Edit tour

Windows Analysis Report
V2clgnyM2J.exe

Overview

General Information

Sample name:	V2clgnyM2J.exe
Analysis ID:	1581797
MD5:	70a43f05ebbb4c0f0c09315778b5204c
SHA1:	4cb4abb9f2084cc447958d3e5605825b6f4474c7
SHA256:	3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
Infos:

Detection

GhostRat

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

V2clgnyM2J.exe (PID: 1016 cmdline: "C:\Users\user\Desktop\V2clgnyM2J.exe" MD5: 70A43F05EBBB4C0F0C09315778B5204C)

cmd.exe (PID: 1256 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

RuntimeBrokers.exe (PID: 4836 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)

cmd.exe (PID: 5432 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

tasklist.exe (PID: 5284 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7372 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6676 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 5012 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1952 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6304 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 3104 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4360 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 5336 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 3600 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7404 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7140 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6092 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4756 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 4640 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 3672 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4152 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 7016 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 280 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1860 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2080 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7120 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6360 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 2816 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7556 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8048 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6796 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 5656 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7444 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1528 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 7512 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2288 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1148 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 1856 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5352 cmdline: findstr /I "RuntimeBrokers.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 1936 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 6744 cmdline: tasklist /FI "IMAGENAME eq RuntimeBrokers.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

cmd.exe (PID: 7744 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 488 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 448 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4236 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RuntimeBrokers.exe PID: 4836	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1256, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 4836, ProcessName: RuntimeBrokers.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentProcessId: 4836, ParentProcessName: RuntimeBrokers.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 7744, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 8.218.163.85, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, Initiated: true, ProcessId: 4836, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49756

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7744, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 488, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7744, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 488, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T00:49:51.834809+0100	2052875	1	A Network Trojan was detected	192.168.11.20	49757	8.218.163.85	9091	TCP
2024-12-29T00:56:53.755645+0100	2052875	1	A Network Trojan was detected	192.168.11.20	49775	8.218.163.85	9092	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\backup.dll	ReversingLabs: Detection: 69%
Source: C:\Users\Public\Bilite\Axialis\libcurl.dll	ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: V2clgnyM2J.exe

ReversingLabs: Detection: 54%

Source: V2clgnyM2J.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: UpdaterSetup.exe.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82801802567.00000000084B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82795707276.0000000007070000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\libcurl.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbK source: powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82796589986.0000000007124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbk source: powershell.exe, 0000000F.00000002.82803140266.0000000008591000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\libcurl.pdbp: source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr
Source:	Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82802792851.0000000008571000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UpdaterSetup.exe.pdbP source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb{D source: powershell.exe, 0000000F.00000002.82802792851.0000000008571000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: updater.exe.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000003634000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: updater.exe.pdbP source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000003634000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb; source: powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbnv source: powershell.exe, 0000000F.00000002.82802062725.0000000008515000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: d:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		0_2_0040301A
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_00402B79

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49757 -> 8.218.163.85:9091
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.11.20:49775 -> 8.218.163.85:9092

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 8.218.163.85 ports 18852,9092,1,2,5,9091,8

Source: global traffic

TCP traffic: 192.168.11.20:49756 -> 8.218.163.85:18852

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.85

Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: http://.css
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: http://.jpg
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RuntimeBrokers.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 0000000E.00000002.82789205676.00000000063A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: http://support.google.com/installer/
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
Source: powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962545736.0000000000A50000.00000004.00001000.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp, V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp, chiomsStup.exe.0.dr, RuntimeBrokers.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://clients2.google.com/cr/report
Source: powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://dl.google.com/update2/installers/icons/
Source: powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: powershell.exe, 0000000E.00000002.82789205676.00000000063A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://update.googleapis.com/service/update2/json
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	String found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo

Source: RuntimeBrokers.exe, 00000004.00000003.82788664924.0000000004891000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_bb3513b9-c

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_3_02A1B641	0_3_02A1B641
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_3_02A153DE	0_3_02A153DE
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_3_02A16906	0_3_02A16906
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04E51D01	14_2_04E51D01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_04E50EFD	14_2_04E50EFD

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\backup.exe 9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: String function: 0040243B appears 37 times

Source: chiomsStup.exe.0.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: chiomsStup.exe.0.dr	Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71

Source: V2clgnyM2J.exe, 00000000.00000003.81904149653.0000000002591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameV vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamensdksetupJ vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXZCalendarServer.exe* vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000002.81965693407.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd. vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000002.81965693407.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameV vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupdater.exe> vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81959474521.000000000367C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdaterSetup.exeB vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe, 00000000.00000003.81962835460.0000000006810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUpdaterSetup.exeB vs V2clgnyM2J.exe
Source: V2clgnyM2J.exe	Binary or memory string: OriginalFilenameV vs V2clgnyM2J.exe

Source: V2clgnyM2J.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RuntimeBrokers.exe.0.dr

Binary string: @rb-%c%cIsWow64Processkernel32ntdll.dllRtlGetNtVersionNumbersg:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cppStopUnInitcurl init failedcurl_easy_perform failed,{}GetDownloadDownLoadFinish:{}, Size:{}Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36write_data_get_postwrite_data_get_post StopABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/PCI{1A3E09BE-1E45-494B-9174-D7385B45BBF5}\\.\#{ad498944-762f-11d0-8dcb-00c04fc3358c}NoteBookDesktopkernel32GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwClose

Source: classification engine

Classification label: mal96.troj.evad.winEXE@101/45@0/1

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

File created: C:\Users\Public\Bilite

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:304:WilStaging_02
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.11.10
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4692:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: V2clgnyM2J.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'RUNTIMEBROKERS.EXE'

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: V2clgnyM2J.exe

ReversingLabs: Detection: 54%

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

File read: C:\Users\user\Desktop\V2clgnyM2J.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\V2clgnyM2J.exe "C:\Users\user\Desktop\V2clgnyM2J.exe"
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"

Source: chiomsStup.exe.lnk.4.dr

LNK file: ..\..\Public\Bilite\chiomsStup.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: V2clgnyM2J.exe

Static file information: File size 47523239 > 1048576

Source:	Binary string: UpdaterSetup.exe.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82801802567.00000000084B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82795707276.0000000007070000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\libcurl.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbK source: powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82796589986.0000000007124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbk source: powershell.exe, 0000000F.00000002.82803140266.0000000008591000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \YSS\Release\libcurl.pdbp: source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr
Source:	Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.82802792851.0000000008571000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UpdaterSetup.exe.pdbP source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb{D source: powershell.exe, 0000000F.00000002.82802792851.0000000008571000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: updater.exe.pdb source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000003634000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: updater.exe.pdbP source: V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000003634000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb; source: powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbnv source: powershell.exe, 0000000F.00000002.82802062725.0000000008515000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: libcurl.dll.0.dr	Static PE information: section name: .00cfg
Source: chiomsStup.exe.0.dr	Static PE information: section name: CPADinfo
Source: chiomsStup.exe.0.dr	Static PE information: section name: malloc_h
Source: backup.dll.4.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_3_02A1A41B push es; retf	0_3_02A1A42E
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_3_02A1A1A9 push es; retf	0_3_02A1A3EE
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	File created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	File created: C:\Users\Public\Bilite\chiomsStup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	File created: C:\Users\Public\Bilite\Axialis\libcurl.dll	Jump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Window / User API: threadDelayed 8181	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9841	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9616	Jump to behavior

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Dropped PE file which has not been started: C:\Users\Public\Bilite\chiomsStup.exe			Jump to dropped file

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 4580	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 6564	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 6564	Thread sleep time: -330000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 6564	Thread sleep count: 8181 > 30	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 6564	Thread sleep time: -24543000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 8112	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 1240	Thread sleep count: 267 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 9841 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 9616 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2816	Thread sleep count: 195 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5964	Thread sleep count: 267 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7604	Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7964	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4812	Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1960	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2380	Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7388	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 2136	Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4208	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 3280	Thread sleep count: 270 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7920	Thread sleep count: 268 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,		0_2_0040301A
Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_00402B79

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Thread delayed: delay time: 73000			Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000F.00000002.82801802567.00000000084B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Source: C:\Users\user\Desktop\V2clgnyM2J.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_00401F9D

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\user\Desktop\V2clgnyM2J.exe

Code function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: RuntimeBrokers.exe PID: 4836, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: RuntimeBrokers.exe PID: 4836, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	2 Input Capture	1 System Time Discovery	Remote Services	2 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	37 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
V2clgnyM2J.exe	54%	ReversingLabs	Win32.Ransomware.Generic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\backup.dll	70%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\backup.exe	4%	ReversingLabs
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe	4%	ReversingLabs
C:\Users\Public\Bilite\Axialis\libcurl.dll	70%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Bilite\chiomsStup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://.jpg	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png4	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log	0%	Avira URL Cloud	safe
https://update-xztodolist.cqttech.com/api/v1/update/check	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/	0%	Avira URL Cloud	safe
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://pesterbdd.com/images/Pester.png4	powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.82789205676.00000000063A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
http://ocsp.sectigo.com0	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
https://aka.ms/pscore6lBkq	powershell.exe, 0000000E.00000002.82781457955.0000000005341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
http://.css	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.82795669742.00000000079EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
https://github.com/Pester/Pester4	powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
https://m.google.com/devicemanagement/data/api	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000003.82666691514.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr, backup.dll.4.dr	false		high
https://dl.google.com/update2/installers/icons/	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.82781457955.0000000005497000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.82781457955.0000000005AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.0000000004707000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.google.com/installer/	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false		high
https://contoso.com/	powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.82789205676.00000000063A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82790763438.0000000005614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://update-xztodolist.cqttech.com/api/v1/update/check	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.81964532251.00000000004FF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://support.google.com/installer/%s?product=%s&error=%d	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false		high
http://www.quovadis.bm0	powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	powershell.exe, 0000000E.00000002.82780172249.000000000366D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82778685462.000000000086B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.82781457955.0000000005341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.82781459035.00000000045B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	V2clgnyM2J.exe, 00000000.00000003.81959474521.0000000002C34000.00000004.00000020.00020000.00000000.sdmp, chiomsStup.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.218.163.85	unknown	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581797
Start date and time:	2024-12-29 00:46:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	V2clgnyM2J.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@101/45@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 65
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target powershell.exe, PID 4236 because it is empty
Execution Graph export aborted for target powershell.exe, PID 488 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: V2clgnyM2J.exe

Simulations

Behavior and APIs

Time	Type	Description
18:49:12	API Interceptor	13417004x Sleep call for process: RuntimeBrokers.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.90.135.102
	libcurl.dll	Get hash	malicious	Matanbuchus	Browse	47.254.174.185
	EpCAySF1G6.exe	Get hash	malicious	Unknown	Browse	8.218.163.62
	EpCAySF1G6.exe	Get hash	malicious	Unknown	Browse	8.218.163.62
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	47.245.158.74
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	47.57.184.195
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	8.212.102.187
	splarm7.elf	Get hash	malicious	Unknown	Browse	47.253.191.95
	nabsh4.elf	Get hash	malicious	Unknown	Browse	47.240.78.242
	splppc.elf	Get hash	malicious	Unknown	Browse	47.52.40.232

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\backup.exe	CnjMEmbChO.exe	Get hash	malicious	Unknown	Browse
	CnjMEmbChO.exe	Get hash	malicious	Unknown	Browse
	WiezmDFd6L.exe	Get hash	malicious	Unknown	Browse
	WiezmDFd6L.exe	Get hash	malicious	Unknown	Browse
	Fqae7BLq4m.exe	Get hash	malicious	Unknown	Browse
	Fqae7BLq4m.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zsicwka.eof.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhwrh1kt.sxb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjnbrlu3.pqw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_id4y5hhm.sqn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktwkt5du.qgr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvmfiwrg.oe3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ps5wk4nm.5kk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_riejsp14.xol.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2290968
Entropy (8bit):	6.605322536519871
Encrypted:	false
SSDEEP:	49152:5TdEUKL5mmrQA4t4Q0DS/Eo6vOkbmTUc3n+L5EQBzTdXbWF2:55EUKL5mULK4Q0m8o6vXmTUc3ncEQBzp
MD5:	1B183331FC04468714FBA2F47DE17153
SHA1:	8D8B780F0376195BE5EAB97011F4DCC8EC219F59
SHA-256:	C1D72D7016E3EE1B51EA384F7BFCC09DDA324E07D61CEDD52BCF455EE8699CB9
SHA-512:	4BDA0DBA01AEF22E42240D2F7C390B62E04F1E24CB11AFFCFAB0E9D186A38E929779ECDCCD239806401018A1ABA562072F3D40BF067D2F98E1DCF2ADA76F0649
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...n.gg...........!.........<......S!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text............................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	777816
Entropy (8bit):	6.621348016864403
Encrypted:	false
SSDEEP:	12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
MD5:	30A274E00DA842B09E9763F19777ADED
SHA1:	848C6A9348020EAEEC1A5674990683A1D9977B80
SHA-256:	9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
SHA-512:	81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: CnjMEmbChO.exe, Detection: malicious, Browse Filename: CnjMEmbChO.exe, Detection: malicious, Browse Filename: WiezmDFd6L.exe, Detection: malicious, Browse Filename: WiezmDFd6L.exe, Detection: malicious, Browse Filename: Fqae7BLq4m.exe, Detection: malicious, Browse Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......\|...:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	788
Entropy (8bit):	5.10946826685498
Encrypted:	false
SSDEEP:	24:NFW/WcuW/WcuWEAzWcyMZKx31SIYaYZLZ6y:NFVcuVcujAzzZKx31SIYN/6y
MD5:	B8422B84DA3F3E791EAB8621899B55D1
SHA1:	0214A135F224C150852D30FE9CA743585C9BB57B
SHA-256:	565D247FC0F778E67EE20EC635E815D19A12DEB5FEFEC94F11274956B44C3627
SHA-512:	D151F620777C5B67056A6CFEE0A88278B2E5FB9AD57DCDD80F2DFF75A801D63EBDDD6D0C74BEDAB8CBF9E8BA152EB7913F2790720AD4B73490ECD250789E7F18
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=RuntimeBrokers.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\libcurl.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:EQ:EQ
MD5:	2E92962C0B6996ADD9517E4242EA9BDC
SHA1:	0AEEE979A64DE2BCDF8C02FC02E65C67B4625E73
SHA-256:	4AEB7AD6D5D37A041C4C5CE6562BF9E3CAF05A42D931CEF4D9E2A60CA623194D
SHA-512:	8138FFC12EA856378A3E76D8DB8AB498D5CAA33D6CAAF8472369729E8FFF829D691FCCA860084E13E399B21211ABE0EAF1CEB05BBA9FD9B229110A77E08A90CD
Malicious:	false
Preview:	5432

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\chiomsStup.exe.lnk

Download File

Process:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 28 22:48:35 2024, mtime=Sat Dec 28 22:48:35 2024, atime=Sun Dec 8 12:55:51 2024, length=10384768, window=hide
Category:	dropped
Size (bytes):	1051
Entropy (8bit):	4.673141726388187
Encrypted:	false
SSDEEP:	12:8xjU4IZ1ZcCHqXfMx2R2ACmq2BDXcq32NUjA682ByLfGPNvav2kEwyh0v4t2YCBn:88LMx9lmNAA682u4Nyv2kE1hOJTvm
MD5:	39ADF43AA2544DBA99A0A04E407A724E
SHA1:	52149EC45B53FD99885E88933D38C22001D6590F
SHA-256:	65694F14E45AD2D630136236225290152BABAF468B21C0C930D0F0B94ADC6D66
SHA-512:	0C6AB32EAC61D07C6F170485A652EE9DCD450031EC883C813B65B24EDACAFE7E808520F5BAB0E29C4C9682DF3ABF0D8083E8FA6E3D0677E4CD0E31915A798A17
Malicious:	false
Preview:	L..................F.... ....x3..Y..R.F..Y...@.xI...u...........................P.O. .:i.....+00.../C:\...................x.1....."S...Users.d......OwH.Y.......u..............:.......8.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1......Y....Public..f......O.I.Y......Du..............<......o-.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y....Bilite..>......Y...Y............................ei..B.i.l.i.t.e.....j.2..u...Y.n .CHIOMS~1.EXE..N......Y...Y............................"e{.c.h.i.o.m.s.S.t.u.p...e.x.e.......T...............-.......S..............>.....C:\Users\Public\Bilite\chiomsStup.exe..".....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.c.h.i.o.m.s.S.t.u.p...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......609290..............n4UB.. .\|..o%..0....G.P..#.....n4UB.. .\|..o%..0....G.P..#.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.........9...1SPS..mD..

C:\Users\Public\Bilite\Axialis\IiViS

Download File

Process:	C:\Users\user\Desktop\V2clgnyM2J.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.942275084497218
Encrypted:	false
SSDEEP:	3:iqkQEpePwi/5vmrn:ilQAQv5Qn
MD5:	1CEF2A872B3BA832C330692551B2A449
SHA1:	4677A0B5D2C8D36E0C73C2155ECEBFA08DE292C5
SHA-256:	7AA40A073F5DC8CB00FF695D306811C7C73704B30E871D6B7D63551D7704257C
SHA-512:	C737F93C06F22F21D2F1AC285FFBE713006B6491B58FB50CF9476B3B0061D2D63506278D06946C8A0DC9B48B1863B229B944C7D230B3DB2FCAD415DB5C7EEA20
Malicious:	false
Preview:	U2FsdGVkX19D0rJsLjCj9UcHtD83ck0ZxOAMaTX0CBw=

C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Download File

Process:	C:\Users\user\Desktop\V2clgnyM2J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	777816
Entropy (8bit):	6.621348016864403
Encrypted:	false
SSDEEP:	12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
MD5:	30A274E00DA842B09E9763F19777ADED
SHA1:	848C6A9348020EAEEC1A5674990683A1D9977B80
SHA-256:	9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
SHA-512:	81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......\|...:..............@..B................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\Axialis\grsiicef.png

Download File

Process:	C:\Users\user\Desktop\V2clgnyM2J.exe
File Type:	data
Category:	dropped
Size (bytes):	43717205
Entropy (8bit):	7.999992198238367
Encrypted:	true
SSDEEP:	786432:a+r55OPXRfp54Usga2n5qYdInJEYZzzTmON+ISIKYlU:/r55OFYnDSxIJPzmXvjYlU
MD5:	2CC0D4E03FDCCAC7FFFD46BF6D476DC6
SHA1:	36977EAD18DCA5903D79636F431EFA0714828B09
SHA-256:	57014555CBACBD3D81574D33BE2A77C3421ED66290CF548187E601A24FB54712
SHA-512:	30AEA3AAC3B7731721C10BEF73E592F81B130FCAC05719B8A49A3AA29A5979F99530AA2B0C17D00A7C5A2E6FDF5B3ADCCB7B9583867DF328BC72CFFCA729EBDD
Malicious:	false
Preview:	..>.....x...@...um.M...3.Z.............S.K.D.fC'b.)1...~?GDs......].s..0.{r....EV....1P..c...b........3...< ....]..k..1S..m.[=...^...].x.^.YB....u.MK2...W..8...W..^g+u.5.X..}....e.I$nOZ_.D.t./.^.5.............!.g'..#.........N.(...$.-C~..k.\.....v...c..be.....xG@.......J...P'8....Y....s..n...U.8....R....ucd,....HQ...).-...i...{!k..5.....q..E.:..)D>...Y...I.Zp.vHJ..%....F..d..:.....CM...H.5.YW6..e.+.....?...m.2.a"$f....Bd.&. ......l.......2ua...mL.;..,E.......T.K>.............*..n......K....>V.....L.hhU..9..Nd....a.Y.9..i.!j.Qf.71...z.!0W.....QK..+..GG.....7_Ea......4.9.+.....~......p....&".L..i.Z....Ub......]C..#E.w.g...Hf....h...T. ..v.y...aS}..E....r7.QQH.&.L.X....{.Ap[......I+...r1...3.B..8.3..f.'..........o_\.....f?hMJ..hW.a.UyU.....c.Y.l\|........B.$.E..u.D\|V1P....=...r.k.[......O}~...t...8...}...m .o..j.3!...$5=...@H&.....#.<...k........wJ.&...x.n.....i./N.}'..W.g..FB....h?3.z........B..]vJu..)r;[@G..f...r.%=..h."._?......^r..\|

C:\Users\Public\Bilite\Axialis\libcurl.dll

Download File

Process:	C:\Users\user\Desktop\V2clgnyM2J.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2290968
Entropy (8bit):	6.605322536519871
Encrypted:	false
SSDEEP:	49152:5TdEUKL5mmrQA4t4Q0DS/Eo6vOkbmTUc3n+L5EQBzTdXbWF2:55EUKL5mULK4Q0m8o6vXmTUc3ncEQBzp
MD5:	1B183331FC04468714FBA2F47DE17153
SHA1:	8D8B780F0376195BE5EAB97011F4DCC8EC219F59
SHA-256:	C1D72D7016E3EE1B51EA384F7BFCC09DDA324E07D61CEDD52BCF455EE8699CB9
SHA-512:	4BDA0DBA01AEF22E42240D2F7C390B62E04F1E24CB11AFFCFAB0E9D186A38E929779ECDCCD239806401018A1ABA562072F3D40BF067D2F98E1DCF2ADA76F0649
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...n.gg...........!.........<......S!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text............................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bilite\chiomsStup.exe

Download File

Process:	C:\Users\user\Desktop\V2clgnyM2J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10384768
Entropy (8bit):	6.780996075213578
Encrypted:	false
SSDEEP:	196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyY2:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXB
MD5:	C8B07E0F9BA7C97B55CB29835FFAF5F6
SHA1:	9FFFC728C361DCDD4828212F1F0E56A0DAC92463
SHA-256:	A68355D5F7E99F3BE66D84EA5AD4A72F92D1611C53F959C0B4E742B363678578
SHA-512:	0AB0D39F0FBCDB11E241AE95CC540A54EF4D9A6E611AE516EF189627E73505696AEBEDACE7D4527C40F31A021850CB7CB563F4D0CE0411BE2F9B87ABA2493866
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...{*2g.........."......T4...i...................@......................................@.........................<.=.U.....=.@.....@..H^..........,...I...`.......k=.....................Pi=......q4.............@.=.l............................text....S4......T4................. ..`.rdata..`....p4......X4.............@..@.data........ >..R....=.............@....tls....u.....?......N>.............@...CPADinfo(.....?......P>.............@...malloc_h......@......R>............. ..`.rsrc....H^...@..H^..T>.............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	172
Entropy (8bit):	3.8842159555406113
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyst3g4t32vov:hYFRamFSQZ0lv5y/9JctESnQUq3tyMXZ
MD5:	B44FC16E07912C24524F74A8D3C9BCED
SHA1:	CCBA90D10D32BFF18221183C88146B378011CC3B
SHA-256:	FA51D90457861D7169034A0D4122B3AFDA2B4C07E157A4C18AF06D833C96ED2A
SHA-512:	1B9F0DD3387FDD1324828AA7CC94A98EC0344A5CAF1EDFFAAF7C0F98F134B09A4DCFD440E9374B0D3C80E099DFE43DABD838B0BE34C395C2F64C9334AE569516
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999975834347258
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	V2clgnyM2J.exe
File size:	47'523'239 bytes
MD5:	70a43f05ebbb4c0f0c09315778b5204c
SHA1:	4cb4abb9f2084cc447958d3e5605825b6f4474c7
SHA256:	3e5045e0af927fed92760e84a4300a7803632d7d8da0fcd5126700bfa4a79029
SHA512:	d6f31da81d6ccc02969bbebadcc908ff0028ca8f73b3b478b30892333d01b3d644306f004d695fd4c760c74999ddfab84b5605d4f64d5785f12a7e78cb3414d3
SSDEEP:	786432:XAGhPZ/2u+jAcPiy3GrySHDNuf2DXAXG3pdHTi7mO6cW5o7iqK/lbOu+NqmXWAt:/PZ+pPiywyUDNDDSG3pY756NomD/ll+V
TLSH:	96A733B970B51A36EEAE5F3BF509A42F90F1FBF6444DDA8223801E90FE056E580D2745
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................

File Icon


Icon Hash:	878fd7f3b9353593

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F52909394A2h
cmp dword ptr [00417710h], ebx
jne 00007F529093938Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F5290939474h
push 00417048h
push 00417044h
call 00007F529093945Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F529093942Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x13c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x13c0	0x1400	5293a0fb2c46166ce21247d17e837639	False	0.3568359375	data	4.96958597460067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a250	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3709677419354839
RT_ICON	0x1a538	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6081081081081081
RT_MENU	0x1a660	0x4a	data	English	United States	0.8648648648648649
RT_DIALOG	0x1a6ac	0xf2	data	English	United States	0.7148760330578512
RT_STRING	0x1a7a0	0x40	data	English	United States	0.59375
RT_GROUP_ICON	0x1a7e0	0x22	data	English	United States	1.0
RT_VERSION	0x1a804	0x314	data	English	United States	0.44416243654822335
RT_MANIFEST	0x1ab18	0x60f	XML 1.0 document, ASCII text, with CRLF line terminators			0.4229529335912315
RT_MANIFEST	0x1b128	0x298	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4894578313253012

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T00:49:51.834809+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.11.20	49757	8.218.163.85	9091	TCP
2024-12-29T00:56:53.755645+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.11.20	49775	8.218.163.85	9092	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 00:49:47.589951992 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:47.902992964 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:47.903218031 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.224589109 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.224602938 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.224842072 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.224863052 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.224875927 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.225065947 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.537825108 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.537846088 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.537859917 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.537874937 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.538041115 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.538111925 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.538129091 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.538144112 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.538158894 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.538275003 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.538352013 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.851320028 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851527929 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851562977 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851589918 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851756096 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.851777077 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851807117 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.851872921 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.852000952 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852019072 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.852030993 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852056026 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852082014 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852106094 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852130890 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852157116 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852195978 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.852233887 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.852309942 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.852324963 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852545023 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.852579117 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:48.853403091 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:48.853455067 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.164984941 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165004969 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165019035 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165287971 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.165352106 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165369987 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165384054 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165397882 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165524960 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.165524960 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.165555000 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165572882 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165601015 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165803909 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.165865898 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165884018 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165899038 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165911913 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.165925026 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166099072 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166141987 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.166146040 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166323900 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.166409016 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166428089 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166441917 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166455030 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166560888 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.166639090 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.166661978 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166692972 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166707993 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166721106 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166734934 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.166846991 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.166846991 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.167006016 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167023897 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167038918 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167253017 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167253971 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.167296886 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167313099 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.167459965 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.478235960 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478250980 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478260994 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478270054 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478488922 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.478504896 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478514910 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478524923 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478590012 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478600979 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478610992 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478620052 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478732109 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.478794098 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.478821993 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.479007959 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.479018927 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479074001 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479084969 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479094982 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479104996 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479125023 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479135990 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479219913 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.479336977 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479347944 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479353905 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.479357004 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479394913 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479407072 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479417086 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479427099 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479543924 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.479598045 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479610920 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479620934 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479630947 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479643106 CET	18852	49756	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:49.479724884 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.480813026 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:49.480813026 CET	49756	18852	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:51.520840883 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:51.833957911 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:51.834604025 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:51.834809065 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.148497105 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.148952961 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.149012089 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.462451935 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.463830948 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.464072943 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.464092016 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.464102983 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.464251041 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.777916908 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.777935982 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778188944 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778218031 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778234005 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778328896 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.778461933 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778513908 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:52.778523922 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:52.779100895 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.091984987 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092003107 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092021942 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092202902 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.092228889 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092247963 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092262030 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092276096 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092288971 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092308044 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092322111 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092506886 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092509985 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.092756033 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092773914 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092956066 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.092962980 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.093173027 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.411148071 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411166906 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411344051 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.411390066 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411406994 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411422014 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411621094 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.411667109 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411684036 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411699057 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411711931 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411837101 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411912918 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.411953926 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411972046 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411984921 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.411998987 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412000895 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.412161112 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.412190914 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412208080 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412221909 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412235975 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412354946 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.412354946 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.412386894 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412462950 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412477970 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412676096 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.412686110 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412735939 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412750006 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.412940979 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.413016081 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.465548038 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.724662066 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.724683046 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.724699020 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.724872112 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.724956036 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.724972963 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.724987984 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725032091 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725048065 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725061893 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725076914 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725112915 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725213051 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725224018 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725239038 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725303888 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725320101 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725334883 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725348949 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725363016 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725378036 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725392103 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725405931 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725420952 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725490093 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725505114 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725519896 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725568056 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725577116 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725583076 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725596905 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725610971 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725625992 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725641012 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725681067 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725773096 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725789070 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725802898 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725811005 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.725816965 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.725831985 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726018906 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726020098 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.726057053 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726073980 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726090908 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726105928 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726120949 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726345062 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.726349115 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726382971 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726403952 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726418018 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726432085 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726447105 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726463079 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726475000 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.726697922 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:53.778765917 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.779050112 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:53.779218912 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038008928 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038068056 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038110971 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038156033 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038280010 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038289070 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038326025 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038337946 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038369894 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038414955 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038459063 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038500071 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038532972 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038542032 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038588047 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038657904 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038702965 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038713932 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038758039 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038799047 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038841963 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038858891 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038883924 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038904905 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038937092 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.038959980 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.038980961 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039021969 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039037943 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039064884 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039107084 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039149046 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039167881 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039190054 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039221048 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039232016 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039274931 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039298058 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039319038 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039360046 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039376020 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039402008 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039444923 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039486885 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039527893 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039545059 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039571047 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039612055 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039654970 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039701939 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039707899 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039774895 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039807081 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.039819956 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039875031 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039916039 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039958000 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.039989948 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040000916 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040044069 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040085077 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040105104 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040127993 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040169954 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040221930 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040260077 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040265083 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040307999 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040349960 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040390968 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040432930 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040443897 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040476084 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040493965 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040518045 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040559053 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040572882 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040601969 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040643930 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040663004 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040685892 CET	9091	49757	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:54.040770054 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:54.040819883 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:55.090436935 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:55.397732019 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:49:55.398128986 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:49:57.074057102 CET	49757	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:01.231615067 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:01.231666088 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:01.231712103 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:01.538861036 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:01.538978100 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:01.539998055 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:01.540393114 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:01.903877974 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:11.055357933 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:11.362385035 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:11.414558887 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:11.506408930 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:11.855132103 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:26.708010912 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:27.015460968 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:27.039098024 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:27.400966883 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:42.360897064 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:42.669939995 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:42.704746962 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:43.062926054 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:57.982465982 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:58.289504051 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:50:58.321027040 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:50:58.678294897 CET	9091	49758	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:13.603971958 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:13.603971958 CET	49758	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:15.541234016 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:15.848925114 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:15.849845886 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:20.395102024 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:20.395153046 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:20.703193903 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:20.703258038 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:20.704487085 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:20.704858065 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:21.058793068 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:31.474980116 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:31.474980116 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:31.782887936 CET	9092	49759	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:31.783063889 CET	49759	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:33.412185907 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:33.726011038 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:33.726313114 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:38.289679050 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:38.289731026 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:38.603693008 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:38.603703022 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:38.604940891 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:38.605243921 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:38.967114925 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:49.346115112 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:49.346138954 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:49.660037041 CET	9091	49760	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:49.660295010 CET	49760	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:51.283297062 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:51.597631931 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:51.597949982 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:56.152509928 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:56.152555943 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:56.466315031 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:56.466334105 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:56.467416048 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:51:56.467767000 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:51:56.839216948 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:07.232724905 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:07.232724905 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:07.546511889 CET	9092	49761	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:07.546685934 CET	49761	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:09.169959068 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:09.484105110 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:09.484330893 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:14.039144039 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:14.039220095 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:14.354620934 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:14.354679108 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:14.355653048 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:14.355990887 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:14.713135004 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:25.103843927 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:25.103843927 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:25.417932034 CET	9091	49762	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:25.418102980 CET	49762	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:27.041009903 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:27.356128931 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:27.356297970 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:31.915874004 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:31.915936947 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:32.230801105 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:32.230873108 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:32.232053995 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:32.232474089 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:32.596890926 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:43.006059885 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:43.321038008 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:43.356542110 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:43.724756002 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:58.643285036 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:58.643285036 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:52:58.958206892 CET	9092	49763	8.218.163.85	192.168.11.20
Dec 29, 2024 00:52:58.958379984 CET	49763	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:00.580478907 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:00.894284964 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:00.894442081 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:05.511280060 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:05.511354923 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:05.825512886 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:05.825556040 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:05.826397896 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:05.826702118 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:06.191739082 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:16.514276981 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:16.827614069 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:16.856650114 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:17.225989103 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:32.135875940 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:32.135876894 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:32.449539900 CET	9091	49764	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:32.449713945 CET	49764	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:34.073179960 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:34.381937981 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:34.382040024 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:38.942779064 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:38.942807913 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:39.251770020 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:39.251812935 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:39.252821922 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:39.253196001 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:39.609016895 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:50.022563934 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:50.022563934 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:50.330930948 CET	9092	49765	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:50.331187010 CET	49765	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:51.959851027 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:52.271867990 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:52.272155046 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:56.854314089 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:57.166688919 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:57.166934013 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:57.167968988 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:53:57.168374062 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:53:57.535168886 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:07.893677950 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:07.893677950 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:08.205730915 CET	9091	49766	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:08.205964088 CET	49766	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:09.831036091 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:10.145230055 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:10.145420074 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:14.698213100 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:14.698242903 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:15.012233019 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:15.012470961 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:15.013691902 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:15.014000893 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:15.373435020 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:25.764717102 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:25.764717102 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:26.079318047 CET	9092	49767	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:26.079493999 CET	49767	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:27.702012062 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:28.009535074 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:28.009732008 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:32.548796892 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:32.548820972 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:32.856765032 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:32.856852055 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:32.857826948 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:32.858186960 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:33.220458984 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:43.667031050 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:43.974035978 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:43.998747110 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:44.360241890 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:59.304251909 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:59.304251909 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:54:59.611373901 CET	9091	49768	8.218.163.85	192.168.11.20
Dec 29, 2024 00:54:59.611654043 CET	49768	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:01.241468906 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:01.556265116 CET	9092	49769	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:01.556469917 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:06.096566916 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:06.096647978 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:06.411912918 CET	9092	49769	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:06.412086010 CET	9092	49769	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:06.412839890 CET	9092	49769	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:06.413170099 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:06.773762941 CET	9092	49769	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:17.175306082 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:17.175357103 CET	49769	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:19.112472057 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:19.419641972 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:19.419909954 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:23.973126888 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:23.973179102 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:24.281835079 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:24.282097101 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:24.283489943 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:24.283922911 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:24.634622097 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:35.046299934 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:35.046299934 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:35.353502989 CET	9091	49770	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:35.353718996 CET	49770	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:36.983566046 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:37.302341938 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:37.302515984 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:41.841396093 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:41.841474056 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:42.157182932 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:42.157449961 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:42.158584118 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:42.158929110 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:42.521706104 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:52.980079889 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:52.980079889 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:53.296623945 CET	9092	49771	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:53.296801090 CET	49771	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:54.917082071 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:55.231197119 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:55:55.231453896 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:59.783128023 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:55:59.783209085 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:00.098428965 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:00.098469973 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:00.099356890 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:00.099692106 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:00.465987921 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:10.851790905 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:10.851790905 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:11.170907974 CET	9091	49772	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:11.171104908 CET	49772	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:12.788187027 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:13.098937035 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:13.099168062 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:17.726368904 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:17.726447105 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:18.037249088 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:18.037503958 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:18.039052010 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:18.039378881 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:18.400832891 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:28.722053051 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:28.722053051 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:29.030929089 CET	9092	49773	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:29.032387972 CET	49773	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:30.659331083 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:30.976321936 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:30.976509094 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:35.539540052 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:35.539571047 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:35.855093002 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:35.855139017 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:35.856203079 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:35.856604099 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:36.227284908 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:46.624345064 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:46.624393940 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:46.940279007 CET	9091	49774	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:46.940526009 CET	49774	9091	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:48.561583042 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:48.874350071 CET	9092	49775	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:48.874691010 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:53.441159964 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:53.441210032 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:53.441256046 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:53.754157066 CET	9092	49775	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:53.754219055 CET	9092	49775	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:53.755276918 CET	9092	49775	8.218.163.85	192.168.11.20
Dec 29, 2024 00:56:53.755645037 CET	49775	9092	192.168.11.20	8.218.163.85
Dec 29, 2024 00:56:54.120985985 CET	9092	49775	8.218.163.85	192.168.11.20

Target ID:	0
Start time:	18:48:29
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\V2clgnyM2J.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\V2clgnyM2J.exe"
Imagebase:	0x400000
File size:	47'523'239 bytes
MD5 hash:	70A43F05EBBB4C0F0C09315778B5204C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:48:35
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Imagebase:	0x10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:48:35
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70b9c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:48:36
Start date:	28/12/2024
Path:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Imagebase:	0x470000
File size:	777'816 bytes
MD5 hash:	30A274E00DA842B09E9763F19777ADED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70b9c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70b9c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x10000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70b9c0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:49:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0xdd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:49:47
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0xdd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:50:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:50:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:50:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:50:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:50:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:50:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:51:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:51:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:51:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:51:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:51:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:51:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:52:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:52:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	18:52:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:52:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:52:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:52:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:53:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	18:53:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:53:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:53:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:53:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:53:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:54:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:54:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:54:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:54:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:54:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	18:54:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xa80000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	18:55:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	18:55:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "RuntimeBrokers.exe"
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:55:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0x7ff697320000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	18:55:46
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq RuntimeBrokers.exe"
Imagebase:	0x4f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.9%
Total number of Nodes:	1422
Total number of Limit Nodes:	15

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
4AA, xrefs: 0040504C
7-Zip SFX, xrefs: 00406490
Shortcut, xrefs: 0040632A
;!@Install@!UTF-8!, xrefs: 00405436
4DA, xrefs: 00406034
del, xrefs: 00405F9A
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
GUIFlags, xrefs: 0040571F
hidcon, xrefs: 00405E5E
HelpText, xrefs: 0040595E
Delete, xrefs: 00406352
shc, xrefs: 00405F7A
InstallPath, xrefs: 004059F3
forcenowait, xrefs: 00405F25
XpA, xrefs: 00405581
@DA, xrefs: 00405699
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
SelfDelete, xrefs: 0040577C, 0040640B
;!@InstallEnd@!, xrefs: 00405431
IA, xrefs: 004055D2, 004058FB
MiscFlags, xrefs: 0040573F
nowait, xrefs: 00405F03
sfxversion, xrefs: 004050D6
amd64, xrefs: 00405FE4
SetEnvironment, xrefs: 0040586E, 0040591F
BeginPrompt, xrefs: 00405A71
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
x86, xrefs: 00405FBE
ExecuteParameters, xrefs: 0040605D
i386, xrefs: 00405FD1
FinishMessage, xrefs: 00406399
7zSfxString%d, xrefs: 0040558F
sfxconfig, xrefs: 0040527C, 00405488
7ZipSfx.%03x, xrefs: 00405C77
OverwriteMode, xrefs: 004056BB
GUIMode, xrefs: 004056FF
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
x64, xrefs: 00405FF7

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 3696187633-3058303289
Opcode ID: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 819a16367885825f4e344e77836869b1f6d7740230357e2b02187f71ec59b593
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
String ID: Static
API String ID: 1156981321-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

HKA, xrefs: 00410CE9
\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0
$KA, xrefs: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 00411A2D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411A32

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040E9F7 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?), ref: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54

Function 0040E5D3 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

\3A, xrefs: 00401FDB
XpA, xrefs: 00401FB4
7zSfxString%d, xrefs: 00401FF7

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

SetThreadPreferredUILanguages, xrefs: 00401CA4
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
SetProcessPreferredUILanguages, xrefs: 00401C58
%04X%c%04X%c, xrefs: 00401C8F

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

uxtheme, xrefs: 00406D5E
SetWindowTheme, xrefs: 00406D70
\EA, xrefs: 00406D98

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 02A153DE Relevance: 2.1, Strings: 1, Instructions: 837COMMON

Download Yara Rule

Strings

8, xrefs: 02A1565A

Memory Dump Source

Source File: 00000000.00000003.81959148044.0000000002A15000.00000004.00000020.00020000.00000000.sdmp, Offset: 02A15000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2a15000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 6ab3fb64fa2986e41653e834ecafa8d538035a3c8a3b06685c36863f92ae6781
Instruction ID: a80142b2587343b34d2f1e0046a1a0dabb5e36e2940547220b384948cc3efd2f
Opcode Fuzzy Hash: 6ab3fb64fa2986e41653e834ecafa8d538035a3c8a3b06685c36863f92ae6781
Instruction Fuzzy Hash: 7162DC9684E3C15FE3134B345C666957F716EA3168B8F45DBC0C0CF4E3EA59490AD362

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 02A16906 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.81959148044.0000000002A15000.00000004.00000020.00020000.00000000.sdmp, Offset: 02A15000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2a15000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7c4ef63d75a5587b794e51b608e82f37f44734ee99dfba45251be002f2870e
Instruction ID: 495d8156d23b905d75a42f7c72e7dfdbdf4e2e1f32343ae362105336cac810aa
Opcode Fuzzy Hash: 3c7c4ef63d75a5587b794e51b608e82f37f44734ee99dfba45251be002f2870e
Instruction Fuzzy Hash: 9FE1D3A648F3C15FD3434B7498216957FB8AF53228F2A41DBD4C0CE4A3E39A494AC762

Function 02A1B641 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.81959148044.0000000002A15000.00000004.00000020.00020000.00000000.sdmp, Offset: 02A15000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_2a15000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bc7b585164657d53c65c02b8ce774c4fd34d29c1e7ccb33c8033663714cc7e
Instruction ID: 531ab920aa9b955d54166ff4ece42f908cc2d2c20de9cee355faa2e8d9fba719
Opcode Fuzzy Hash: 67bc7b585164657d53c65c02b8ce774c4fd34d29c1e7ccb33c8033663714cc7e
Instruction Fuzzy Hash: 0E510CA694E3E04FEB234B3469E21C87FB0AD53224B2E45D7C4C48B597E11D166BC753

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

:Repeat, xrefs: 00404B92
" goto Repeat, xrefs: 00404BE0
open, xrefs: 00404C63
7ZSfx%03x.cmd, xrefs: 00404B58
", xrefs: 00404BB9, 00404BBE, 00404C02
if exist ", xrefs: 00404BC7
del ", xrefs: 00404B9F, 00404BA4, 00404BED

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

ExtractPathWidth, xrefs: 004047E5
ExtractTitle, xrefs: 004046AF
MiscFlags, xrefs: 00404771, 00404776, 00404792
ExtractPathTitle, xrefs: 00404801
ErrorTitle, xrefs: 0040467F
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
CancelPrompt, xrefs: 00404831
ExtractCancelText, xrefs: 004047A1
|wA, xrefs: 0040464B
Title, xrefs: 00404611
OverwriteMode, xrefs: 00404721
GUIMode, xrefs: 004046F4
WarningTitle, xrefs: 00404697
ExtractDialogWidth, xrefs: 004047BE
ExtractDialogText, xrefs: 004047AD
ExtractPathText, xrefs: 00404819
Progress, xrefs: 004046C7

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,7563E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

RichEdit20W, xrefs: 00402E8C
{\rtf, xrefs: 00402E09
STATIC, xrefs: 00402DDD
riched20, xrefs: 00402E3D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerwsprintf
String ID:
API String ID: 1309318444-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

MiscFlags, xrefs: 004032C0
GUIFlags, xrefs: 004032B2
SetEnvironment, xrefs: 0040326B
{\rtf, xrefs: 004031D6, 004031EB
hAA, xrefs: 0040309E

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,75640E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C74D
IA, xrefs: 0040C4AF
IA, xrefs: 0040C4D9
IA, xrefs: 0040C65E
IA, xrefs: 0040C4C6
IA, xrefs: 0040C66E

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

FinishMessage, xrefs: 00408417, 00408433
ErrorTitle, xrefs: 00408511
SetEnvironment, xrefs: 004083BC
BeginPrompt, xrefs: 004084A4, 004084A9
HelpText, xrefs: 00408598
WarningTitle, xrefs: 0040853A

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,7563E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: b8720cb8756f8e9e8094298d34df6b31f2892d9def23642e2fc1977912460d31
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@Install@!UTF-8!, xrefs: 00404D59
03A, xrefs: 00404CCF
;!@InstallEnd@!, xrefs: 00404D73

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(0000026C), ref: 004075CD
ResumeThread.KERNEL32(0000026C), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@Install@!UTF-8!, xrefs: 00404E4A
:Language:%u!, xrefs: 00404EB6
;!@InstallEnd@!, xrefs: 00404E59

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S/, xrefs: 0040399F
%%S\, xrefs: 00403961

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M\, xrefs: 00403A1C
%%M/, xrefs: 00403A5A

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

4JA, xrefs: 0040E4AF
xJA, xrefs: 0040E493
TJA, xrefs: 0040E4A1
DJA, xrefs: 0040E4A8
hJA, xrefs: 0040E49A
$JA, xrefs: 0040E4B6

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 00407B33 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@ItemMessageSendwsprintf
String ID: %d%%
API String ID: 3767627759-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

GetNativeSystemInfo, xrefs: 00402200
kernel32, xrefs: 00402205

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

kernel32, xrefs: 004021C5
Wow64DisableWow64FsRedirection, xrefs: 004021C0

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,7563E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

[G@, xrefs: 00403C64, 00403C88
GUIFlags, xrefs: 00403C68

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.81965440439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.81965401844.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965512800.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965544979.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.81965594656.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_V2clgnyM2J.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: powershell.exePID: 488, Parent PID: 7744COMMON

Executed Functions

Function 04E529F0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.82780940326.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fbbeb2606a9475da6704ae2d18bd069bd927f819606239f7b072221bd97379
Instruction ID: 7bab2f2ce290358e60f2b5239217084ce5fd55a074175e2bf57ec571bf580ba5
Opcode Fuzzy Hash: 00fbbeb2606a9475da6704ae2d18bd069bd927f819606239f7b072221bd97379
Instruction Fuzzy Hash: 7C918874A00209CFCB15CF58C4949AEBBB2FF88314B2486A9D955AB3A1C735FC51CFA4

Function 04E52B00 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.82780940326.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18dfd8d6890ebe2d2c59580afe648c5902f3c393de81e287c9a4a36f46442b9
Instruction ID: 0b6289a6ea6266be9be3cd81822a61aedb7b6c2f3530c3153976fcd0655b7332
Opcode Fuzzy Hash: e18dfd8d6890ebe2d2c59580afe648c5902f3c393de81e287c9a4a36f46442b9
Instruction Fuzzy Hash: 42413674A00509CFCB09CF58C5989AAFBB1FF48314B2585A9D915AB365C732FC51CFA4

Analysis Process: powershell.exePID: 4236, Parent PID: 448COMMON

Executed Functions

Function 073317D8 Relevance: 18.1, Strings: 14, Instructions: 573COMMON

Download Yara Rule

Strings

$r2l, xrefs: 07331933
G2l, xrefs: 07331C0F
4'kq, xrefs: 07331B20
G2l, xrefs: 07331A47
$r2l, xrefs: 0733193F
G2l, xrefs: 07331A51
G2l, xrefs: 0733180A
1l, xrefs: 07331E98
4'kq, xrefs: 07331B16
1l, xrefs: 07331EA6
G2l, xrefs: 07331814
4'kq, xrefs: 07331C70
4'kq, xrefs: 07331C7A
G2l, xrefs: 07331C19

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 1l$ 1l$$r2l$$r2l$4'kq$4'kq$4'kq$4'kq$G2l$G2l$G2l$G2l$G2l$G2l
API String ID: 0-3557864093
Opcode ID: c981f05e0dd810dda59ee51857a15972c58fb88352963eef557edd23e937e6d1
Instruction ID: 5a42822bb4688ef7ca588e6a2b0278b04ff69a870784027c62a3bd037644d8f6
Opcode Fuzzy Hash: c981f05e0dd810dda59ee51857a15972c58fb88352963eef557edd23e937e6d1
Instruction Fuzzy Hash: 661257B5B046498FEB359B78C4106BABBA6AFC6310F14847AD58DCF291DB35C841CBE1

Function 073317BE Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

$r2l, xrefs: 07331933
G2l, xrefs: 0733180A

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: $r2l$G2l
API String ID: 0-1429412513
Opcode ID: 93337145006d4344349b7ced2dc145ed09d2ac536a2aea625c4de7e57d1acb2f
Instruction ID: 36214202dae71484c112989aa0bd349ccafea2106e676eda31c883a07577adf1
Opcode Fuzzy Hash: 93337145006d4344349b7ced2dc145ed09d2ac536a2aea625c4de7e57d1acb2f
Instruction Fuzzy Hash: E24125F5F006099FFF308A64C44167A7BA7AF82340F1984AAD94C9F251C739D841CBE6

Function 00DC29F0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a835cdada08ef30350483273f56f9bd9b5baf900a7a0871d804d24043385421
Instruction ID: 69d2f48845921e4b175985f02a1ab3cb9f1e1fc29b497822f0c891978122cdea
Opcode Fuzzy Hash: 6a835cdada08ef30350483273f56f9bd9b5baf900a7a0871d804d24043385421
Instruction Fuzzy Hash: FF915B70A0024ACFCB15CF5DC494ABEBBB1FF49310B2981A9D8559B3A5C735EC51CBA4

Function 00DC3BE1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9db02cccd2fa41bbc74d7319e9e72b7f379ae7709b9dab52e8c05276a642fe
Instruction ID: c7c01718203154261c8332cfb74bd5a55c83c186bbb42bc26131f9fed4664cfc
Opcode Fuzzy Hash: bb9db02cccd2fa41bbc74d7319e9e72b7f379ae7709b9dab52e8c05276a642fe
Instruction Fuzzy Hash: C841B3746093858FC702DF68C494A59BFF1EF8A310B0984EAD489DF353C625DD15CBA2

Function 00DC2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c861461f25e7c30f98606cd1c1657058994f40f535e8e9f4925200ee1869269
Instruction ID: a93443d0b9b6ca4397749128e738e5c862ad36135d7334cf4cffb5fa55346897
Opcode Fuzzy Hash: 1c861461f25e7c30f98606cd1c1657058994f40f535e8e9f4925200ee1869269
Instruction Fuzzy Hash: 5A410874A0050A9FCB19CF59C598EBEFBB2FF48310B258169D8159B364C732EC51DBA4

Function 00DC2CA2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22538865c8ad610c068e749bda8dec743068dc28f29a7a19d18545256f82dad5
Instruction ID: e9f8fde153a067877c33078a69000bc3fb3dd5492d5b4cceb53ce5f8a9e9704d
Opcode Fuzzy Hash: 22538865c8ad610c068e749bda8dec743068dc28f29a7a19d18545256f82dad5
Instruction Fuzzy Hash: 4021903160E7D29FC7039B6898A09A87F70EF6731571940C7C0A0CF193CB269C1AC766

Function 00DC3C10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd285b7a54d07a461d3df4ec9e51f6226d7df54e32afe3a53c71d5d8c4f0de1
Instruction ID: 0d8c7c0a6f64d7e435a57655575103a92b866b8ded284528bc44807bd04be08d
Opcode Fuzzy Hash: 6dd285b7a54d07a461d3df4ec9e51f6226d7df54e32afe3a53c71d5d8c4f0de1
Instruction Fuzzy Hash: 622138B4A0420ACFCB00CF9CC4809AEBBB4FB89300B1584AAD845EB352C735ED51CBA1

Function 00D1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780229929.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e83f3670c88e2e3395d6b84665d15006d4071b0daa3fb9b9231dbd832428b93
Instruction ID: 445abcb3a7183a740be0dd4154befcd07c150054a7cc4fd7c7e793753674f7b2
Opcode Fuzzy Hash: 1e83f3670c88e2e3395d6b84665d15006d4071b0daa3fb9b9231dbd832428b93
Instruction Fuzzy Hash: 8301AC71905340BEE7104B19D8C47A6FFD8DF49734F2C842AEDC50B242D7799885DAB1

Function 00D1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780229929.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a4d688eaf13e96c2e00acec07f8574f3e89079aa3995ff65b50563b5ae7f09
Instruction ID: b1cfa892c68959438d4fa78423d07d579ed8cc87e4540d6132ed544ea33eae15
Opcode Fuzzy Hash: 18a4d688eaf13e96c2e00acec07f8574f3e89079aa3995ff65b50563b5ae7f09
Instruction Fuzzy Hash: 1101526250E3C05FD7128B259C94752BFB4DF57224F1D80DBD8848F193C2695C48C772

Function 00DC2C85 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.82780776551.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_dc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24304ac7c31aa340195383a30d9bb2fd8d0e38bf8a4f497b8c4d0b5d82a0596b
Instruction ID: 493a9d3019769469efe330e0e943d7fd30079fe085fcde92c0ebd0289dc00a90
Opcode Fuzzy Hash: 24304ac7c31aa340195383a30d9bb2fd8d0e38bf8a4f497b8c4d0b5d82a0596b
Instruction Fuzzy Hash: 89F096756052458FC702D758DC60AACB7B0DF46335F1940EBD514DB292C7265C16CB55

Non-executed Functions

Function 07331418 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

$kq, xrefs: 073316FE
$kq, xrefs: 0733142A
tPkq, xrefs: 073314A1
tPkq, xrefs: 07331495
G2l, xrefs: 07331599
$kq, xrefs: 0733145C
G2l, xrefs: 0733158F
4'kq, xrefs: 07331619
4'kq, xrefs: 07331625
$kq, xrefs: 07331450

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq$$kq$G2l$G2l
API String ID: 0-1110563324
Opcode ID: 5cc67943bfc07839cf16d1cf2cc4536e84315a05fbd2cb1650a73f2a88f9dc03
Instruction ID: c9edd0cd18ac498ab7c18c7da932813f597489123870c16f4d2567a9cf837376
Opcode Fuzzy Hash: 5cc67943bfc07839cf16d1cf2cc4536e84315a05fbd2cb1650a73f2a88f9dc03
Instruction Fuzzy Hash: EAA154F570435A8FEB349A7DC800666BBBAAFC2711F28847BD949CB291DA35CC01C761

Function 07330518 Relevance: 11.6, Strings: 9, Instructions: 316COMMON

Download Yara Rule

Strings

G2l, xrefs: 07330547
$kq, xrefs: 07330720
4'kq, xrefs: 07330627
$kq, xrefs: 0733072C
4'kq, xrefs: 0733061B
tPkq, xrefs: 07330771
tPkq, xrefs: 07330765
G2l, xrefs: 07330551
$kq, xrefs: 073306FA

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq$G2l$G2l
API String ID: 0-1180294040
Opcode ID: 56611753a72b56b91c73fa4bb879ac8d49ba2d6eca898c28f09389878c93f164
Instruction ID: fe145b0d4552d8837e0ebecfade40908b89d05bcc8a5f33657b342f6f0231363
Opcode Fuzzy Hash: 56611753a72b56b91c73fa4bb879ac8d49ba2d6eca898c28f09389878c93f164
Instruction Fuzzy Hash: F0A137F57043468FE7398A79841067ABBE7EFC2711F2484BBD549CB291DA35C841CBA1

Function 07331168 Relevance: 8.9, Strings: 7, Instructions: 192COMMON

Download Yara Rule

Strings

4'kq, xrefs: 0733121E
G2l, xrefs: 073311A1
4'kq, xrefs: 07331212
$kq, xrefs: 073312EF
$kq, xrefs: 0733131A
G2l, xrefs: 07331197
$kq, xrefs: 07331326

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$$kq$$kq$$kq$G2l$G2l
API String ID: 0-4181808809
Opcode ID: e9c060b266a10ab3c549a836d9221a0aaaf9b9ffde885685515baf740f60bfa0
Instruction ID: c7e9e1bcdca7ab81a004fd7f4ec58d4120a86b56910ee4c3a88ddd2760e4f6e3
Opcode Fuzzy Hash: e9c060b266a10ab3c549a836d9221a0aaaf9b9ffde885685515baf740f60bfa0
Instruction Fuzzy Hash: F25136B570460ECFEB359A6DC410766BBA6AFC6721F24847BC44DCB691CB3AC841C7A1

Function 0733264C Relevance: 6.3, Strings: 5, Instructions: 61COMMON

Download Yara Rule

Strings

?4l, xrefs: 073326CB
?4l, xrefs: 073326D5
?4l, xrefs: 073326B3
G2l, xrefs: 0733268F
$I'k, xrefs: 073326EB

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: $I'k$?4l$?4l$?4l$G2l
API String ID: 0-223816410
Opcode ID: 9d3bb41c1117a9f681176d028df5fa0bb56db39103f347b95096b7ad69f739be
Instruction ID: afa832bfacda47330a07e77799a0bf9553e118b655f366b450aba53483d39405
Opcode Fuzzy Hash: 9d3bb41c1117a9f681176d028df5fa0bb56db39103f347b95096b7ad69f739be
Instruction Fuzzy Hash: 0B11E2F5A012068FE720DF698401AA7BBF5BF85311F15816AD458CB662D735C890CFA1

Function 07332660 Relevance: 6.3, Strings: 5, Instructions: 54COMMON

Download Yara Rule

Strings

?4l, xrefs: 073326CB
?4l, xrefs: 073326D5
?4l, xrefs: 073326B3
G2l, xrefs: 0733268F
$I'k, xrefs: 073326EB

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: $I'k$?4l$?4l$?4l$G2l
API String ID: 0-223816410
Opcode ID: 8e64c50b6a1b34edf7321aa9f6586b6316d3b9ed7f9c41222fc95204b502209a
Instruction ID: 3e96a32fea13dae4ad5636ed99312834ce22cec8561c7e524e2fafd0e6c85385
Opcode Fuzzy Hash: 8e64c50b6a1b34edf7321aa9f6586b6316d3b9ed7f9c41222fc95204b502209a
Instruction Fuzzy Hash: AA11A0F5E00206DFE720DE598401B67BBF9BF85312F158065D81C9B251E775D980CBE1

Function 07332BC0 Relevance: 5.2, Strings: 4, Instructions: 226COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07332CDF
4'kq, xrefs: 07332CE9
G2l, xrefs: 07332BF9
G2l, xrefs: 07332BEF

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$G2l$G2l
API String ID: 0-663730079
Opcode ID: 1533c3ebd3dd8ed28608e51574be7065c89eed32e839b967f0ef900a73cee5fc
Instruction ID: f098b8f9332edaa5a8cca5ea46b1d1ef0694c40d0ef019189f0a0052e59db47a
Opcode Fuzzy Hash: 1533c3ebd3dd8ed28608e51574be7065c89eed32e839b967f0ef900a73cee5fc
Instruction Fuzzy Hash: C5716CF67003059FEB309A688411777BBA6BFC5710F14843ADA9DCB691CA39C841C7A1

Function 073332A8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$kq, xrefs: 073332D6
$kq, xrefs: 07333304
$kq, xrefs: 07333310
$kq, xrefs: 073332BA

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: ab5f8bd98124182475541893f8376220a59fd3d7f80020656e4dfe16752207e2
Instruction ID: 87014f6178244ef9d22185dc2b9f82366e9bf07566a13f7d76952f3355c1364e
Opcode Fuzzy Hash: ab5f8bd98124182475541893f8376220a59fd3d7f80020656e4dfe16752207e2
Instruction Fuzzy Hash: 95213AF131420597FB34557A8841B67A6DA9BC5321F24C43AE94DDB781CE3FC8008361

Function 0733030A Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

$kq, xrefs: 07330352
4'kq, xrefs: 0733037F
4'kq, xrefs: 07330373
$kq, xrefs: 0733035E

Memory Dump Source

Source File: 0000000F.00000002.82797661909.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7330000_powershell.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$$kq$$kq
API String ID: 0-1727931526
Opcode ID: 2ed27f4ec27015a41407bc56b5222e29eea23c8b3fbda34d71759200483b2948
Instruction ID: 53fc6bce2cb5663698531458d187625b8a7800b865882337b636eb59b872711c
Opcode Fuzzy Hash: 2ed27f4ec27015a41407bc56b5222e29eea23c8b3fbda34d71759200483b2948
Instruction Fuzzy Hash: 200171A031A3D64FD73B563854201266FB39FC3A2072A44EBD084CF697CA6D4C0A8767

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report V2clgnyM2J.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3zsicwka.eof.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhwrh1kt.sxb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjnbrlu3.pqw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_id4y5hhm.sqn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktwkt5du.qgr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvmfiwrg.oe3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ps5wk4nm.5kk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_riejsp14.xol.ps1

C:\Users\user\AppData\Local\Temp\backup.dll

C:\Users\user\AppData\Local\Temp\backup.exe

C:\Users\user\AppData\Local\Temp\monitor.bat

C:\Users\user\AppData\Local\Temp\monitor.pid

C:\Users\user\AppData\Local\updated.ps1

C:\Users\user\Desktop\chiomsStup.exe.lnk

C:\Users\Public\Bilite\Axialis\IiViS

C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe

Windows Analysis Report
V2clgnyM2J.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre