,?,00000100), ref: 010140A7
EnumChildWindows.USER32(?,01014110), ref: 010140CF

Strings

%s%d, xrefs: 010140E3

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
String ID: %s%d
API String ID: 2776554818-1110647743
Opcode ID: e1a03346dc1920f4a0fafab4e4d2cd90eb95e0176095962fdb5d50a0e09cbfb3
Instruction ID: 660861a9cf6ec546fe2785e2669abbf02639615ba4a2cfe2002653ca9782160b
Opcode Fuzzy Hash: e1a03346dc1920f4a0fafab4e4d2cd90eb95e0176095962fdb5d50a0e09cbfb3
Instruction Fuzzy Hash: AA21F3B5600205ABCF21BFB58DC4AFD77A9AF98314F044065FD89DB14ADB3998099FB0

Function 0101211E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01012134
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01012140
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101214F
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01012156
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101216C

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 75a15c96e0a9cebcd2b7f06ea3c7ee263345fb25e70cb6bee6a6e0196042cbd0
Instruction ID: 1e559eefb4be3c91ad19e0e9647df9b93ea93d5b9776edb704bd096aa94bb373
Opcode Fuzzy Hash: 75a15c96e0a9cebcd2b7f06ea3c7ee263345fb25e70cb6bee6a6e0196042cbd0
Instruction Fuzzy Hash: 64F062B9240301BBD7224FA8ED89F563BBDEF99661F200414FE85C7254CA79D8108B60

Function 0104414F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 010441D8
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 010441E8
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0104420E

Strings

Listbox, xrefs: 010441A7

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: abfeecf4fd0da4891d16a67004f8d223b68a795bc1360655aacf8cfda1c70cfd
Instruction ID: 340ba52a414c3daf0eab058193cf59afa06b982c076faca210802829e5f48b33
Opcode Fuzzy Hash: abfeecf4fd0da4891d16a67004f8d223b68a795bc1360655aacf8cfda1c70cfd
Instruction Fuzzy Hash: 2C21B0B2610118BBEF128E58CCC5FBB37AEEF89754F018124FA849B1A1C6719C52C7A0

Function 0104803B Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(011CF830,?), ref: 01048061
GetWindowRect.USER32(?,?), ref: 010480D7
PtInRect.USER32(?,?,01049573), ref: 010480E7
MessageBeep.USER32(00000000), ref: 01048153

Memory Dump Source

Source File: 00000037.00000002.1571934174.0000000000FB1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000037.00000002.1571900416.0000000000FB0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.000000000104D000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572077982.0000000001071000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572187023.000000000107D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000037.00000002.1572232042.0000000001085000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_fb0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e030333c2a654c9e169045a7009280a7e2e758e94a9d09139aff2318e734b59a
Instruction ID: b97ec4f36cd4280a76c3c9f0c38c748ae358ae8003bf97749ba142e33791929c
Opcode Fuzzy Hash: e030333c2a654c9e169045a7009280a7e2e758e94a9d09139aff2318e734b59a
Instruction Fuzzy Hash: 0E4180B4A00219DFDB21CFD8C4C5AA9BBF9FB49710F0485B7EAD49B265C735A841CB50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 740d3a.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\549e0e.rbs

C:\Config.Msi\549e10.rbs

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\kwZvl2ZDr.a3x

C:\System Volume Information\SPP\OnlineMetadataCache\{8770b57a-cd3c-4ef2-af9f-1b6257341760}_OnDiskSnapshotProp

C:\System Volume Information\SPP\metadata-2

C:\System Volume Information\SPP\snapshot-2

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\AI_B2DC.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jh14bcko.rpn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsjn3oad.ijd.psm1

Windows Analysis Report
740d3a.msi

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre